Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 08:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro
Johanna Amann 7ef431808d Rewrite internal handling of rules. 
This has no user-facing changes. It makes the internal handling of rules
much easier (no crazy duplicate rules in case our rules are added to
several backends).

It also fixes several open ends and small bugs in the process.
2016-03-09 15:43:47 -08:00

122 lines
3.6 KiB
Text
Raw Blame History

# @TEST-SERIALIZE: brokercomm
# @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out"
# @TEST-EXEC: btest-bg-wait 20
# @TEST-EXEC: btest-diff recv/recv.out
# @TEST-EXEC: btest-diff send/send.out
@TEST-START-FILE send.bro
@load base/frameworks/netcontrol
const broker_port: port &redef;
redef exit_only_after_terminate = T;
event NetControl::init()
{
suspend_processing();
local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/netcontroltest"));
NetControl::activate(netcontrol_acld, 0);
}
event NetControl::init_done()
{
continue_processing();
}
event BrokerComm::outgoing_connection_established(peer_address: string,
peer_port: port,
peer_name: string)
{
print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
}
event BrokerComm::outgoing_connection_broken(peer_address: string,
peer_port: port)
{
terminate();
}
hook NetControl::acld_rule_policy(p: NetControl::PluginState, r: NetControl::Rule, ar: NetControl::AclRule)
{
# use nullzero instead of drop for address drops
if ( r$ty == NetControl::DROP && r$entity$ty == NetControl::ADDRESS && ar$command == "drop" )
ar$command = "nullzero";
}
event connection_established(c: connection)
{
local id = c$id;
local flow1 = NetControl::Flow(
$src_h=addr_to_subnet(c$id$orig_h),
$dst_h=addr_to_subnet(c$id$resp_h)
);
local e1: NetControl::Entity = [$ty=NetControl::FLOW, $flow=flow1];
local r1: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e1, $expire=10hrs, $location="here"];
local flow2 = NetControl::Flow(
$dst_p=c$id$resp_p
);
local e2: NetControl::Entity = [$ty=NetControl::FLOW, $flow=flow2];
local r2: NetControl::Rule = [$ty=NetControl::DROP, $target=NetControl::FORWARD, $entity=e2, $expire=10hrs, $location="there"];
NetControl::add_rule(r1);
NetControl::add_rule(r2);
NetControl::drop_address(id$orig_h, 10hrs);
}
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
{
print "rule added", r$entity, r$ty;
NetControl::remove_rule(r$id);
}
event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
{
print "rule removed", r$entity, r$ty;
}
@TEST-END-FILE
@TEST-START-FILE recv.bro
@load base/frameworks/netcontrol
@load base/frameworks/broker
const broker_port: port &redef;
redef exit_only_after_terminate = T;
event bro_init()
{
BrokerComm::enable();
BrokerComm::subscribe_to_events("bro/event/netcontroltest");
BrokerComm::listen(broker_port, "127.0.0.1");
}
event BrokerComm::incoming_connection_established(peer_name: string)
{
print "BrokerComm::incoming_connection_established";
}
event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
{
print "add_rule", id, r$entity, r$ty, ar;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::acld_rule_added, id, r, ar$command));
}
event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule)
{
print "remove_rule", id, r$entity, r$ty, ar;
BrokerComm::event("bro/event/netcontroltest", BrokerComm::event_args(NetControl::acld_rule_removed, id, r, ar$command));
if ( r$cid == 4 )
terminate();
}
@TEST-END-FILE
Reference in a new issue View git blame Copy permalink