Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 02:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/base/frameworks/notice/actions/drop.bro
Johanna Amann 51b8dee70b Adjust default priority of ACTION_DROP hook. 
We use -5, just like all other normal notice framework actions.
2016-07-26 13:39:40 -07:00

35 lines
895 B
Text
Raw Blame History

##! This script extends the built in notice code to implement the IP address
##! dropping functionality.
@load ../main
@load base/frameworks/netcontrol
module Notice;
export {
redef enum Action += {
## Drops the address via :bro:see:`NetControl::drop_address_catch_release`.
ACTION_DROP
};
redef record Info += {
## Indicate if the $src IP address was dropped and denied
## network access.
dropped: bool &log &default=F;
};
}
hook notice(n: Notice::Info) &priority=-5
{
if ( ACTION_DROP in n$actions )
{
local ci = NetControl::get_catch_release_info(n$src);
if ( ci$watch_until == double_to_time(0) )
{
# we have not seen this one yet. Drop it.
local addl = n?$msg ? fmt("ACTION_DROP: %s", n?$msg) : "ACTION_DROP";
local res = NetControl::drop_address_catch_release(n$src, addl);
n$dropped = res$watch_until != double_to_time(0);
}
}
}
Reference in a new issue View git blame Copy permalink