
* Removed terminate-connection.bro as a dependency on notice-actions-filters.bro * geo_location type now has full set of defaults. * Many conn.bro logged variables are now optional instead of having defaults. * Many updates to the notice.bro script. Probably many more to come. Mostly involved with modernizing it by extracting functionality, reducing chained dependencies, and modularization. * Updated used Notice API in ssh.bro to the modified notice.bro script.
# $Id$
@load site
@load notice
# Ugly: we need the following from conn.bro, but we can't soundly load
# it because it in turn loads us.  This is a forward declaration only;
# the body is supplied by conn.bro at runtime.
global full_id_string: function(c: connection): string;
# TODO: this is a notice action filter but it shouldn't cause this
# script to become a dependency on notice-action-filters.bro
# Figure out where to put this!
# Notice action filter: hands the notice's connection (when it carries
# one) to TerminateConnection::terminate_connection -- which itself only
# acts if activate_terminate_connection is set -- and then drops the
# notice.  The incoming action `a` is not consulted; the result is always
# NOTICE_DROP.
function drop_source_and_terminate(n: Notice::Info, a: Notice::Action): Notice::Action
	{
	# A notice without $conn has nothing to terminate but is still dropped.
	if ( ! n?$conn )
		return NOTICE_DROP;

	TerminateConnection::terminate_connection(n$conn);
	return NOTICE_DROP;
	}
module TerminateConnection;

export {
	redef enum Notice += {
		TerminatingConnection,        # connection will be terminated
		TerminatingConnectionIgnored, # termination was requested, but
		                              # activate_terminate_connection is F
	};

	# Whether we're allowed (and/or are capable) to terminate connections
	# using "rst".  Off by default, so no external command is ever run
	# unless a site explicitly opts in with a redef.
	const activate_terminate_connection = F &redef;

	# Terminate the given connection.  Defined below; when
	# activate_terminate_connection is F it only raises
	# TerminatingConnectionIgnored.
	global terminate_connection: function(c: connection);
}
# Runs one termination command when reading live traffic; otherwise only
# records it as a TerminatingConnection notice whose $sub names which of
# the two commands it was.  The external command is therefore never
# executed while replaying a trace.
function run_or_report(c: connection, cmd: string, which: string)
	{
	if ( reading_live_traffic() )
		system(cmd);
	else
		NOTICE([$note=TerminatingConnection, $conn=c,
		        $msg=cmd, $sub=which]);
	}

# Terminate the given connection by invoking the external "rst" tool
# twice with differing parameters.  Nothing is executed unless
# activate_terminate_connection has been redef'd to T (it defaults to F);
# otherwise only a TerminatingConnectionIgnored notice is raised.  The
# command line is assembled solely from the addr/port fields of the
# connection id and the sequence numbers returned by get_orig_seq /
# get_resp_seq, so no free-form text from the wire reaches system().
function terminate_connection(c: connection)
	{
	local cid = c$id;

	if ( ! activate_terminate_connection )
		{
		NOTICE([$note=TerminatingConnectionIgnored, $conn=c,
		        $msg=fmt("ignoring request to terminate %s",
		                 full_id_string(c))]);
		return;
		}

	# "-R" is passed when the originator is a local address; presumably it
	# makes rst act in the reverse direction -- confirm against the tool.
	local direction_flag = is_local_addr(cid$orig_h) ? "-R" : "";

	run_or_report(c,
	              fmt("rst %s -n 32 -d 20 %s %d %d %s %d %d",
	                  direction_flag,
	                  cid$orig_h, cid$orig_p, get_orig_seq(cid),
	                  cid$resp_h, cid$resp_p, get_resp_seq(cid)),
	              "first termination command");

	# Sequence numbers are fetched again so the second command reflects
	# the connection state at that moment, as before.
	run_or_report(c,
	              fmt("rst %s -r 2 -n 4 -s 512 -d 20 %s %d %d %s %d %d",
	                  direction_flag,
	                  cid$orig_h, cid$orig_p, get_orig_seq(cid),
	                  cid$resp_h, cid$resp_p, get_resp_seq(cid)),
	              "second termination command");

	NOTICE([$note=TerminatingConnection, $conn=c,
	        $msg=fmt("terminating %s", full_id_string(c))]);
	}