[Bro] Trying to drop addresses...
Randolph Reitz
rreitz at fnal.gov
Fri Dec 5 13:43:46 PST 2008
I am running...
[brother at dtmb ~/work]$ svn info
Path: .
URL: http://svn.icir.org/bro/branches/robin/work
Repository Root: http://svn.icir.org/bro
Repository UUID: 040645db-9414-0410-b69e-f32faa466a09
Revision: 6442
Node Kind: directory
Schedule: normal
Last Changed Author: robin
Last Changed Rev: 6440
Last Changed Date: 2008-12-03 12:42:35 -0600 (Wed, 03 Dec 2008)
on
[brother at dtmb ~]$ uname -a
FreeBSD dtmb.fnal.gov 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #5: Thu
Dec 4 10:49:18 CST 2008 rreitz at dtmb.fnal.gov:/usr/obj/usr/src/sys/
DTMB i386
I want to enable catch-and-release. So I modified 'policy/local/local.bro' with ...
# use catch-and-release
redef Drop::use_catch_release = T;
redef Drop::can_drop_connectivity = T;
...
redef notice_action_filters +=
{
...
[Drop::AddressDropIgnored] = tally_notice_type_and_ignore,
[Drop::AddressDropped] = drop_source,
...
};
I installed with 'cluster install' followed by 'cluster restart'. I
see lots of 'PortScan' and 'AddressScan' in the logs, but nothing is
dropping.
[brother at dtmb ~]$ cluster print Drop::drop_info
bro Drop::drop_info = {
}
I noticed that the notice_policy does not contain a 'NOTICE_DROP'
action...
[brother at dtmb ~/work]$ cluster print notice_policy
bro notice_policy = {
[result=NOTICE_FILE, pred=anonymous-function
{
if (Scan::n$note == AddressRestored && Scan::n?$src && Scan::n$src in
Scan::shut_down_thresh_reached)
Scan::shut_down_thresh_reached[Scan::n$src] = F;
return (F);
}, priority=1],
[result=NOTICE_ALARM_ALWAYS, pred=anonymous-function
{
return (T);
}, priority=0]
}
Do I need to modify the notice_policy? I don't see any NOTICE_DROP
examples in notice-policy.bro.
Thanks,
Randy