[Bro] Trying to drop addresses...

Randolph Reitz rreitz at fnal.gov
Fri Dec 5 13:43:46 PST 2008


I am running...

[brother at dtmb ~/work]$ svn info
Path: .
URL: http://svn.icir.org/bro/branches/robin/work
Repository Root: http://svn.icir.org/bro
Repository UUID: 040645db-9414-0410-b69e-f32faa466a09
Revision: 6442
Node Kind: directory
Schedule: normal
Last Changed Author: robin
Last Changed Rev: 6440
Last Changed Date: 2008-12-03 12:42:35 -0600 (Wed, 03 Dec 2008)

on

[brother at dtmb ~]$ uname -a
FreeBSD dtmb.fnal.gov 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #5: Thu Dec  4 10:49:18 CST 2008     rreitz at dtmb.fnal.gov:/usr/obj/usr/src/sys/DTMB  i386

I want to enable catch-and-release.  So I modified 'policy/local/local.bro' with ...

# use catch-and-release
redef Drop::use_catch_release = T;
redef Drop::can_drop_connectivity = T;
...
redef notice_action_filters +=
    {
...
    [Drop::AddressDropIgnored] = tally_notice_type_and_ignore,
    [Drop::AddressDropped] = drop_source,
...
    };

I installed with 'cluster install' followed by 'cluster restart'.  I see lots of 'PortScan' and 'AddressScan' in the logs, but nothing is dropping.

[brother at dtmb ~]$ cluster print Drop::drop_info
        bro   Drop::drop_info = {

}

I noticed that the notice_policy does not contain a 'NOTICE_DROP' action...

[brother at dtmb ~/work]$ cluster print notice_policy
        bro   notice_policy = {
	[result=NOTICE_FILE, pred=anonymous-function
	{
	if (Scan::n$note == AddressRestored && Scan::n?$src && Scan::n$src in  
Scan::shut_down_thresh_reached)
		Scan::shut_down_thresh_reached[Scan::n$src] = F;

	return (F);
	}, priority=1],
	[result=NOTICE_ALARM_ALWAYS, pred=anonymous-function
	{
	return (T);
	}, priority=0]
}

Do I need to modify the notice_policy?  I don't see any NOTICE_DROP examples in notice-policy.bro.

Thanks,
Randy