scan functions

The standard scan script provides the following functions:
drop_address (a: addr, msg: string)

Dropping connectivity requires all of the following to be true:

    can_drop_connectivity is true.
    a is not in never_shut_down.

If these checks succeed, then the script simply attempts to invoke a shell script drop-connectivity with a single argument, the IP address to block. It is up to you to provide the script, using whatever interface to your router/firewall you have available.

The function does not return a value.
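As an added example (not part of the Bro distribution), a minimal POSIX drop-connectivity script of the kind drop_address expects, for a Linux host whose firewall interface is iptables: it checks that its single argument really is an IPv4 address before anything reaches the firewall command, refuses to block loopback as a second line of defence behind never_shut_down, and lets a hypothetical DROP_CMD variable override the firewall command so the script can be exercised without touching live rules. The iptables rule form and DROP_CMD are assumptions.

```shell
#!/bin/sh
# drop-connectivity: called by Bro's drop_address() with one argument, the address to block.
# Added example, not part of Bro. Assumes a Linux host where iptables is the firewall
# interface; DROP_CMD (hypothetical) overrides the firewall command so the script can be
# tested without changing live rules.

# Succeed only for a well-formed dotted-quad IPv4 address; this keeps anything else
# (hostnames, option strings, shell metacharacters) away from the firewall command.
validate_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Block all traffic from the address. Returns 0 on success, non-zero otherwise.
drop_connectivity() {
    ip=$1
    validate_ipv4 "$ip" || { echo "drop-connectivity: malformed address '$ip'" >&2; return 2; }
    # Defence in depth behind Bro's own never_shut_down check: never block loopback.
    case "$ip" in
        127.*|0.*) echo "drop-connectivity: refusing to block $ip" >&2; return 3 ;;
    esac
    # Insert at the top of INPUT so the rule takes precedence; a gateway would use FORWARD.
    "${DROP_CMD:-iptables}" -I INPUT -s "$ip" -j DROP || return 4
    command -v logger >/dev/null 2>&1 && logger -t drop-connectivity "blocked $ip"
    return 0
}

# Entry point when Bro invokes the script directly.
if [ "$#" -eq 1 ]; then
    drop_connectivity "$1"
    exit $?
fi
```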
check_scan (c: connection, established: bool, reverse: bool): bool

Analyzes the connection c. If established is true, then the connection was successfully established, otherwise not. If reverse is true, then the function should consider the originator/responder fields in the connection's record as reversed. Note: This last is needed for some unusual new connections that may reflect stealth scanning. For example, when the event engine sees a SYN-ack without a corresponding SYN, it instantiates a new connection with an assumption that the SYN-ack came from the responder (and it missed the initial SYN either due to split routing (see Split routing), a packet drop (see Packet drops), or Bro having started running after the initial SYN was sent).
If the originating host's activity matches the policy defined by the variables above, then the analyzer logs this fact, and possibly attempts to drop connectivity to the originating host. The function also schedules an event for 24 hours in the future (or when Bro terminates) to generate a summary of the scanning activity (so if the host continues scanning, you get a report on how many hosts it wound up scanning). Deficiency: This time interval should be selectable.
Note: Purported scans of the FTP data port (20/tcp) or the ident service (113/tcp) are never reported or dropped, as experience has shown they yield too many false hits.

The function does not return a value.