Terminating a connection

The Bro distribution includes a program called rst that terminates an active connection by sending a TCP "reset" packet to the sender. The ftp and login analyzers will automatically call reset if the following flag is defined in your site/site.local.bro file:

    redef activate_rst = 1;


(Note: this is currently not implemented! Coming soon)

All connections from a forbidden_id get terminated, as well as any service defined in terminate_successful_inbound_service. For example, to terminate all successful attempts to access the RPC portmapper via TCP from an external network, you would add this:

    redef terminate_successful_inbound_service += {
        [111/tcp] = "disallow external portmapper"
    };
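
The selection rule described above, modelled in Python as an added example (this is not Bro's own policy code). The local network, the sample connections, the field names and the treatment of a forbidden_id as a login name are assumptions made for illustration.

```python
import ipaddress

# Assumption: the site's local address space (documentation range, constructed).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Same entry as the redef on this page, keyed by (port, protocol).
TERMINATE_SUCCESSFUL_INBOUND_SERVICE = {(111, "tcp"): "disallow external portmapper"}
# Assumption: a forbidden_id is modelled as a login name (constructed value).
FORBIDDEN_IDS = {"baduser"}

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def termination_reason(conn):
    """Return why a connection would be reset, or None to leave it alone."""
    if conn["proto"] != "tcp":
        return None  # a TCP reset cannot end a UDP exchange
    if conn.get("user") in FORBIDDEN_IDS:
        return "forbidden_id: " + conn["user"]
    inbound = not is_local(conn["orig"]) and is_local(conn["resp"])
    if inbound and conn["established"]:
        key = (conn["port"], conn["proto"])
        return TERMINATE_SUCCESSFUL_INBOUND_SERVICE.get(key)
    return None

# Constructed sample connections, not captured traffic.
SAMPLE = [
    # external client, handshake completed, portmapper over TCP
    {"orig": "198.51.100.7", "resp": "192.0.2.10", "port": 111, "proto": "tcp", "established": True},
    # external client, attempt never completed
    {"orig": "198.51.100.7", "resp": "192.0.2.10", "port": 111, "proto": "tcp", "established": False},
    # internal client reaching the same service
    {"orig": "192.0.2.20", "resp": "192.0.2.10", "port": 111, "proto": "tcp", "established": True},
    # portmapper over UDP: not matched by a 111/tcp entry
    {"orig": "198.51.100.7", "resp": "192.0.2.10", "port": 111, "proto": "udp", "established": False},
    # FTP login by a forbidden user name
    {"orig": "198.51.100.9", "resp": "192.0.2.10", "port": 21, "proto": "tcp", "established": True, "user": "baduser"},
]

def decide(conns):
    return [termination_reason(c) for c in conns]

if __name__ == "__main__":
    for conn, reason in zip(SAMPLE, decide(SAMPLE)):
        print(conn["orig"], conn["port"], conn["proto"], "->", reason)
```

Only the first and last sample connections are selected for a reset. The UDP row shows that a 111/tcp entry leaves portmapper traffic over UDP untouched, so that path needs a separate control.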