blacklist.zeek
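# Block connections whose originator appears in a file-backed denylist.
#
# The denylist is read once at startup from `denylist_file` into the
# `denylist` table. Every established connection whose originator address
# is listed raises a Blacklist_IP notice and asks NetControl to drop that
# originator for `drop_duration`.
@load base/protocols/conn
@load base/frameworks/input
@load base/frameworks/notice
@load base/frameworks/netcontrol
# Loaded by the original script; nothing below calls the catch-and-release
# API, so it is only kept for compatibility with any policy relying on it.
@load policy/frameworks/netcontrol/catch-and-release

export {
    redef enum Notice::Type += {
        ## An originator address listed in the denylist opened a connection.
        Blacklist_IP,
    };

    ## How long NetControl keeps a listed originator blocked after a hit.
    ## The original script used 1 sec; tune per deployment via redef.
    const drop_duration = 1 sec &redef;

    ## Path of the denylist file read at startup (one `ip` and `reason`
    ## column per line, in Zeek input-framework table format).
    const denylist_file = "data.file" &redef;
}

# Index (key) column of the denylist file.
type Idx1: record {
    ip: addr;
};

# Value column(s) of the denylist file.
type Val1: record {
    reason: string;
};

# Denylist keyed by originator address; populated by the input framework.
global denylist: table[addr] of Val1 = table();

event zeek_init()
{
    # One-shot read: the stream is removed immediately after it is added.
    # The input framework still delivers the file contents before closing
    # the stream, so this reads the table exactly once at startup.
    Input::add_table([$source=denylist_file, $name="denylist",
                      $idx=Idx1, $val=Val1, $destination=denylist]);
    Input::remove("denylist");
}

event Input::end_of_data(name: string, source: string)
{
    # This event fires for every input stream; only react to ours.
    if ( name != "denylist" )
        return;

    # now all data is in the table
    print denylist;
}

event connection_established(c: connection)
{
    local src = c$id$orig_h;

    if ( src !in denylist )
        return;

    # $conn lets the notice framework fill in the connection identifiers
    # (src/dst/uid) for notice.log and downstream policies.
    NOTICE([$note=Blacklist_IP,
            $conn=c,
            $msg=fmt("Blacklist IP: %s detection has connected from your server !", src)]);
    print fmt("Blacklist IP detection connected which is %s at port %s", src, c$id$resp_p);

    # Fix: the original dropped the hard-coded address 192.168.141.128
    # regardless of which listed host connected, so the actual offender was
    # never blocked. Drop the originator that matched the denylist.
    NetControl::drop_address(src, drop_duration);
}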