blacklist.zeek

@load base/protocols/conn
@load base/frameworks/notice
@load base/frameworks/netcontrol/main.zeek
@load base/frameworks/notice/main
@load base/frameworks/netcontrol
@load policy/frameworks/netcontrol/catch-and-release

# Notice type raised when a connection's originator address is in the denylist.
export{
redef enum  Notice::Type +={
		Blacklist_IP,
	};
}
# Index columns of the input file: a single address per line.
type Idx1: record {
	ip: addr;
};
# Value columns of the input file: a free-text reason for the listing.
type Val1: record {
	reason: string;
};
# Denylist keyed by address, filled from "data.file" by the Input framework in zeek_init.
global denylist: table[addr] of Val1 = table();
# Load the denylist once at startup. Adding the stream and removing it
# straight away is the Input framework's one-shot read pattern: the initial
# read still completes and Input::end_of_data still fires, but the file is
# not re-read when it changes (keep the $name and the remove() name in sync).
event zeek_init() {
	Input::add_table([$source="data.file", $name="denylist",$idx=Idx1, $val=Val1,  $destination=denylist]);
	Input::remove("denylist");
}
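# Runs when an input stream has finished its initial read. The event fires for
# every stream Zeek loads, so only react to the denylist stream; otherwise the
# dump below runs for unrelated loaders too.
#   name   - stream name given as $name in Input::add_table
#   source - the file the stream was read from
event Input::end_of_data(name: string, source: string) {
    if ( name != "denylist" )
        return;
    # now all data is in the table (debug output: prints the whole table)
    print denylist;
}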
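# Raise a notice and block the originator of any connection whose source
# address is in the denylist. Only c$id$orig_h is checked, so a listed host
# that is merely the responder of a connection is not matched here.
event connection_established(c: connection){
	local src = c$id$orig_h;
	if ( src !in denylist )
		return;

	# $sub carries the reason recorded in the input file; $conn lets the
	# Notice framework fill in the connection fields of notice.log.
	NOTICE([$note=Blacklist_IP,
	        $msg=fmt("Blacklist IP: %s detection has connected from your server !", src),
	        $sub=denylist[src]$reason,
	        $conn=c]);
	print fmt("Blacklist IP detection connected which is %s at port %s", src, c$id$resp_p);
	# Block the address that actually matched. The previous version dropped a
	# fixed address (192.168.141.128) on every hit, so listed hosts other than
	# that one were never blocked. 1 sec is a very short block; lengthen it once
	# the rule is confirmed to behave.
	# NOTE(review): catch-and-release is @load-ed but the plain drop is used;
	# NetControl::drop_address_catch_release(src) may be what was intended - confirm.
	NetControl::drop_address(src, 1 sec);
}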