To anyone who might be interested, I’ve posted a Bro module along with instructions for blocking traffic flows with a timeout (using iptables and bash):
(As a side note, this follows my earlier port of Bro on OpenWRT: http://inspirated.com/2012/12/10/bro-ids-on-openwrt )
Cool! Nice to see that people are moving forward with trying to make standardized interfaces for this stuff.
It's actually similar to part of the Reaction framework that I have a bit of work done on. We've been waiting on a few extra features to get into Bro first though. Are you planning on doing any additional work on this? We're always willing to prod people in the right direction if they're interested in working on Bro more closely.
I do plan on adding traffic shaping APIs which call tc, so the Reaction framework does sound like a nice idea. Unfortunately I wasn't able to find out about it on the Bro website.
There isn't really anything written about it, but there has been a lot of internal discussion about it over the past couple of years. It's just taken us a while to get everything in place to do it right.
What sort of traffic shaping primitives are you considering?
To start off with, we plan on exposing APIs in Bro which would let it:
* Mark 5-tuple flows in mangle table
* Define bandwidth rates for marked traffic
It's pretty simplistic, but our goal is to allow Bro developers to say something along the lines of: "Allocate more bandwidth to traffic that's going out to IP
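As an added example (not the poster's module, nor code from Bro or the Reaction framework), the following POSIX shell script shows both mechanisms discussed in this thread: a 5-tuple flow is blocked with an iptables DROP rule that is deleted again after a timeout, and a flow is marked in the mangle table so that a tc HTB class can hold it to a given rate. The interface name eth0, the HTB handle `1:`, the mark values, the rates and the RFC 5737 sample addresses are all assumptions; setting `DRY_RUN=1` prints the iptables/tc commands instead of executing them, so the script can be exercised without root.

```shell
#!/bin/sh
# Added example, not the poster's module. Assumes a Linux forwarding host with
# iptables and tc; IFACE, the HTB handle 1: and all marks/addresses are assumptions.
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).

DRY_RUN=${DRY_RUN:-0}
IFACE=${IFACE:-eth0}

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the iptables match for one 5-tuple: proto src sport dst dport.
flow_match() {
    printf '%s' "-p $1 -s $2 --sport $3 -d $4 --dport $5"
}

# Block a flow, then remove the rule after $1 seconds so the block expires on its own.
# args: timeout_seconds proto src sport dst dport
block_flow() {
    timeout=$1; shift
    match=$(flow_match "$@")
    run iptables -I FORWARD $match -j DROP
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sleep %s && iptables -D FORWARD %s -j DROP\n' "$timeout" "$match"
    else
        ( sleep "$timeout"; iptables -D FORWARD $match -j DROP ) &
    fi
}

# One-time setup: an HTB root qdisc whose default class carries unmarked traffic.
setup_root_qdisc() {
    run tc qdisc add dev "$IFACE" root handle 1: htb default 1
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate 100mbit
}

# Mark a flow in the mangle table and give that mark its own HTB rate.
# args: mark rate proto src sport dst dport
# Note: iptables and the tc "fw" filter take the mark in decimal, while tc
# class ids are hexadecimal, so the class minor id is the mark printed in hex.
shape_flow() {
    mark=$1; rate=$2; shift 2
    match=$(flow_match "$@")
    cls=$(printf '1:%x' "$mark")
    run iptables -t mangle -A FORWARD $match -j MARK --set-mark "$mark"
    run tc class add dev "$IFACE" parent 1: classid "$cls" htb rate "$rate"
    run tc filter add dev "$IFACE" parent 1: protocol ip handle "$mark" fw flowid "$cls"
}
```

Typical use is `setup_root_qdisc` once at boot, then `shape_flow 10 512kbit tcp 192.0.2.10 4444 198.51.100.5 80` or `block_flow 300 tcp 192.0.2.10 4444 198.51.100.5 80` from the IDS side as flows are classified. The background `sleep` is the simplest expiry mechanism; if the script can be invoked many times for the same flow, track the rules you have inserted (for example in a small state file) so that a repeated block does not leave duplicate rules behind or delete a rule inserted by a later call.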