Trying to drop addresses...

I am running...

[brother@dtmb ~/work]$ svn info
Path: .
URL: http://svn.icir.org/bro/branches/robin/work
Repository Root: http://svn.icir.org/bro
Repository UUID: 040645db-9414-0410-b69e-f32faa466a09
Revision: 6442
Node Kind: directory
Schedule: normal
Last Changed Author: robin
Last Changed Rev: 6440
Last Changed Date: 2008-12-03 12:42:35 -0600 (Wed, 03 Dec 2008)

on

[brother@dtmb ~]$ uname -a
FreeBSD dtmb.fnal.gov 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #5: Thu Dec 4 10:49:18 CST 2008 rreitz@dtmb.fnal.gov:/usr/obj/usr/src/sys/DTMB i386

I want to enable catch-and-release. So I modified 'policy/local/local.bro' with ...

# use catch-and-release
redef Drop::use_catch_release = T;
redef Drop::can_drop_connectivity = T;
...
redef notice_action_filters +=
     {
...
         [Drop::AddressDropIgnored] = tally_notice_type_and_ignore,
         [Drop::AddressDropped] = drop_source,
...
         };

I installed with 'cluster install' followed by 'cluster restart'. I see lots of 'PortScan' and 'AddressScan' in the logs, but nothing is dropping.

[brother@dtmb ~]$ cluster print Drop::drop_info
        bro Drop::drop_info = {

}

I noticed that the notice_policy does not contain a 'NOTICE_DROP' action...

[brother@dtmb ~/work]$ cluster print notice_policy
        bro notice_policy = {
  [result=NOTICE_FILE, pred=anonymous-function
  {
  if (Scan::n$note == AddressRestored && Scan::n?$src && Scan::n$src in Scan::shut_down_thresh_reached)
    Scan::shut_down_thresh_reached[Scan::n$src] = F;

  return (F);
  }, priority=1],
  [result=NOTICE_ALARM_ALWAYS, pred=anonymous-function
  {
  return (T);
  }, priority=0]
}

Do I need to modify the notice_policy? I don't see any NOTICE_DROP examples in notice-policy.bro.

Thanks,
Randy

> [Drop::AddressDropped] = drop_source,

You need to map drop_source to the notice which you want to trigger
the drop, e.g., PortScan or AddressScan. AddressDropped is generated
when an address has been dropped *already* (which won't happen if
you don't assign drop_source to anything else).

> Do I need to modify the notice_policy? I don't see any NOTICE_DROP
> examples in notice-policy.bro.

That would be the alternative. You can either return NOTICE_DROP in
the notice_policy, or assign drop_source in notice_action_filters.

Have you seen this posting about the notice framework?

Robin
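Both options from the reply above, written out for policy/local/local.bro as an added example (not Randy's or Robin's code). It keeps the identifiers that appear in this thread; the notice_policy record-constructor syntax ($pred/$result/$priority) and the PortScan-only predicate are assumptions about the Bro 1.x notice framework, not something the thread shows.

```bro
# use catch-and-release (same two settings as in the original post)
redef Drop::use_catch_release = T;
redef Drop::can_drop_connectivity = T;

# Option 1: trigger the drop from notice_action_filters.
# drop_source must be mapped to the notice that should cause the drop
# (PortScan / AddressScan), not to Drop::AddressDropped, which is only
# generated after an address has already been dropped.
redef notice_action_filters += {
    [PortScan] = drop_source,
    [AddressScan] = drop_source,
    [Drop::AddressDropIgnored] = tally_notice_type_and_ignore,
};

# Option 2 (alternative, not needed if option 1 is used): return
# NOTICE_DROP from a notice_policy predicate. Assumed: notice_policy
# items are records with $pred, $result and $priority; a higher
# priority wins over the default NOTICE_ALARM_ALWAYS item at priority 0.
redef notice_policy += {
    [$pred(n: notice_info) = { return n$note == PortScan; },
     $result = NOTICE_DROP,
     $priority = 2],
};
```

After either change, `cluster install` and `cluster restart` as before; `cluster print Drop::drop_info` should then show entries once a scan notice fires.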