The Bro distribution includes a program called rst that terminates an active connection by sending a TCP "reset" packet to the sender. The ftp and login analyzers look for connections that should be terminated: every connection from a forbidden_id is flagged for termination, as is any connection to a service listed in terminate_successful_inbound_service.
Connection termination is off by default. To enable it, redefine the following flag in your site/site.local.bro file:

redef activate_terminate_connection = T;
Connections are terminated using the rst program, which is installed in $BROHOME/bin. For it to work, change the file's permissions so that it runs setuid root. Whenever a connection is terminated you will see a TerminatingConnection alarm. If Bro detects a connection that it considers a candidate for termination while activate_terminate_connection = F, you will instead see the alarm IgnoreTerminatingConnection.
You may want to add a number of services to the list of forbidden services. For example, to terminate all successful attempts to access the RPC portmapper via TCP from an external network, you would add this:
redef terminate_successful_inbound_service += { [111/tcp] = "disallow external portmapper" };
This will prevent NFS connections from external hosts. P2P services such as KaZaa can also be terminated in this manner. You can make exceptions to terminate_successful_inbound_service by redefining allow_services_to; see hot.bro for details.
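The following site.local.bro fragment is an added example, not part of the Bro distribution or of this page, that puts the pieces above together: it switches termination on, adds two inbound services to the terminate list, and carves out one exception so that a designated internal NFS server can still be reached on the portmapper port. It assumes that allow_services_to is declared in hot.bro as a set[addr, port] (that is how it is used here; check your hot.bro before copying), that 1214/tcp is the port your KaZaa traffic actually uses (the conventional KaZaa port, given here as a constructed value), and that 10.0.0.5 is a placeholder for your own NFS server's address.

```bro
# site/site.local.bro  (added example; adjust the constructed values)

# hot.bro defines forbidden_ids, terminate_successful_inbound_service and
# allow_services_to; load it so the redefs below apply to the real sets.
@load hot

# Turn connection termination on (off by default).  With this set to F you
# would only see IgnoreTerminatingConnection alarms instead of resets.
redef activate_terminate_connection = T;

# Services whose successful inbound connections should be reset.  The string
# is the reason that shows up with the TerminatingConnection alarm.
redef terminate_successful_inbound_service += {
	[111/tcp]  = "disallow external portmapper",   # blocks external NFS access
	[1214/tcp] = "disallow KaZaa",                 # constructed: KaZaa's usual port
};

# Exception: this one internal host may be reached on the portmapper port
# even though 111/tcp is in the terminate list.  Placeholder address.
redef allow_services_to += {
	[10.0.0.5, 111/tcp],
};
```

Two operational points worth checking once this is in place. First, because rst must be setuid root, keep its ownership and mode as tight as your setup allows (for instance owned by root, group-restricted to the account Bro runs as, with no world execute bit), since any account that can run it can reset arbitrary connections on the monitored network. Second, exercise the policy before trusting it: an allowed connection to the placeholder host on 111/tcp should produce no alarm, an external connection to 111/tcp on any other host should produce a TerminatingConnection alarm with the "disallow external portmapper" reason, and if you temporarily set activate_terminate_connection back to F the same connection should produce IgnoreTerminatingConnection instead.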