Updating Router ACL

Bro can be used to send the IPs of scanning or attacking hosts to your router, so that the router can drop these hosts.

Since every router does this differently, you will need to write a script that works for your router. The Bro distribution contains a simple sample script which is installed as $BROHOME/scripts/sample_router_update.sh (coming soon).

To activate your custom drop script, add this to your site.local.bro file:

 @load drop
 redef can_drop_connectivity  = T;
 redef drop_connectivity_script = "my_drop_script";
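
One possible `my_drop_script`, given here as an added example; it is not the sample script from the Bro distribution. It assumes Bro passes the offending IPv4 address as the first argument and that the router accepts Cisco IOS-style extended ACL entries; `NEVER_DROP`, `ACL_NUMBER` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example of a drop script; not the Bro sample script.
# Assumption: Bro runs this script with the offending IPv4 address as $1.

NEVER_DROP="192.0.2.1 192.0.2.53"   # constructed: gateway, DNS server
ACL_NUMBER=101                       # hypothetical extended ACL number

# Succeed only for a strict dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                        # split into octets (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # leading zero, too long
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed if the address is one we must never block.
is_protected() {
    for keep in $NEVER_DROP; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}

# Print one ACL entry for the address, or print nothing and fail.
build_acl_line() {
    if ! is_ipv4 "$1"; then
        echo "my_drop_script: rejected, not an IPv4 address" >&2
        return 2
    fi
    if is_protected "$1"; then
        echo "my_drop_script: rejected, $1 is on the never-drop list" >&2
        return 3
    fi
    printf 'access-list %s deny ip host %s any\n' "$ACL_NUMBER" "$1"
}

# Delivering the line to the router is site-specific and not shown.
if [ "$#" -gt 0 ]; then
    build_acl_line "$1"
fi
```

Validating the argument matters because the script's output ends up in router configuration, and the never-drop list keeps a mistaken detection from cutting off your own infrastructure.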

More details coming soon.