The Bro distribution includes a program called rst that will terminate
an active connection by sending a TCP "reset" packet to the sender. The
ftp and login analyzers will automatically call reset if the following
flag is defined in your site/site.local.bro file:
redef activate_rst = 1;
(Note: this is currently not implemented! Coming soon)
All connections from a forbidden_id get terminated, as well as any service
defined in terminate_successful_inbound_service. For example, to terminate
all successful attempts to access the RPC portmapper via TCP from an
external network, you would add this:
redef terminate_successful_inbound_service += { [111/tcp] = "disallow external portmapper" };