Blocking with InternetDB function

We will now expand on what we've shown so far to drop connections based on information provided by InternetDB.

Block Connections from the Cloud

InternetDB returns a tags property that describes the type of device at a high level. You can see the list of available tags in the Datapedia. For example, the Zeek script below drops a connection if the remote IP is part of a cloud:

event NetControl::init() {
    # The debug plugin only records rules in netcontrol.log; it does not push them to a real device
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
}

event new_connection(c: connection) {
    # Look up the responder (remote) address of the new connection in InternetDB
    local b = InternetDB::lookup_internetdb_api(c$id$resp_h);
    # tags is optional, so check that the field is set before reading it
    if ( b?$tags ){
        if ( "cloud" in b$tags ){
            # Drop this connection for one minute
            NetControl::drop_connection(c$id, 1min);
        }
    }
}

Other notable tags are vpn, proxy, compromised and malware. To run this script you need a packet capture file; you can download an example from here:

$ zeek -r example_packet.pcap block_cloud.zeek

$ cat netcontrol.log
#separator \x09
#set_separator    ,
#empty_field    (empty)
#unset_field    -
#path    netcontrol
#open    2022-10-27-16-01-38
#fields    ts    rule_id    category    cmd    state    action    target    entity_type    entity    mod    msg    priority    expire    location    plugin
#types    time    string    enum    string    enum    string    enum    string    string    string    string    int    interval    string    string
0.000000    -    NetControl::MESSAGE    -    -    -    -    -    -    -    activating plugin with priority 0    -    -    -    Debug-All
0.000000    -    NetControl::MESSAGE    -    -    -    -    -    -    -    activation finished    -    -    -    Debug-All
0.000000    -    NetControl::MESSAGE    -    -    -    -    -    -    -    plugin initialization done    -    -    -    -
1664991487.260190    2    NetControl::RULE    ADD    NetControl::REQUESTED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/39222<->52.44.228.39/443    -    -    0    60.000000    -    Debug-All
1664991487.260190    2    NetControl::RULE    ADD    NetControl::SUCCEEDED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/39222<->52.44.228.39/443    -    -    0    60.000000    -    Debug-All
1664991501.098920    3    NetControl::RULE    ADD    NetControl::REQUESTED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/47390<->108.157.14.41/443    -    -    0    60.000000    -    Debug-All
1664991501.098920    3    NetControl::RULE    ADD    NetControl::SUCCEEDED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/47390<->108.157.14.41/443    -    -    0    60.000000    -    Debug-All
1664991505.629304    4    NetControl::RULE    ADD    NetControl::REQUESTED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/50618<->52.201.44.159/443    -    -    0    60.000000    -    Debug-All
1664991505.629304    4    NetControl::RULE    ADD    NetControl::SUCCEEDED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/50618<->52.201.44.159/443    -    -    0    60.000000    -    Debug-All
1664991513.821273    5    NetControl::RULE    ADD    NetControl::REQUESTED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/60790<->34.234.117.130/443    -    -    0    60.000000    -    Debug-All
1664991513.821273    5    NetControl::RULE    ADD    NetControl::SUCCEEDED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.1.6/60790<->34.234.117.130/443    -    -    0    60.000000    -    Debug-All
#close    2022-10-27-16-01-41

As the netcontrol.log output shows, connections to specific IPs such as 34.234.117.130/443 and 52.201.44.159/443 were dropped because InternetDB tagged them as cloud. InternetDB can report many other tags; the full list is in the Shodan Datapedia. To block a different category, change the tag name in this line:

if ( "cloud" in b$tags )
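To check what a run actually blocked, here is an added Python example (not part of the tutorial or the plugin) that parses a netcontrol.log in the format above and reduces the RULE records to one outcome per rule id. The embedded log excerpt is constructed with placeholder addresses and gives one rule a FAILED final state to show why the last state, not the REQUESTED record, is what counts.

```python
from typing import Dict, List

# Constructed netcontrol.log excerpt in the tab-separated Zeek format shown above.
# Addresses are documentation-range placeholders; rule 3 is given a FAILED final
# state (a NetControl::InfoState value) to show that REQUESTED alone proves nothing.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tnetcontrol",
    "#fields\tts\trule_id\tcategory\tcmd\tstate\taction\ttarget\tentity_type\tentity"
    "\tmod\tmsg\tpriority\texpire\tlocation\tplugin",
    "0.000000\t-\tNetControl::MESSAGE\t-\t-\t-\t-\t-\t-\t-\tactivation finished\t-\t-\t-\tDebug-All",
    "1.000000\t2\tNetControl::RULE\tADD\tNetControl::REQUESTED\tNetControl::DROP\tNetControl::FORWARD"
    "\tNetControl::CONNECTION\t192.0.2.6/39222<->203.0.113.10/443\t-\t-\t0\t60.000000\t-\tDebug-All",
    "1.000000\t2\tNetControl::RULE\tADD\tNetControl::SUCCEEDED\tNetControl::DROP\tNetControl::FORWARD"
    "\tNetControl::CONNECTION\t192.0.2.6/39222<->203.0.113.10/443\t-\t-\t0\t60.000000\t-\tDebug-All",
    "5.000000\t3\tNetControl::RULE\tADD\tNetControl::REQUESTED\tNetControl::DROP\tNetControl::FORWARD"
    "\tNetControl::CONNECTION\t192.0.2.6/47390<->203.0.113.11/443\t-\t-\t0\t60.000000\t-\tDebug-All",
    "5.000000\t3\tNetControl::RULE\tADD\tNetControl::FAILED\tNetControl::DROP\tNetControl::FORWARD"
    "\tNetControl::CONNECTION\t192.0.2.6/47390<->203.0.113.11/443\t-\t-\t0\t60.000000\t-\tDebug-All",
    "#close\t2022-10-27-16-01-41",
])

def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log: '#fields' names the columns; other '#' lines are metadata."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def drop_rule_outcomes(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """One entry per DROP rule id: the responder it targets, its expiry and the
    last state the plugin reported (later records for the same rule_id overwrite)."""
    out: Dict[str, Dict[str, str]] = {}
    for r in rows:
        if r.get("category") != "NetControl::RULE" or r.get("action") != "NetControl::DROP":
            continue
        remote = r["entity"].split("<->")[1].rsplit("/", 1)[0]  # responder side of entity
        out[r["rule_id"]] = {"remote": remote, "expire": r["expire"],
                             "state": r["state"].split("::")[-1]}
    return out

def blocked_remotes(outcomes: Dict[str, Dict[str, str]]) -> List[str]:
    """Responder IPs whose DROP rule the backend actually accepted (SUCCEEDED)."""
    return sorted(o["remote"] for o in outcomes.values() if o["state"] == "SUCCEEDED")
```

Run it against a real netcontrol.log with `parse_zeek_log(open("netcontrol.log").read())`; with the debug plugin every rule reports SUCCEEDED, so FAILED states will only appear once a real backend is wired in.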

Block vulnerable address

Another helpful property that InternetDB supports is vulns, which lists vulnerabilities the IP might be affected by. If you want to block connections with these potentially unsafe IPs, here is another example:

event NetControl::init() {
    # The debug plugin only records rules in netcontrol.log; it does not push them to a real device
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
}

event new_connection(c: connection) {
    # Look up the responder (remote) address of the new connection in InternetDB
    local b = InternetDB::lookup_internetdb_api(c$id$resp_h);
    # vulns is optional, so check that the field is set before reading it
    if ( b?$vulns ){
        # The list is compared as a string here: "[]" means InternetDB listed no vulnerabilities
        if ( b$vulns != "[]" ){
            # Drop this connection for one minute
            NetControl::drop_connection(c$id, 1min);
        }
    }
}

We provide another packet capture file for you to test this script; download it here.

$ zeek -r example_packet.pcap block_vulns.zeek

$ cat netcontrol.log
#separator \x09
#set_separator    ,
#empty_field    (empty)
#unset_field    -
#path    netcontrol
#open    2022-10-27-16-20-17
#fields    ts    rule_id    category    cmd    state    action    target    entity_type    entity    mod    msg    priority    expire    location    plugin
#types    time    string    enum    string    enum    string    enum    string    string    string    string    int    interval    string    string
0.000000    -    NetControl::MESSAGE    -    -    -    -    -    -    -    activating plugin with priority 0    -    -    -    Debug-All
0.000000    -    NetControl::MESSAGE    -    -    -    -    -    -    -    activation finished    -    -    -    Debug-All
0.000000    -    NetControl::MESSAGE    -    -    -    -    -    -    -    plugin initialization done    -    -    -    -
1537883950.179469    2    NetControl::RULE    ADD    NetControl::REQUESTED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.103.206/44511<->80.241.211.102/443    -    -    0    60.000000    -    Debug-All
1537883950.179469    2    NetControl::RULE    ADD    NetControl::SUCCEEDED    NetControl::DROP    NetControl::FORWARD    NetControl::CONNECTION    192.168.103.206/44511<->80.241.211.102/443    -    -    0    60.000000    -    Debug-All
#close    2022-10-27-16-20-21
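The decision logic shared by the two scripts above (drop on a blocked tag, drop on a non-empty vulns list) as an added Python example; it is not part of the tutorial or the Zeek plugin, and it works on the raw InternetDB JSON document rather than the plugin's record type. The responses, addresses and the CVE id are constructed placeholders, and the blocked tag set and the vulns switch are assumed policy knobs.

```python
import json
from typing import Iterable, Mapping, Tuple

# Constructed sample responses in the JSON shape InternetDB serves at
# https://internetdb.shodan.io/<ip> (keys: ip, ports, cpes, hostnames, tags, vulns).
# Addresses are documentation-range placeholders and the tag/vuln contents
# (including the CVE id) are made up for this example, not real lookup results.
SAMPLE_RESPONSES = {
    "203.0.113.10": '{"ip": "203.0.113.10", "ports": [443], "cpes": [], "hostnames": [], '
                    '"tags": ["cloud"], "vulns": []}',
    "203.0.113.11": '{"ip": "203.0.113.11", "ports": [22, 80], "cpes": [], "hostnames": [], '
                    '"tags": [], "vulns": ["CVE-0000-00001"]}',
    "203.0.113.12": '{"ip": "203.0.113.12", "ports": [80], "cpes": [], "hostnames": [], '
                    '"tags": [], "vulns": []}',
    "203.0.113.13": '{"ip": "203.0.113.13"}',  # tags/vulns absent, like the b?$tags case
}

def parse_internetdb(raw: str) -> dict:
    """Decode one InternetDB response; absent or malformed list fields become []."""
    rec = json.loads(raw)
    for key in ("ports", "cpes", "hostnames", "tags", "vulns"):
        if not isinstance(rec.get(key), list):
            rec[key] = []
    return rec

def should_drop(rec: Mapping, blocked_tags: Iterable[str] = ("cloud",),
                block_vulnerable: bool = True) -> Tuple[bool, str]:
    """Policy of the two Zeek scripts: drop on a blocked tag, else on any listed vuln.
    Returns (drop, reason) so the reason can be logged beside the NetControl rule."""
    matched = sorted(set(rec["tags"]) & set(blocked_tags))
    if matched:
        return True, "tag:" + ",".join(matched)
    if block_vulnerable and rec["vulns"]:
        return True, "vulns:" + ",".join(sorted(rec["vulns"]))
    return False, "no match"

def evaluate(responses: Mapping[str, str], **policy) -> dict:
    """Apply the policy to every response, keyed by the responder IP."""
    return {ip: should_drop(parse_internetdb(raw), **policy) for ip, raw in responses.items()}

if __name__ == "__main__":
    for ip, (drop, why) in evaluate(SAMPLE_RESPONSES, blocked_tags=("cloud", "vpn", "proxy")).items():
        print(f"{ip:15} {'DROP' if drop else 'allow':5} {why}")
```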