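@load tcp
@load udp
@load conn

# Egress-policy detector: hosts in restricted_outgoing_networks are not
# expected to initiate connections to non-local destinations.  Any such
# attempt that is not whitelisted raises UnexpectedOutgoingConnection and
# is appended to the restricted-outgoing log.
module RestrictedOutgoing;

export {
	# The type of notice we'll emit
	redef enum Notice += {
		UnexpectedOutgoingConnection,
	};

	# Once we detect a restricted connection, don't alert on
	# it again for some amount of time.  Note that if the connection
	# keeps happening more frequently than this interval, you won't
	# get additional alerts until the timeout has a chance to occur.
	const restricted_connection_timeout = 60 secs &redef;

	# Hosts in these subnets should never initiate connections to the
	# Internet (anything outside local_nets).
	const restricted_outgoing_networks: set[subnet] &redef;

	# Destinations we don't mind if even restricted hosts visit
	const allowed_outgoing_dsts: set[subnet] &redef;

	# These sources are allowed to talk to these dests
	const allowed_outgoing_dst_pairs: set[addr, addr] &redef;

	# These subnets can contact anyone they want on these services.
	# The originator is matched by subnet containment, so an entry such as
	# [10.0.0.0/8, 53/udp] covers every host in that /8, not only an exact
	# /32 entry.
	const allowed_outgoing_network_service_pairs: set[subnet, port] &redef;

	# Returns T (and emits the notice/log line) when c is a restricted
	# originator reaching a non-local, non-whitelisted destination that has
	# not already been reported within restricted_connection_timeout;
	# F otherwise.
	global check_restricted_outgoing: function(c: connection): bool;

	# The file we log to
	const restricted_outgoing_file = open_log_file("restricted-outgoing") &redef;
}

# Suppression state: (orig, resp, resp_p) -> time of last report.  Entries
# age out restricted_connection_timeout after their last write, which is
# what re-arms the alert for that triple.
global detected_restricted_connections: table[addr, addr, port] of time
	&write_expire = restricted_connection_timeout;

# T when some (subnet, port) whitelist entry contains orig and names svc.
# A set[subnet, port] membership test only matches an identical subnet, so
# the whitelist has to be walked to honour entries wider than /32.
function allowed_by_network_service(orig: addr, svc: port): bool
	{
	for ( [net, allowed_port] in allowed_outgoing_network_service_pairs )
		{
		if ( orig in net && svc == allowed_port )
			return T;
		}

	return F;
	}

function check_restricted_outgoing(c: connection): bool
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;
	local svc = c$id$resp_p;

	# Reported recently; stay quiet until the table entry expires.
	if ( [orig, resp, svc] in detected_restricted_connections )
		return F;

	# Only restricted originators, and only when the destination is not
	# one of our own networks.
	if ( orig !in restricted_outgoing_networks || resp in local_nets )
		return F;

	# Whitelists, cheapest-first is not important here; order is only
	# kept so that all three exemptions are visibly equivalent.
	if ( allowed_by_network_service(orig, svc) )
		return F;

	if ( [orig, resp] in allowed_outgoing_dst_pairs )
		return F;

	if ( resp in allowed_outgoing_dsts )
		return F;

	local proto = get_port_transport_proto(c$id$orig_p);

	NOTICE([$note=UnexpectedOutgoingConnection, $conn=c,
	        $msg=fmt("Restricted Outgoing Connection : %s %s",
	                 id_string(c$id), proto)]);

	print restricted_outgoing_file,
	      fmt("%.6f Restricted Outgoing Connection : %s %s",
	          network_time(), id_string(c$id), proto);

	# Record the report so the same triple is suppressed for the timeout.
	detected_restricted_connections[orig, resp, svc] = network_time();

	return T;
	}

# new_connection is raised when a connection is first seen, so an
# attempted (unanswered) outbound connection is reported as well as a
# completed one -- TODO confirm against the Bro version in use.
event new_connection(c: connection)
	{
	check_restricted_outgoing(c);
	}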