User Manual: Intrusion Prevention Using Bro
From BroWiki
Bro includes two important active response capabilities that allow sites to use Bro for intrusion prevention, and not just intrusion detection. These include the ability to terminate a connection known to be an intrusion, and the ability to update a blocking router's access control list (ACL) to block attacking hosts.
Terminating a Connection
The Bro distribution includes a program called rst that terminates an active connection by sending a TCP "reset" packet to the sender. The ftp and login analyzers look for connections that should be terminated. All connections from a forbidden_id listed in hot-ids are flagged for termination, as are successful inbound connections to any service listed in terminate_successful_inbound_service.
Connection termination is off by default. To enable it, redefine the following flag in your site/site.local.bro file:
redef activate_terminate_connection = T;
Connections are terminated using the rst program, which is installed in $BROHOME/bin. Because injecting a reset packet requires raw-socket privileges, you must change the file permissions of rst so that it is setuid root before it can be used.
Whenever a connection is terminated you will see a TerminatingConnection alarm. If Bro detects a connection that it considers a candidate for termination but activate_terminate_connection = F, you will instead see the alarm IgnoreTerminatingConnection.
You may want to add a number of services to the list of forbidden services. For example, to terminate all successful attempts to access the RPC portmapper via TCP from an external network, you would add this:
redef terminate_successful_inbound_service += {
[111/tcp] = "disallow external portmapper"
};
This will prevent NFS connections from external hosts. P2P services such as KaZaa can also be terminated in this manner. You can make exceptions to terminate_successful_inbound_service by redefining allow_services_to. See hot.bro for details.
Updating Router ACL
Bro can send the IPs of scanning or attacking hosts to your router, so that the router drops traffic from those hosts.
Since every router does this differently, you will need to write a script that works for your router.
To activate your custom drop script, add this to your hostname.bro file:
redef can_drop_connectivity = T;
redef drop_connectivity_script = "my_drop_script";
At LBL we use a program called acld to update the ACLs in our border routers on the fly. This code is available at: ftp://ftp.ee.lbl.gov/acld.tar.gz
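The following is an added example of the kind of custom drop script described above; it is not part of Bro, of acld, or of this page. It assumes Bro invokes the script named in drop_connectivity_script with the offending address as its first argument, and it leaves the router-specific ACL command as a placeholder while showing the checks a site should wrap around it: validating the argument and refusing to block its own infrastructure.

```shell
#!/bin/sh
# Constructed example of a drop_connectivity_script wrapper; not part of Bro
# or of the page. Assumption: Bro runs the script with the address to block
# as the first argument. The router-specific command is a placeholder.

# Constructed allowlist of addresses the script must never block (the monitor,
# resolvers, the router's own interfaces); one bad alarm must not cut them off.
NEVER_DROP="${NEVER_DROP:-10.0.0.0/8 192.168.1.1/32 127.0.0.0/8}"

# Accept only a well-formed IPv4 dotted quad. Leading zeros are rejected
# because the shell would read them as octal in the arithmetic below.
valid_ipv4() (
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*|0?*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
)
ip_to_int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)
# in_cidr ADDR NETWORK/PREFIX: succeeds when ADDR lies inside the network.
in_cidr() {
    case $2 in */*) net=${2%/*}; bits=${2#*/} ;; *) net=$2; bits=32 ;; esac
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}
# should_drop ADDR: succeeds only for a valid address outside NEVER_DROP.
should_drop() {
    valid_ipv4 "$1" || return 1
    for cidr in $NEVER_DROP; do
        in_cidr "$1" "$cidr" && return 1
    done
    return 0
}

# Entry point when Bro invokes the script: block and record the address, or
# log the refusal so that an unexpected drop request is visible to the operator.
main() {
    if should_drop "$1"; then
        logger -t bro-drop "blocking $1"
        # ROUTER-SPECIFIC ACL UPDATE GOES HERE (placeholder)
        printf '%s\n' "$1" >> /var/log/bro-drop.list
    else
        logger -t bro-drop "refused to block '$1'"; exit 1
    fi
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Set NEVER_DROP in the environment, or edit the constructed default, to match the hosts your router and monitor depend on.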