Bro logging connections after specific daytime

Hello,

I’m currently trying to develop a script for a project scenario and I would like to know if there are some more efficient approaches and/or solutions for the current problem.

The main task is defined as logging all connections and connection attempts occurring after a certain daytime.

At the moment I’m using the functions provided by the script located in base/protocols/conn/main.bro and the following events:

  • event bro_init() //used for initializing streams and so on

  • event bro_done() //used for clearing

  • event new_connection()

  • event connection_state_remove()

  • event content_gap() //not sure about this one

Now I got stuck with a few questions:

  1. Are those events enough to track every connection being established after a certain daytime? Or do I need additional events like: “event udp_reply()/udp_request()” and “connection_established()”?

  2. Why does the …/conn/main.bro script fill the c$conn-attributes from Conn::Info (function set_conn()), if Bro provides them automatically after an event is removed from memory?

  3. Even if I do include other scripts (e.g. base/protocols/dns/), why are the records still missing in a connection-object provided by the connection_state_remove()-event? I think it makes sense if there is a dns-event and the ssl-record is missing, but even if it's a dns-event, there is still no dns-record with additional data about the connection. Am I missing something? Do I have to fill them myself by using Bro-Functions?

  4. Is it possible to determine how much data was transferred by a specific connection while that connection is still in the memory? As an example: Connection was seen at a certain time, and finished 10 seconds later. Is it possible to determine the sent bytes 5 seconds after initiation?

Hello,

I'm currently trying to develop a script for a project scenario and I would like to know if there are some more efficient approaches and/or solutions for the current problem.

The main task is defined as logging all connections and connection attempts occurring after a certain daytime.

At the moment I'm using the functions provided by the script located in base/protocols/conn/main.bro and the following events:

  * event bro_init() //used for initializing streams and so on

  * event bro_done() //used for clearing
  * event new_connection()

  * event connection_state_remove()

  * event content_gap() //not sure about this one

If the purpose really is to only log connection information after a certain time (where the timestamp that currently is being logged in conn.log is between specific times of the day), you can do this even easier. The way I would probably go is to use a log predicate to filter on the timestamp; Logging Framework — Bro 2.6.1 documentation gives an example to do this.

Now I got stuck with a few questions:

  1. Are those events enough to track every connection being established after a certain daytime? Or do I need additional events like: "event udp_reply()/udp_request()" and "connection_established()"?

These should be enough. Actually, just connection_state_remove should be enough already for the connection information - the timestamp contained in the connection record is the timestamp of the first packet.

  2. Why does the ../conn/main.bro script fill the c$conn-attributes from Conn::Info (function set_conn()), if Bro provides them automatically after an event is removed from memory?

I am not quite sure what you mean here (specifically the "if Bro provides them automatically after an event is removed from memory" part). In any case - the Conn::Info record is the record that is used for logging. set_conn() copies information into that record so that it can be logged; the information originally is directly in the connection record, which is not suitable for logging.

  3. Even if I do include other scripts (e.g. base/protocols/dns/), why are the records still missing in a connection-object provided by the connection_state_remove()-event? I think it makes sense if there is a dns-event and the ssl-record is missing, but even if it's a dns-event, there is still no dns-record with additional data about the connection. Am I missing something? Do I have to fill them myself by using Bro-Functions?

You lost me a bit on the question here. The records (like c$dns) are filled as events are raised by the protocol parser that contain the necessary information for the log field.

  4. Is it possible to determine how much data was transferred by a specific connection while that connection is still in the memory? As an example: Connection was seen at a certain time, and finished 10 seconds later. Is it possible to determine the sent bytes 5 seconds after initiation?

No, that information is not held as far as I am aware.

Johanna
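
The log-predicate approach suggested in the reply above, as an added example that is not part of the original thread: a filter on Conn::LOG whose predicate checks the time of day of `rec$ts`. The module name, the window constants, the UTC offset and the log path are assumptions made for illustration.

```bro
@load base/protocols/conn

module AfterHours;

export {
	## Start and end of the logging window as offsets from local midnight
	## (assumed values; the window may wrap past midnight).
	const window_start: interval = 18hr &redef;
	const window_end: interval = 6hr &redef;
	## Offset of local time from UTC (assumed; Bro timestamps are epoch seconds).
	const utc_offset: interval = 0sec &redef;
}

# Seconds elapsed since local midnight for timestamp t.
function secs_of_day(t: time): double
	{
	local s = time_to_double(t) + interval_to_double(utc_offset);
	return s - floor(s / 86400.0) * 86400.0;
	}

# Log predicate: true when the connection's first packet falls in the window.
function in_window(rec: Conn::Info): bool
	{
	local s = secs_of_day(rec$ts);
	local a = interval_to_double(window_start);
	local b = interval_to_double(window_end);
	if ( a <= b )
		return s >= a && s < b;
	# Window wraps midnight, e.g. 18:00 to 06:00.
	return s >= a || s < b;
	}

event bro_init()
	{
	# Adds a second stream next to the default conn.log.
	local filter: Log::Filter = [$name="after-hours",
	                             $path="conn_after_hours",
	                             $pred=in_window];
	Log::add_filter(Conn::LOG, filter);
	}
```

Because `rec$ts` is the timestamp of the first packet, a connection that starts before the window and ends inside it is not written to conn_after_hours.log.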

Hello,
At first, thanks a lot for your answers!!!

So I’ll try to explain my question(s) more clearly.
If I do understand it correctly, I have to use the correct event to create/initialize or refresh the data of a given or self-created record and add this one as an attribute to the connection record.
Afterwards I’m able to write the information of that specific record to a log file.
My question at this point is: why is the connection record itself not suitable for logging?

While trying to realize the given scenario, I studied the given scripts of Bro. In some scripts there are functions being used that I need to look up to understand their usage. As an example, “get_port_transport_proto”, which is quite easy to understand just by reading the name.
My question is: is there any documentation aside from the script index (https://www.bro.org/sphinx/script-reference/scripts.html) where I can find those functions being listed and explained?
It makes looking up those functions or finding the needed ones quite hard.

Greetings
Dominique