Greetings
I have been doing some experiments with broccoli (thanks again, Christian) and I'm trying to understand the differences between what I see in real time from broccoli vis-à-vis some earlier work I did using bro -r a_tcpdump_file conn.bro. Looking at the conn.bro policy, it looks like it records a connection record for the events connection_attempt, _partial_close, _finished, _half_finished, _rejected, and _reset, using record_connection(connection_record, string). The string parameter denotes the type of event, but this does not get printed. It does record a state as part of the connection record which gives you an idea of what the event was all about. Is my interpretation correct?
Thanks
Mike
Hi Mike,
> Greetings
> I have been doing some experiments with broccoli (thanks again, Christian)
> and I'm trying to understand the differences between what I see in real time
> from broccoli vis-à-vis some earlier work I did using bro -r a_tcpdump_file
> conn.bro. Looking at the conn.bro policy, it looks like it records a
> connection record for the events connection_attempt, _partial_close,
> _finished, _half_finished, _rejected, and _reset, using
> record_connection(connection_record, string).
Uhmmm, is this using a recent Bro? On 0.9x record_connection() is only
triggered when a connection is expired, that is, from event
connection_state_remove(). Also, its signature is

    function record_connection(f: file, c: connection)

> The string parameter denotes
> the type of event, but this does not get printed. It does record a state as
> part of the connection record which gives you an idea of what the event was
> all about. Is my interpretation correct?
Yes, record_connection() prints a summary of the connection's lifetime,
including a short summary of how Bro thinks it got created, torn down,
etc. See
http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html
Cheers,
Christian.
Ah I see -- you want the equivalent of record_connection() in your
Broccoli client. I'd recommend modeling your code directly after 0.8's
record_connection()'s implementation.
On the Broccoli end, once you obtain a port as a pointer to a BroPort
structure, you can tell the transport layer type by looking at the
port_proto member. That should be all you need?
Cheers,
Christian.
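As an added illustration of the two hints above (it is not code from this thread, from Bro, or from Broccoli), here is a C routine a Broccoli client could use when modeling record_connection(): it takes the transport protocol as the value a BroPort's port_proto carries and the two endpoint states from the connection record, and returns the short state label conn.bro's summary prints. The endpoint state numbering and the decision table are assumptions modeled on conn.bro's summary codes (S0, SF, REJ, ...), not a verified copy of any Bro release.

```c
/* Added example: not from this thread, from Bro, or from Broccoli.
 * Maps the endpoint states a Broccoli client can read out of a Bro
 * connection record, plus the transport protocol from BroPort.port_proto,
 * to the short state label conn.bro's record_connection() prints.
 * ASSUMPTION: the state numbering and the decision table below are modeled
 * on conn.bro's summary codes, not a verified copy of any Bro release. */
#include <netinet/in.h> /* IPPROTO_TCP / IPPROTO_UDP, as carried in port_proto */
#include <string.h>

/* Assumed per-endpoint states, mirroring the TCP_* / UDP_* constants of bro.init. */
enum { TCP_INACTIVE, TCP_SYN_SENT, TCP_SYN_ACK_SENT, TCP_PARTIAL,
       TCP_ESTABLISHED, TCP_CLOSED, TCP_RESET };
enum { UDP_INACTIVE, UDP_ACTIVE };

/* os/rs: originator/responder endpoint state; sizes: bytes each side sent. */
const char *conn_state(int port_proto, int os, int rs,
                       unsigned long orig_size, unsigned long resp_size)
{
    int o_inactive = (os == TCP_INACTIVE || os == TCP_PARTIAL);
    int r_inactive = (rs == TCP_INACTIVE || rs == TCP_PARTIAL);

    if (port_proto == IPPROTO_TCP) {
        if (rs == TCP_RESET) {
            /* A reset answering a bare SYN (no payload either way) is a rejection. */
            if (os == TCP_SYN_SENT || os == TCP_SYN_ACK_SENT ||
                (os == TCP_RESET && orig_size == 0 && resp_size == 0))
                return "REJ";
            return o_inactive ? "RSTRH" : "RSTR";
        }
        if (os == TCP_RESET)
            return r_inactive ? "RSTOS0" : "RSTO";
        if (os == TCP_CLOSED && rs == TCP_CLOSED)
            return "SF";                      /* normal SYN ... FIN lifetime */
        if (os == TCP_CLOSED)
            return r_inactive ? "SH" : "S2";  /* originator closed first */
        if (rs == TCP_CLOSED)
            return o_inactive ? "SHR" : "S3"; /* responder closed first */
        if (os == TCP_SYN_SENT && rs == TCP_INACTIVE)
            return "S0";                      /* attempt, no reply ever seen */
        if (os == TCP_ESTABLISHED && rs == TCP_ESTABLISHED)
            return "S1";                      /* still open when expired */
        return "OTH";
    }
    if (port_proto == IPPROTO_UDP) {
        if (os == UDP_ACTIVE)
            return rs == UDP_ACTIVE ? "SF" : "S0";
        return rs == UDP_ACTIVE ? "SHR" : "OTH";
    }
    return "OTH";                             /* ICMP or anything else */
}
```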