Is this type of script possible to create?

Is it possible that the statement described below can be crafted into a Bro script?

Please help me; if it is possible, let me know what I need to do to make this possible.

If my incoming traffic rate exceeds 44 Mbps and the average incoming traffic rate over the last 504 seconds exceeds the average incoming traffic rate over the last 965 seconds by more than 70%, send an alert.

Thank you, everyone.


This is actually a bit difficult - there is a function that you can call
regularly to get you information about the number of packets/bytes that
Bro received (get_net_stats); if you call this every second or so, you can
determine traffic rates. However, it does not split things out by
incoming/outgoing connections.

Apart from that the only other idea I have is to use the packet-level
events and count things manually - however, this will have quite a
performance impact.

I might be missing an obvious solution I am not thinking about here.
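
Added example, not part of the thread and not Bro code: the rule from the question evaluated in Python over a cumulative byte counter read once per second, which is the polling approach the reply above describes for get_net_stats. The class and function names and the sample readings are constructed for illustration, and the counter covers all received traffic, not only incoming.

```python
from collections import deque

class RateSpikeDetector:
    """Feed one cumulative byte-counter reading per second (all received
    traffic: as the reply notes, the counter is not split by direction)."""

    def __init__(self, floor_bps=44_000_000, short=504, long=965, excess=0.70):
        self.floor_bps, self.short, self.excess = floor_bps, short, excess
        self.rates = deque(maxlen=long)    # per-second rates, bits/s
        self.short_sum = self.long_sum = 0
        self.prev = None

    def update(self, total_bytes):
        """Return True when the rule fires for this one-second sample."""
        if self.prev is None or total_bytes < self.prev:
            self.prev = total_bytes        # first reading, or counter reset
            return False
        rate = (total_bytes - self.prev) * 8
        self.prev = total_bytes
        # Keep running sums instead of re-summing both windows every second.
        if len(self.rates) == self.rates.maxlen:
            self.long_sum -= self.rates[0]
        if len(self.rates) >= self.short:
            self.short_sum -= self.rates[-self.short]
        self.rates.append(rate)
        self.short_sum += rate
        self.long_sum += rate
        if len(self.rates) < self.rates.maxlen:
            return False                   # warm-up: long window not full yet
        short_avg = self.short_sum / self.short
        long_avg = self.long_sum / len(self.rates)
        return rate > self.floor_bps and short_avg > (1 + self.excess) * long_avg

def alert_seconds(readings):
    """Indices of the readings at which the rule fires."""
    det = RateSpikeDetector()
    return [i for i, total in enumerate(readings) if det.update(total)]

def constructed_counter(phases):
    """Build cumulative readings from (seconds, bytes_per_second) phases."""
    total, readings = 0, [0]
    for seconds, bytes_per_sec in phases:
        for _ in range(seconds):
            total += bytes_per_sec
            readings.append(total)
    return readings

if __name__ == "__main__":
    # Constructed sample: 461 s at 5 Mbps, then 604 s at 50 Mbps.
    print(alert_seconds(constructed_counter([(461, 625_000), (604, 6_250_000)])))
```

Because the 504-second window lies inside the 965-second one, the rule only fires while the older part of the long window is still much quieter than the recent part; a sustained high rate stops alerting once the long average catches up.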


You could do this with sumstats... you just have to do a bunch of math... and be happy with an average over a longer period of time. Since you only have to observe two counts, it actually wouldn't be that bad. Just observe the sum of the IP bytes based on which direction the traffic is in.... I could probably write an example script sometime tonight.

Alternatively--and I have no idea what the performance impact of this would be... you could use connection polling: