I'm currently trying to develop a script for a project scenario and I would like to know if there are some more efficient approaches and/or solutions for the current problem.
The main task is defined as logging all connections and connection attempts occurring after a certain daytime.
At the moment I'm using the functions provided by the script located in base/protocols/conn/main.bro and the following events:
- content_gap //not sure about this one
Now I got stuck with a few questions:
1. Are those events enough to track every connection being established after a certain daytime? Or do I need additional events?
2. Why does the ../conn/main.bro script fill the c$conn attributes from Conn::Info (function set_conn()), if Bro provides them automatically after an event is removed from memory?
3. If I do include other scripts (e.g. base/protocols/dns), why are the records still missing in a connection object provided by the connection_state_remove() event?
I think it makes sense if there is a DNS event and the SSL record is missing, but even if it is a DNS event, there is still no DNS record with additional data about the connection. Am I missing something? Do I have to them by myself by using Bro functions?
4. Is it possible to determine how much data was transferred by a specific connection while it is still kept in memory? As an example: a connection was seen at a certain time and finished 10 seconds later. Is it possible to determine the sent bytes or protocol 5 seconds after initiation?
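The following Bro script is an added example, not code from the post above or from the Bro project. It shows one way to handle the logging task described in the post: it records connections whose start time falls after a configurable time of day (in connection_state_remove, where the connection record is complete), and, for question 4, schedules a timer at connection start that reads the byte counts of a connection that is still live in memory. The module name ConnWatch, the event name check_bytes, the 18:00 cutoff and the 5-second delay are assumptions chosen for the example; the fields and built-in functions used (c$start_time, c$orig$size, c$resp$size, connection_exists, lookup_connection, strftime, get_port_transport_proto) are standard Bro ones.

```bro
module ConnWatch;

export {
    ## Seconds after local midnight from which connections are logged.
    ## Constructed default: 18 * 3600 = 18:00 local time. Redefinable.
    const cutoff_secs_after_midnight: count = 18 * 3600 &redef;

    ## Hypothetical event used here to look at a live connection after a delay.
    global check_bytes: event(cid: conn_id);

    ## How long after connection start the live check runs (assumption).
    const live_check_delay: interval = 5sec &redef;
}

## Convert an absolute timestamp into seconds since local midnight.
## strftime() in Bro formats in local time, so the cutoff is local as well.
function seconds_since_midnight(t: time): count
{
    local h = to_count(strftime("%H", t));
    local m = to_count(strftime("%M", t));
    local s = to_count(strftime("%S", t));
    return h * 3600 + m * 60 + s;
}

## Question 4: inspect a connection while Bro still holds it in memory.
## c$orig$size and c$resp$size are the endpoint byte counters, available
## at any point during the connection, not only when it is removed.
event check_bytes(cid: conn_id)
{
    # The connection may already have ended and been expired from memory.
    if ( ! connection_exists(cid) )
        return;

    local c = lookup_connection(cid);
    print fmt("live check: %s:%d -> %s:%d after %s: orig=%d bytes, resp=%d bytes, duration=%s",
              cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p,
              live_check_delay, c$orig$size, c$resp$size, c$duration);
}

## Fires for every new connection (including attempts that never complete),
## so it is a convenient place to arm the delayed live check.
event new_connection(c: connection)
{
    if ( seconds_since_midnight(c$start_time) < cutoff_secs_after_midnight )
        return;

    schedule live_check_delay { check_bytes(c$id) };
}

## Fires when the connection is removed from memory; this is the point where
## c$conn (filled by base/protocols/conn) and the final counters are complete.
event connection_state_remove(c: connection)
{
    if ( seconds_since_midnight(c$start_time) < cutoff_secs_after_midnight )
        return;

    # conn_state is optional in Conn::Info, so guard the access.
    local state = "-";
    if ( c?$conn && c$conn?$conn_state )
        state = c$conn$conn_state;

    print fmt("%s %s:%d -> %s:%d proto=%s orig_bytes=%d resp_bytes=%d state=%s",
              strftime("%Y-%m-%d %H:%M:%S", c$start_time),
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              get_port_transport_proto(c$id$resp_p),
              c$orig$size, c$resp$size, state);
}
```

Run it as `bro -r trace.pcap connwatch.bro` (or load it on a live interface) and adjust cutoff_secs_after_midnight via redef. Using print keeps the example short; a production version would define a Log::ID and write a proper log stream instead, and would compare against the Conn::Info values (orig_bytes, resp_bytes, service) that base/protocols/conn fills in at connection_state_remove.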