Long running connection using threshold

Petr_Medonos · March 31, 2020, 7:23pm

Hi,
I tried to write simple script to detect long running connection using
zeek (3.0) threshold. I set duration in connection established event and
then using duration_threshold_crossed logged connection above the limit.
But Notice log is then flooded with every new established connection.
Simple PoC bellow. Did I missed something? Is there any better way to
detect long running connection? I tried Corelight bro-long-connections
but there is lot overhead in my environment. Thanks for pointing me the
right way!

Jon_Siwek · April 6, 2020, 8:43pm

Hi Petr,

Your example code looked correct to me, but I found what simply looked
like a bug in the connection thresholding code that did the duration
comparison in reverse of what it should. Here's my proposed patch:
https://github.com/zeek/zeek/pull/899

- Jon

Petr_Medonos · April 8, 2020, 4:20pm

Hi Jon,
thanks for the fix. Works like a charm!

Topic		Replies	Views
UDP long running "connections" Zeek	3	100	May 6, 2022
About zeek packet capture data writing time Zeek	4	324	December 15, 2022
Zeek monitoring Zeek	1	57	May 6, 2022
Connections and Crossed_Threshold-Event Zeek	1	70	May 6, 2022
Notice on duration Zeek	3	56	May 6, 2022

Long running connection using threshold

Related Topics