Hey all,
I've been tasked with seeing about getting an alert of some kind when a session (tcp/udp/icmp) lasts longer than a certain time. Is this something well suited for bro, or should I go looking at something like ntop-ng instead? Thank you.
James
Hi James,
James Lay <jlay@slave-tothe-box.net> writes:
I've been tasked with seeing about getting an alert of some kind when a
session (tcp/udp/icmp) lasts longer than a certain time. Is this
something well suited for bro...?
It should be. Check out ConnPolling:
https://www.bro.org/sphinx/scripts/base/protocols/conn/polling.bro.html
This is a little-known feature that hasn't seen much use, but I'd be
very interested if you get this working for your use-case. So far, it's
been used to look for large (or fast) connections, such as:
--Vlad
Thanks Vlad...I'll give this a go.
James
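As an added example (not code from the thread or from the Bro project), here is how ConnPolling, as Vlad points to above, can be used to raise a Notice once any connection has been open longer than a threshold. The module name, the notice type and the two tunables are assumptions; ConnPolling::watch and the connection record's duration field are Bro's own.

```bro
##! Added example, not from the thread: alert once a connection
##! (tcp/udp/icmp) has been open longer than a configurable threshold.
##! Module name, notice type and tunables below are assumptions.

@load base/protocols/conn/polling
@load base/frameworks/notice

module LongConn;

export {
	redef enum Notice::Type += {
		## A connection has been open longer than duration_threshold.
		Long_Connection,
	};

	## Raise a notice once a connection's duration exceeds this.
	const duration_threshold = 30min &redef;

	## How often to re-check a connection still below the threshold.
	const poll_interval = 5min &redef;
}

# Callback invoked by ConnPolling. ConnPolling refreshes the connection
# record before each call, so c$duration is current. Returning a
# negative interval tells ConnPolling to stop polling this connection.
function check_duration(c: connection, cnt: count): interval
	{
	if ( c$duration < duration_threshold )
		return poll_interval;  # still short; check again later

	NOTICE([$note=Long_Connection,
	        $conn=c,
	        $msg=fmt("%s connection open for %s (poll #%d)",
	                 get_port_transport_proto(c$id$resp_p), c$duration, cnt),
	        $identifier=c$uid]);  # one notice per connection

	return -1sec;  # alerted once; stop polling this connection
	}

# new_connection fires for every transport protocol, including udp/icmp.
event new_connection(c: connection)
	{
	# First check exactly at the threshold; the callback reschedules
	# itself every poll_interval until the threshold is crossed.
	ConnPolling::watch(c, check_duration, 0, duration_threshold);
	}
```

Load it with `@load` from local.bro and watch notice.log; the connection's own uid ties the notice back to conn.log once the session finally ends.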