Notice on duration

James_inthe_box · March 18, 2016, 9:47pm

Hey all,

I've been tasked with seeing about getting an alert of some kind when a session (tcp/udp/icmp) lasts longer then a certain time. Is this something well suited for bro, or should I go looking at something like ntop-ng instead? Thank you.

James

Vlad_Grigorescu3 · March 21, 2016, 4:06pm

Hi James,

James Lay <jlay@slave-tothe-box.net> writes:

I've been tasked with seeing about getting an alert of some kind when a
session (tcp/udp/icmp) lasts longer then a certain time. Is this
something well suited for bro...?

It should be. Check out ConnPolling:

https://www.bro.org/sphinx/scripts/base/protocols/conn/polling.bro.html

This is a little-known feature that hasn't seen much use, but I'd be
very interested if you get this working for your use-case. So far, it's
been used to look for large (or fast) connections, such as:

github.com

JustinAzoff/bro-react/blob/master/conn-bulk.bro

##! A detection script for Bulk Flows

@load base/protocols/conn

module Bulk;

export {
    ## Number of bytes transferred before marking a connection as bulk
    const size_threshold = 134217728 &redef; #128 megabytes

    ## Max number of times to check whether a connection's size exceeds the
    ## :bro:see:`Bulk::size_threshold`.
    const max_poll_count = 30 &redef;

    ## Base amount of time between checking whether a data connection
    ## has transferred more than :bro:see:`Bulk::size_threshold` bytes.
    const poll_interval_1 = 500msec &redef;
    const poll_interval_2 = 30sec &redef;

    ## Raised when a Bulk data channel is detected.

This file has been truncated. show original

--Vlad

James_inthe_box · March 21, 2016, 6:12pm

Thanks Vlad...I'll give this a go.

James

Topic		Replies	Views
Quick question on conn tracking Zeek	8	92	May 6, 2022
Connection lasts huge time Zeek	2	71	May 6, 2022
Bro bug? Zeek	10	91	May 6, 2022
TCP Conn Log Zeek	3	90	May 6, 2022
Timers in Bro Zeek	2	63	May 6, 2022

Notice on duration

Related topics