I am trying to identify connections with the same source host and destination host/port occurring at the same time. My plan is to examine each connection_established event. I've created a table that pairs up those 3 items and when the event fires it looks to see if the pair exists. If it does, I want to tag a bool value that I have added to the conn record to mark it as a duplicate. When the connection closes, it takes information about both connections and records them into a new log file. I have attached my code below. My problem is that I get a "field value missing [simultanious::c$conn]" on line 75 (c$conn$duplicate = T). If I move the command to the connection_closed event it works fine but that is too late.
Ideas?
Thanks,
Troy
local.bro
# Add a field to the connection log record.
redef record Conn::Info += {
	# Set to T when another connection with the same source host, destination
	# host and destination port was already open when this one was established.
	duplicate: bool &default=F;
};
type tmp : record
{
	# Timestamp of the event
	ts : time &log;
	# Source port
	orig_p : count &log;
	# UID
	uid : string &log;
};
# Add a field to the connection log record.
redef record Conn::Info += {
	# Details of the earlier connection this one duplicates
	# (timestamp, source port and UID); only set on duplicates.
	tmp_duplicate: tmp &optional;
};
@load simultanious
simultanious.bro
module simultanious;
export
{
	redef enum Log::ID += { LOG };
	# Data structure for the final record to log
	type Info : record
	{
		# Timestamp of the event
		ts : time &log;
		# Source IP host address
		orig_h : addr &log;
		# Destination IP host address
		resp_h : addr &log;
		# Destination port
		resp_p : count &log;
		# Protocol
		proto : transport_proto &log;
		# First connection timestamp
		first_ts : time &log;
		# First UID
		first_uid : string &log;
		# First originating port
		first_orig_p : count &log &optional;
		# Second connection timestamp
		second_ts : time &log;
		# Second UID
		second_uid : string &log;
		# Second originating port
		second_orig_p : count &log &optional;
	};
	type tmp : record
	{
		# Timestamp of the event
		ts : time &log;
		# Source port
		orig_p : count &log;
		# UID
		uid : string &log;
	};
	# Table of connections that are currently being tracked,
	# indexed by source IP address, destination IP address and destination port
	global current_connections : table [addr, addr, port] of tmp;
	## An event that can be handled to access the simultanious::Info
	## record as it is sent on to the logging framework
	global log_duplicate_connections : event(rec: Info);
#List of subnets to monitor
global monitor_subnets : set[subnet] = { 192.168.1.0/24, 192.68.2.0/24, 172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20 };
#List of ports to monitor
global monitor_ports : set [port] = { 443/tcp, 80/tcp, 8080/tcp, 22/tcp};
}
event bro_init()
{
	# Create the logging stream
	Log::create_stream(LOG, [$columns=Info, $path="simultanious_conn"]);
}
event connection_established(c: connection)
{
	# Check to see if there is already an entry for this connection triple in the table
	if ([c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections)
	{
		# There is a duplicate record
		#duplicate_host = T;
		c$conn$duplicate = T;
		c$conn$tmp_duplicate$ts = current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p]$ts;
		c$conn$tmp_duplicate$orig_p = current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p]$orig_p;
		c$conn$tmp_duplicate$uid = current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p]$uid;
		print fmt("dup - %s %s %s %s", c$uid, c$id$orig_h, c$id$resp_h, c$id$resp_p);
	}
	else
	{
		local temp_record : tmp = [$ts=c$start_time, $orig_p=port_to_count(c$id$orig_p), $uid=c$uid];
		current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p] = temp_record;
		print fmt("no dup - %s %s %s %s", c$uid, c$id$orig_h, c$id$resp_h, c$id$resp_p);
	}
}
event connection_state_remove(c: connection)
{
	if (c$conn$duplicate && c$duration > 1min)
	{
		print fmt("end of record dup %s %s %s %s %s", c$uid, c$id$orig_h, c$id$resp_h, c$id$resp_p, c$conn$tmp_duplicate);
		#Log::write (simultanious::LOG, temp_working_record);
	}
	else
	{
		print fmt("end of packet no dup - %s %s %s %s", c$uid, c$id$orig_h, c$id$resp_h, c$id$resp_p);
		# Forget the first connection once it closes, so later connections to the
		# same host/port are not flagged against an entry that is no longer open.
		if ([c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections &&
		    current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p]$uid == c$uid)
			delete current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p];
	}
}
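The error comes from where `c$conn` gets created: base/protocols/conn/main.bro fills in `c$conn` in its own `connection_state_remove` handler (at `&priority=5`) and writes conn.log at `&priority=-5`, so the field does not exist yet at `connection_established`. The script below is an added example (not the poster's code and not a reply from the list) of the usual way around that: keep per-connection state on the `connection` record, which exists for the whole lifetime of the connection, and only touch `c$conn` from `connection_state_remove`, where a default-priority handler runs between Conn's two handlers. It is written in Bro 2.x syntax; the field name `simultanious_first`, the `&log` on `duplicate`, and the values in `monitor_subnets`/`monitor_ports` are assumptions made for the example.

```bro
module simultanious;

export {
	redef enum Log::ID += { LOG };

	# One row per pair of simultaneous connections, written when the second one ends.
	type Info: record {
		ts:            time            &log;
		orig_h:        addr            &log;
		resp_h:        addr            &log;
		resp_p:        port            &log;
		proto:         transport_proto &log;
		first_ts:      time            &log;
		first_uid:     string          &log;
		first_orig_p:  port            &log;
		second_ts:     time            &log;
		second_uid:    string          &log;
		second_orig_p: port            &log;
	};

	# What is remembered about the first open connection of an (orig_h, resp_h, resp_p) triple.
	type First: record {
		ts:     time;
		orig_p: port;
		uid:    string;
	};

	global current_connections: table[addr, addr, port] of First;
	global log_simultanious: event(rec: Info);

	# Example values (assumption): which sources and destination ports to watch.
	global monitor_subnets: set[subnet] = { 192.168.0.0/16, 172.16.0.0/12 } &redef;
	global monitor_ports: set[port] = { 22/tcp, 80/tcp, 443/tcp, 8080/tcp } &redef;
}

# Per-connection state lives on the `connection` record, which exists for the whole
# lifetime of the connection. c$conn (Conn::Info) is only created by base/protocols/conn
# in its connection_state_remove handler (&priority=5), so writing c$conn from
# connection_established fails with "field value missing".
redef record connection += {
	simultanious_first: First &optional;
};

# The flag the post wanted in the conn record; &log makes it a column in conn.log.
redef record Conn::Info += {
	duplicate: bool &default=F &log;
};

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $ev=log_simultanious, $path="simultanious_conn"]);
	}

event connection_established(c: connection)
	{
	if ( c$id$orig_h !in monitor_subnets || c$id$resp_p !in monitor_ports )
		return;

	if ( [c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections )
		# Same triple still open: remember the first one on this connection.
		c$simultanious_first = current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p];
	else
		current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p] =
			[$ts=c$start_time, $orig_p=c$id$orig_p, $uid=c$uid];
	}

# Default priority 0 runs after Conn has filled in c$conn (priority 5) and before it
# writes conn.log (priority -5), so the flag set here reaches conn.log.
event connection_state_remove(c: connection)
	{
	if ( c?$simultanious_first )
		{
		if ( c?$conn )
			c$conn$duplicate = T;

		local first = c$simultanious_first;
		Log::write(LOG, [$ts=network_time(),
		                 $orig_h=c$id$orig_h, $resp_h=c$id$resp_h, $resp_p=c$id$resp_p,
		                 $proto=get_port_transport_proto(c$id$resp_p),
		                 $first_ts=first$ts, $first_uid=first$uid, $first_orig_p=first$orig_p,
		                 $second_ts=c$start_time, $second_uid=c$uid, $second_orig_p=c$id$orig_p]);
		}
	else if ( [c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections &&
	          current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p]$uid == c$uid )
		# The first connection of the triple ended; later ones are no longer simultaneous.
		delete current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p];
	}
```

With this version local.bro only needs `@load simultanious`; the `Conn::Info` redefs and the extra `tmp` type in local.bro are no longer required, since the script carries its own state and adds the `duplicate` column itself. If the flag really has to be written before the connection closes, Bro 2.x also exports `Conn::set_conn(c, F)`, which creates `c$conn` on demand; the example deliberately avoids that and keeps its own record instead, so nothing depends on the order in which Conn's handlers run.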