UDP long running "connections"

Ankith_Kumar_Hanuman · September 17, 2020, 7:43pm

I’m using Zeek 3.1.5.

I need to monitor long running UDP “connections”, some lasting two or three days. If I understand correctly, Zeek only logs UDP connections in conn.log on the connection termination. I would also like to log the start of the connection in conn.log.

Any suggestions on how to start with this?

Thanks

Gary

: : : : : : : : : : : : : : : : : : : : : : : : : : :

Gary Huband
Sr. Software and Systems Engineer

Office: 434.284.8071 x720
Direct: 434.260.4995
Gary@MissionSecure.com

: : : : : : : : : : : : : : : : : : : : : : : : : : :

This email and any files transmitted with it are confidential and proprietary and intended solely for the use of the individual or entity to whom they are addressed. Any dissemination, distribution or copying of this communication is strictly prohibited without our prior permission. If you received this in error, please contact the sender and delete the material from any computer.

Christian · September 17, 2020, 8:43pm

Take a look at this Zeek package, Gary:

https://github.com/corelight/bro-long-connections

It lets you configure time durations at which it'll log connections to a new log, conn_long.

If you use Zeek 3.2, you'll see improved memory usage when using it.

Best,
Christian

Ankith_Kumar_Hanuman · September 17, 2020, 9:44pm

https://github.com/activecm/rita might help you hunt these as well.
Mike

Topic		Replies	Views
Long running connection using threshold Zeek	3	132	May 6, 2022
About zeek packet capture data writing time Zeek	4	424	December 15, 2022
Zeek conn.log questions Zeek	2	363	May 6, 2022
Long session detection script available in zeek ? Zeek	3	104	May 6, 2022
Zeek monitoring Zeek	1	89	May 6, 2022

UDP long running "connections"

Related topics