[Bro] problems with &*_expire attributes
vern at icir.org
Mon Dec 27 22:45:36 PST 2004
> i'm fighting with some problems:
> i encountered problems with the &*_expire attributes of table entries.
> it seems that they have no influence, nothing happens at all.
> i wrote the policy script below (don't ask for the purpose of this
> script, i just wrote it to learn bro) and i thought it should alarm more
> than once, if a host contacts unreachable hosts after a while. well, it
> does it only once and the function test is never called:
> > 1103883009.796358 TRWAddressScan x.x.x.x scanned a total of 4 hosts
> > 1103883009.796358 x.x.x.x connected 10 unreachable hosts
> > 1103883010.358487 AddressScan x.x.x.x has scanned 100 hosts (ftp-data)
> > 1103883010.358487 x.x.x.x connected 100 unreachable hosts
> > 1103883013.343568 x.x.x.x connected 1000 unreachable hosts
> > 1103883013.343568 AddressScan x.x.x.x has scanned 1000 hosts (ftp-data)
> > 1103883036.284724 TRWScanSummary x.x.x.x scanned a total of 4 hosts
What do you mean it should "alarm more than once"? It is indeed generating
multiple alarms (10 unreachable, 100 unreachable, 1000 unreachable).
Also, you need to clarify why would you expect "test" to be called.
All of the expirations you set:
> > global failed_connection_counter: table[addr] of count &read_expire=30sec
> > &write_expire=30sec &create_expire=30sec &expire_func=test;
are for 30 seconds after the last of different types of activity, yet the
timestamps of the alarm output you show span just a few seconds, so this
doesn't appear to be enough time for any of the expirations to occur.
More information about the Bro