[Bro] processing many files with bro
estrada.veronica at gmail.com
Wed Mar 10 09:15:29 PST 2010
Thanks everyone for the answers,
My original question was connected with a second problem. I am trying
a summary of wrong fragments to the corresponding line in the connection
To avoid the same connection becoming split and analyzed in different bro
runs, I will go for second option as you suggested me. After that, I will
have the majority of connections summarize in the same conn.bro file. But
after solving this, I am still confused about how to associate the wrong
fragment count with its corresponding connection logged in conn.bro
To my understand, wrong fragments are generated in the flow_weird event and
they don´t have associated a c$id, only src and dst address.
1. How can I check the connection that generated that wrong fragment event?
2. Should I assign the fragment to the last connection registered in the
conn.bro who has connection initiation time before the fragment I want to
count? I don´t think this is enough. For instance, if two different
connections between A-B are active I cannot distinguish them.
Besides, I read about active and pasive timeouts on connections (Flow-based
TCP Connection Analysis by Limmer and Dressler).
I don´t understand how this topic is treated in BRO. Since I can only find
only one type of timeout (tcp_inactivity_timeout). Is this timeout the
active timeout? I think probably there are others timeout such as handshake
timeouts that I am missing.
Maybe I am getting into the details of bro design, I want to understand what
I am doing, and what I shouldn´t do to get the wrong fragment count inside
the conn.bro file.
Sorry, maybe I should open another thread with this e-mail. I was not sure
how to deal with it.
The University of Tokyo
On Thu, Mar 11, 2010 at 1:30 AM, Robin Sommer <robin at icir.org> wrote:
> On Wed, Mar 10, 2010 at 23:46 +0900, Veronica Estrada wrote:
> > The other solution. I know that split pcap files can be merged in one
> > file, but I will have problems with memory, and bro may crash if it has a
> > limitation for processing big size pcap file.
> That's probably the best solution and you can do it on the fly: have
> your merge tool (e.g., tcpslice) write to stdout and Bro read from
> stdin with "-r -". The effect on memory will indeed be that of one
> large pcap file but if that causes trouble, you should to tweak the
> Bro configuration.
> Using &persistent is unlikely to do what you want as it stores only
> script-level state, not internal state for connections that cross
> file boundaries.
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro