[Bro] Large outbound transfer

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Mar 26 08:35:29 PDT 2014

On Mar 25, 2014, at 10:31 PM, scott mcallester <scott at 0x4c.com> wrote:

> I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
> If someone manages to gain access to our file server, zips up 10-20 GB of our files and starts transferring this out, I don't think this event would fire until the connection closes, which would be too late,

If you need to take actions based on conditions of an ongoing connection, you can possibly use the ConnPolling [1] module to do it.  An example usage of it is a gridftp detection script that ships w/ Bro [2].

- Jon

[1] http://bro.org/sphinx/scripts/base/protocols/conn/polling.html
[2] http://bro.org/sphinx/scripts/base/protocols/ftp/gridftp.html
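As an added illustration of the polling approach Jon points to (this is example code written for this archive page, not part of the original thread, nor a script that ships with Bro): the script below watches connections originated by a file server and re-checks each one while it is still open, raising a notice as soon as the originator has sent more than a threshold, rather than waiting for connection_state_remove. It assumes the ConnPolling::watch(c, callback, i, ival) signature from the linked polling module, and that the callback returning a negative interval stops polling, which is how the linked gridftp script uses it. The watched address, the 1 GiB threshold, the 30 second poll interval and the Notice type name are all made-up values for the example.

```bro
@load base/frameworks/notice
@load base/protocols/conn
@load base/utils/site

module LargeOutbound;

export {
	redef enum Notice::Type += {
		## Raised while a connection from a watched host is still open
		## and the originator has already sent more than size_threshold.
		Large_Outbound_Transfer,
	};

	## Hosts whose outbound connections are polled (example address only).
	const watched_hosts: set[addr] = { 10.0.0.5 } &redef;

	## Bytes the originator may send before a notice is raised (example value: 1 GiB).
	const size_threshold = 1073741824 &redef;

	## How often an open connection is re-examined (example value).
	const poll_interval = 30sec &redef;
}

# Called by ConnPolling on every poll; cnt is the number of calls so far.
# The return value is the delay until the next poll.
function size_callback(c: connection, cnt: count): interval
	{
	# c$orig$size is the byte count seen from the originator so far and is
	# updated while the connection is still open, so the check does not
	# have to wait for connection_state_remove.
	if ( c$orig$size > size_threshold )
		{
		NOTICE([$note=Large_Outbound_Transfer,
		        $conn=c,
		        $msg=fmt("%s has sent %d bytes to %s on a still-open connection",
		                 c$id$orig_h, c$orig$size, c$id$resp_h),
		        $identifier=cat(c$uid)]);

		# Assumption (matches the gridftp script's usage): a negative
		# interval tells ConnPolling to stop polling this connection.
		return -1sec;
		}

	return poll_interval;
	}

# Start polling as soon as a watched host opens a connection to an
# address outside the local networks (Site::local_nets).
event new_connection(c: connection)
	{
	if ( c$id$orig_h in watched_hosts && ! Site::is_local_addr(c$id$resp_h) )
		ConnPolling::watch(c, size_callback, 0, 0secs);
	}
```

Because the byte count is taken from the connection record mid-flight, the notice fires at the first poll after the threshold is crossed, so the worst-case delay is one poll_interval plus however long the transfer needs to reach the threshold; lowering poll_interval trades detection latency for more callback work on busy hosts.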
