[Bro] Large outbound transfer
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed Mar 26 08:35:29 PDT 2014
On Mar 25, 2014, at 10:31 PM, scott mcallester <scott at 0x4c.com> wrote:
> I have, but it uses the connection_state_remove event, and the more I think about it, the more I think it wouldn't work.
> If someone manages to gain access to our file server, zips up 10-20gb of our files and starts transferring this out, I don't think this event would fire until the connection closes, which would be too late,
If you need to take actions based on conditions of an ongoing connection, you can possibly use the ConnPolling module to do it. An example usage of it is a gridftp detection script that ships w/ Bro.
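As an added illustration of the approach above (this is example code, not from the thread and not Bro's own gridftp script), the following Bro script uses ConnPolling::watch to re-check an open connection periodically and raise a notice as soon as a local originator has sent more than a threshold number of bytes to an external host, without waiting for connection_state_remove. The module name LargeOutbound, the notice type, and the 1 GiB threshold and 10-second polling interval are assumptions chosen for the example; the callback signature and its "negative interval stops polling" convention are those of ConnPolling.

```bro
@load base/frameworks/notice
@load base/protocols/conn
@load base/utils/site

module LargeOutbound;

export {
	redef enum Notice::Type += {
		## Raised while a connection is still open once the local
		## originator has sent more than size_threshold bytes.
		Large_Outbound_Transfer
	};

	## Originator byte count that triggers the notice (assumed value, 1 GiB).
	const size_threshold = 1073741824 &redef;

	## How often an open connection is re-checked (assumed value).
	const poll_interval = 10secs &redef;
}

# Callback invoked by ConnPolling; cnt increments on each call.
# Returning a negative interval tells ConnPolling to stop watching c.
function check_size(c: connection, cnt: count): interval
	{
	if ( c$orig$size > size_threshold )
		{
		NOTICE([$note=Large_Outbound_Transfer,
		        $msg=fmt("%s has sent %d bytes to %s in a still-open connection",
		                 c$id$orig_h, c$orig$size, c$id$resp_h),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
		return -1sec;
		}
	return poll_interval;
	}

# Only watch connections that originate inside the site and go outside it,
# so purely internal transfers are not polled.
event connection_established(c: connection)
	{
	if ( Site::is_local_addr(c$id$orig_h) && ! Site::is_local_addr(c$id$resp_h) )
		ConnPolling::watch(c, check_size, 0, poll_interval);
	}
```

Site::local_nets must be populated for the local/remote test to be meaningful, and the $identifier field suppresses repeated notices for the same host pair under the default Notice::suppression_interval.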