[Bro] Notice on duration

Vlad Grigorescu vladg at illinois.edu
Mon Mar 21 09:06:02 PDT 2016

Hi James,

James Lay <jlay at slave-tothe-box.net> writes:

> I've been tasked with seeing about getting an alert of some kind when a 
> session (tcp/udp/icmp) lasts longer than a certain time.  Is this 
> something well suited for bro...?

It should be. Check out ConnPolling:


This is a little-known feature that hasn't seen much use, but I'd be
very interested if you get this working for your use-case. So far, it's
been used to look for large (or fast) connections, such as:


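An added example, not part of the original message: one way to raise a notice on long-lived sessions with `ConnPolling::watch`, which ships in Bro's `base/protocols/conn` scripts. The module name `LongConn`, the notice type `Long_Duration`, and both interval values are assumptions chosen for illustration.

```bro
# Added example (not from the original post): alert when a TCP/UDP/ICMP
# flow stays open longer than a threshold, using ConnPolling.
@load base/protocols/conn
@load base/frameworks/notice

module LongConn;

export {
	redef enum Notice::Type += {
		## Raised once when a connection exceeds duration_threshold.
		Long_Duration,
	};

	## Assumed threshold; set it to whatever the site's policy requires.
	const duration_threshold = 1hr &redef;

	## Assumed polling period for each tracked connection.
	const poll_interval = 1min &redef;
}

# Callback invoked by ConnPolling. The returned interval schedules the
# next check; a negative interval stops polling for this connection.
function check_duration(c: connection, cnt: count): interval
	{
	if ( c$duration >= duration_threshold )
		{
		NOTICE([$note=Long_Duration,
		        $conn=c,
		        $msg=fmt("Connection open for %s (threshold %s)",
		                 c$duration, duration_threshold),
		        $identifier=c$uid]);

		# One notice per connection is enough, so stop watching it.
		return -1sec;
		}

	return poll_interval;
	}

# new_connection fires for TCP, UDP and ICMP flows alike.
event new_connection(c: connection)
	{
	ConnPolling::watch(c, check_duration, 0, poll_interval);
	}
```

Polling stops on its own once the connection is removed from Bro's state table, so short flows cost only the checks made while they are alive.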