[Bro] Notice on duration

Vlad Grigorescu vladg at illinois.edu
Mon Mar 21 09:06:02 PDT 2016


Hi James,

James Lay <jlay at slave-tothe-box.net> writes:

> I've been tasked with seeing about getting an alert of some kind when a 
> session (tcp/udp/icmp) lasts longer than a certain time.  Is this 
> something well suited for bro...?

It should be. Check out ConnPolling:

https://www.bro.org/sphinx/scripts/base/protocols/conn/polling.bro.html

This is a little-known feature that hasn't seen much use, but I'd be
very interested if you get this working for your use-case. So far, it's
been used to look for large (or fast) connections, such as:

https://github.com/JustinAzoff/bro-react/blob/master/conn-bulk.bro

  --Vlad
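A minimal ConnPolling-based script for this use-case, added here as an illustration and not taken from the thread or from the bro-react repository. It relies on ConnPolling::watch and its polling callback from the polling.bro script linked above; the LongConn module name, the 1hr threshold and the 5min re-check interval are assumed values.

```bro
##! Raise a notice once a connection (tcp/udp/icmp) has been alive longer
##! than a threshold. Added example, not code from the original message.

@load base/frameworks/notice
@load base/protocols/conn

module LongConn;

export {
	redef enum Notice::Type += {
		## A connection has lasted longer than LongConn::threshold.
		Long_Connection,
	};

	## Duration after which a connection is reported (assumed value).
	const threshold = 1hr &redef;

	## How often to re-check a connection that is still open (assumed value).
	const poll_interval = 5min &redef;
}

function duration_callback(c: connection, cnt: count): interval
	{
	if ( c$duration >= threshold )
		{
		NOTICE([$note=Long_Connection,
		        $msg=fmt("connection open for %s", c$duration),
		        $conn=c,
		        $identifier=cat(c$uid)]);
		# Returning 0secs tells ConnPolling to stop watching this connection.
		return 0secs;
		}

	# Not long enough yet: ask ConnPolling to call us again later.
	return poll_interval;
	}

event new_connection(c: connection)
	{
	# First check fires after the threshold; ConnPolling refreshes the
	# connection record and skips connections that have already ended.
	ConnPolling::watch(c, duration_callback, 0, threshold);
	}
```

The $identifier field lets the notice framework's suppression avoid repeating the alert for the same connection if polling continues.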