[Bro] Notice on duration
jlay at slave-tothe-box.net
Mon Mar 21 11:12:34 PDT 2016
On 2016-03-21 10:06, Vlad Grigorescu wrote:
> Hi James,
> James Lay <jlay at slave-tothe-box.net> writes:
>> I've been tasked with seeing about getting an alert of some kind when
>> session (tcp/udp/icmp) lasts longer then a certain time. Is this
>> something well suited for bro...?
> It should be. Check out ConnPolling:
> This is a little-known feature that hasn't seen much use, but I'd be
> very interested if you get this working for your use-case. So far, it's
> been used to look for large (or fast) connections, such as:
Thanks Vlad...I'll give this a go.
More information about the Bro