[Bro] Fwd: Simultaneous Connections

Troy Ward pyrodie18 at gmail.com
Thu Oct 20 20:23:41 PDT 2016


I am trying to identify connections with the same source host and
destination host/port occuring at the same time.  My plan is to examine
each connection_established event.  I've created a table the pairs up those
3 items and when the event fires it looks to see if the pair exists.  If it
does, I want to tag a bol value that I have added to the conn record to
mark it as a duplicate.  When the connection closes, it takes information
about both connections and records them into a new log file.  I have
attached my code below.  My problem is that I get a "field value missing
[simultanious::c$conn] on line 75 (c$conn$duplicate = T).  If I move the
command to the connection_closed event it works fine but that is to late.

Ideas?

Thanks,

Troy


local.bro




# Add a field to the connection log record.
redef record Conn::Info += {
    ## Indicate if the originator of the connection is part of the
    ## "private" address space defined in RFC1918.
    duplicate: bool &default=F ;
};

type tmp : record
{
# Timestamp of the event
ts : time &log;
#source Port
orig_p : count &log;
#UID
uid : string &log;
};
# Add a field to the connection log record.
redef record Conn::Info += {
    ## Indicate if the originator of the connection is part of the
    ## "private" address space defined in RFC1918.
    tmp_duplicate: tmp &optional;
};

@load simultanious



simultanious.bro

module simultanious;
export
{
redef enum Log::ID += { LOG };
#Data structure for final record to record
type Info : record
{
# Timestamp of the event
ts : time &log;
# Source IP Host address
orig_h : addr &log;
# Destination IP Host address
resp_h : addr &log;
#Destination Port
resp_p : count &log;
#Protocol
proto : transport_proto &log;
#First Connection Timestamp
first_ts : time &log;
#First UID
first_uid : string &log;
#First originating port
first_orig_p : count &log &optional;
#Second Connection Timestamp
second_ts : time &log;
#Second UID
second_uid : string &log;
#Second Pack orig_p : string &log;
second_orig_p : count &log &optional;
};
type tmp : record
{
# Timestamp of the event
ts : time &log;
#source Port
orig_p : count &log;
#UID
uid : string &log;
};
#Table of hosts that are currently being tracked
#Order is source IP address with a sub table of destination IP and port
global current_connections : table [addr, addr, port] of tmp;

#And event that can be handled to access the :bro:type:
SimultaniousConnections::Info
##record as it is sent on to the logging framework
global log_duplicate_connections : event(rec: Info);
#List of subnets to monitor
global monitor_subnets : set[subnet] = { 192.168.1.0/24, 192.68.2.0/24,
172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20 };
#List of ports to monitor
global monitor_ports : set [port] = { 443/tcp, 80/tcp, 8080/tcp, 22/tcp};



}
event bro_init()
{
# Create the logging stream
Log::create_stream(LOG, [$columns=Info, $path="simultanious_conn"]);
}
event connection_established(c: connection)
{
#Check to see if there is already an entry for the connection string in the
table
if ([c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections)
{
#There is a duplicate record
#duplicate_host = T;
c$conn$duplicate = T;
c$conn$tmp_duplicate$ts = current_connections[c$id$orig_h, c$id$resp_h,
c$id$resp_p]$ts;
c$conn$tmp_duplicate$orig_p = current_connections[c$id$orig_h, c$id$resp_h,
c$id$resp_p]$orig_p;
c$conn$tmp_duplicate$uid = current_connections[c$id$orig_h, c$id$resp_h,
c$id$resp_p]$uid;
print fmt("dup  -  %s     %s      %s      %s", c$uid, c$id$orig_h,
c$id$resp_h, c$id$resp_p);
}
else
{
local temp_record : tmp = [$ts=c$start_time,
$orig_p=port_to_count(c$id$orig_p),
$uid=c$uid];
current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p]=temp_record;
print fmt("no dup  -  %s     %s      %s      %s", c$uid, c$id$orig_h,
c$id$resp_h, c$id$resp_p);
}
}
event connection_state_remove(c: connection)
{
    if (c$conn$duplicate && c$duration > 1min)
{


print fmt("end of record dup  %s     %s      %s      %s      %s", c$uid,
c$id$orig_h, c$id$resp_h, c$id$resp_p, c$conn$tmp_duplicate);
#Log::write (simultanious::LOG, temp_working_record);
}
else
   {
   print fmt("end of packet no dup  -  %s     %s      %s      %s", c$uid,
c$id$orig_h, c$id$resp_h, c$id$resp_p);
   }
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161020/bccd51b5/attachment-0001.html 


More information about the Bro mailing list