[Bro] Bro connections v. NetFlow

James Lay jlay at slave-tothe-box.net
Fri Sep 2 15:57:38 PDT 2016


On 2016-08-30 11:03, James Lay wrote:
> On 2016-08-30 10:53, Seth Hall wrote:
>>> On Aug 30, 2016, at 12:44 PM, Michał Purzyński 
>>> <michalpurzynski1 at gmail.com> wrote:
>>> 
>>> Have you tested it with loooots of connections? How hard it is on the 
>>> memory and CPU?
>> 
>> It hasn't been tested very extensively, but I wouldn't expect it to
>> have much trouble with either memory or CPU since it's just riding on
>> top of the existing connection state mechanism.
>> 
>>   .Seth
>> 
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> Imma test this out Seth thank you...I'll report findings here.
> 
> James

Yea this worked well:

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   conn_long
#open   2016-09-02-13-33-11
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       
id.resp_p       proto   service duration        orig_bytes      
resp_bytes      conn_state      local_orig      local_resp      
missed_bytes    history orig_pkts       orig_ip_bytes   resp_pkts       
resp_ip_bytes   tunnel_parents
#types  time    string  addr    port    addr    port    enum    string  
interval        count   count   string  bool    bool    count   string  
count   count  count    count   set[string]
1472843591.734071       CVFKX14EPP6mzgoKta      192.168.1.3     61648   
172.217.3.174   443     tcp     -       1193.913203     0       23239   
OTH     T      F0       had     0       0       565     52825   (empty)

I see this in the script\main.bro:

## The default duration that you are locally
## considering a connection to be "long".
const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs, 
3days) &redef;

I'd like to see an example of redefing this to a different time.  Also, 
a whitelist of IP's not to be included would be next.  I have a lot of 
use cases...truth be told I'm "kind of" doing something similar with 
grep/sed/awk and the current conn_log for tracking "unusual" long 
sessions.  For example, a netblock, say 172.16.1.0/24 is dedicated to 
VPN connections, which I expect to be longer as they are a constant 
session, so i'd want to ignore those in my conn_long file.  Thanks Seth!

James


More information about the Bro mailing list