[Bro] Bro connections v. NetFlow
jlay at slave-tothe-box.net
Fri Sep 2 15:57:38 PDT 2016
On 2016-08-30 11:03, James Lay wrote:
> On 2016-08-30 10:53, Seth Hall wrote:
>>> On Aug 30, 2016, at 12:44 PM, Michał Purzyński
>>> <michalpurzynski1 at gmail.com> wrote:
>>> Have you tested it with loooots of connections? How hard it is on the
>>> memory and CPU?
>> It hasn't been tested very extensively, but I wouldn't expect it to
>> have much trouble with either memory or CPU since it's just riding on
>> top of the existing connection state mechanism.
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
> Imma test this out Seth thank you...I'll report findings here.
Yea this worked well:
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1472843591.734071 CVFKX14EPP6mzgoKta 192.168.1.3 61648 184.108.40.206 443 tcp - 1193.913203 0 23239 OTH T F 0 had 0 0 565 52825 (empty)
I see this in the script\main.bro:
## The default duration that you are locally
## considering a connection to be "long".
const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs,
I'd like to see an example of redefining this to a different time. Also,
a whitelist of IPs not to be included would be next. I have a lot of
use cases...truth be told I'm "kind of" doing something similar with
grep/sed/awk and the current conn_log for tracking "unusual" long
sessions. For example, a netblock, say 172.16.1.0/24 is dedicated to
VPN connections, which I expect to be longer as they are a constant
session, so I'd want to ignore those in my conn_long file. Thanks Seth!
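
Added example (not part of the original message and not code from the script discussed in this thread): a Python sketch of the offline conn.log filtering described above, reporting connections at or over a duration threshold while ignoring an expected long-lived netblock. The function name, the 600-second default (matching the 10min entry shown above) and the sample log lines are constructed for illustration.

```python
import ipaddress

# Constructed sample conn.log lines (tab-separated Bro ASCII log, fields trimmed).
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "1472843591.734071\tCconstructed1\t192.168.1.3\t61648\t203.0.113.10\t443\ttcp\t-\t1193.913203",
    "1472843600.000000\tCconstructed2\t172.16.1.25\t50000\t198.51.100.7\t4500\tudp\t-\t86400.000000",
    "1472843610.000000\tCconstructed3\t192.168.1.4\t51000\t198.51.100.8\t80\ttcp\thttp\t12.500000",
    "1472843620.000000\tCconstructed4\t192.168.1.5\t52000\t198.51.100.9\t53\tudp\tdns\t-",
]

def long_connections(lines, min_duration=600.0, ignore_nets=("172.16.1.0/24",)):
    """Return (uid, orig_h, resp_h, duration) for connections lasting at least
    min_duration seconds, skipping any with an endpoint inside ignore_nets."""
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    fields, hits = None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]   # column names come from the log header
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split("\t")))
        if rec.get("duration", "-") == "-":
            continue                        # "-" means the field is unset
        ends = [ipaddress.ip_address(rec[k]) for k in ("id.orig_h", "id.resp_h")]
        if any(ip in net for ip in ends for net in nets):
            continue                        # expected long-lived traffic, e.g. VPN
        duration = float(rec["duration"])
        if duration >= min_duration:
            hits.append((rec["uid"], rec["id.orig_h"], rec["id.resp_h"], duration))
    return hits

if __name__ == "__main__":
    for hit in long_connections(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Reading the column names from the #fields header keeps the filter working when the log carries more or fewer columns than the sample.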