[Bro] Bro connections v. NetFlow
seth at icir.org
Tue Sep 6 07:31:18 PDT 2016
> On Sep 2, 2016, at 6:57 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs,
> 3days) &redef;
> I'd like to see an example of redefing this to a different time.
redef LongConnection::default_durations = LongConnection::Durations(30sec, 1min, 1hr, 10hrs, 1day);
> Also, a whitelist of IP's not to be included would be next. I have a lot of
> use cases...truth be told I'm "kind of" doing something similar with
> grep/sed/awk and the current conn_log for tracking "unusual" long
Except that you unfortunately aren't seeing connections "live" before the connection has completed.
> For example, a netblock, say 172.16.1.0/24 is dedicated to
> VPN connections, which I expect to be longer as they are a constant
> session, so i'd want to ignore those in my conn_long file.
Ah, interesting point. It sort of sounds like you're starting to use the log for detection with this change though. Are you sure you want to do that? Would it make more sense if we added some other behavior that actually detected something that you're interested in? Alternately you could use a logging filter that filters out connections involving the hosts on your VPN. Here's one you can start with....
const ignore_for_long_connections: set[subnet] &redef;
local filt = Log::get_filter(LongConnection::LOG, "default");
filt$pred = function(rec: Conn::Info): bool
return rec$id$orig_h !in ignore_for_long_connections &&
rec$id$resp_h !in ignore_for_long_connections;
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro