[Bro] Bro connections v. NetFlow

Seth Hall seth at icir.org
Tue Sep 6 07:31:18 PDT 2016

> On Sep 2, 2016, at 6:57 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs, 
> 3days) &redef;
> I'd like to see an example of redefing this to a different time.

redef LongConnection::default_durations = LongConnection::Durations(30sec, 1min, 1hr, 10hrs, 1day);

>  Also, a whitelist of IP's not to be included would be next.  I have a lot of 
> use cases...truth be told I'm "kind of" doing something similar with 
> grep/sed/awk and the current conn_log for tracking "unusual" long 
> sessions.

Except that you unfortunately aren't seeing connections "live" before the connection has completed.

>  For example, a netblock, say is dedicated to 
> VPN connections, which I expect to be longer as they are a constant 
> session, so i'd want to ignore those in my conn_long file.

Ah, interesting point.  It sort of sounds like you're starting to use the log for detection with this change though.  Are you sure you want to do that?  Would it make more sense if we added some other behavior that actually detected something that you're interested in?  Alternately you could use a logging filter that filters out connections involving the hosts on your VPN.  Here's one you can start with....

const ignore_for_long_connections: set[subnet] &redef;
event bro_init()
	local filt = Log::get_filter(LongConnection::LOG, "default");
	filt$pred = function(rec: Conn::Info): bool 
		return rec$id$orig_h !in ignore_for_long_connections && 
		       rec$id$resp_h !in ignore_for_long_connections; 
	Log::add_filter(LongConnection::LOG, filt);


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list