[Bro] Bro Traffic analysis flow shunting questions

Seth Hall seth at corelight.com
Tue Feb 20 13:58:03 PST 2018

On 20 Feb 2018, at 12:46, Drew Dixon wrote:

> - In addition to "ordinary" elephant flows, I'm also interested in shunting
> out large video streaming services (netflix, hulu, prime video, hbogo,
> vimeo, etc.) which do not have analysis value, first I'm wondering would
> any of this get picked up in the bulk transfer/flow detection already built
> into the existing conn-bulk.bro script detection?

You may just want to do some traffic filtering by address space if 
you're looking to cut out those sort of known high volume hosts.

> - Is the use of dumbno <https://github.com/ncsa/dumbno> with
> bro-react/conn-bulk.bro for detection and shunting of bulk
> transfers/elephant flows relevant still considering bro-netcontrol exists?

I wrote a script a while ago for detecting "bursty connections": 

This script has very low overhead on Bro and has been running at a few 
sites for a while and appears to be doing a good job of detecting and 
logging bursting connections.  You can run the script to get a 
conn_burst.log, the script doesn't change any traffic monitoring policy 
as it is now so it should be safe to load in any environment.  It should 
be installed through the Bro package manager too.

> Are these viewed as plugins/backends for bro-netcontrol?  I believe
> bro-netcontrol also has some shunting (built in?) is any of
> dumbno/conn-bulk.bro built into bro-netcontrol already, or is further
> configuration required to setup dumbno/conn-bulk.bro with net-control?

I wouldn't view these sort of scripts as plugins to netcontrol.  They 
are really scripts that *use* netcontrol.  Plugins to netcontrol are 
only to integrate with the network equipment for implementing whatever 
control change you want to take effect on the network.  We do need to 
add some more scripts to netcontrol for things like connection shunting. 
I think there is one for flow shunting right now, but not for 
connection shunting.

> Assuming nothing exists, would it be plausible to leverage the ssl.log
> domain name metadata to do the detection piece for this, then pulling out
> the IP/Port info to insert shunting ACL's via the packet broker API?

The better option might be to shunt connections after the 
"ssl_established" event has fired.  That way you get the benefit across 
all ssl/tls traffic.  I would still look more toward static packet 
filters if you want to cut out the majority of traffic to these sort of 
known high volume sites though.

I think we're still suffering from a bit of an adoption lag with 
netcontrol so there is a lack of people to provide first hand 
experiences right now.  This should be getting rectified soon as I have 
some small integration tasks to take care of with netcontrol which 
should clear up some of this.


Seth Hall * Corelight, Inc * www.corelight.com
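The approach Seth describes above (shunting a flow once "ssl_established" has fired, so the decision is made after the handshake metadata has been captured) can be expressed as a small NetControl script. The following is an added example written for this thread, not code from the original message, from Seth, or from the Bro distribution. The module name ShuntTLS, the constant shunt_duration and the set high_volume_names are assumptions for illustration; NetControl::create_debug, NetControl::activate, NetControl::shunt_flow, the ssl_established event and the c$ssl$server_name field are the Bro 2.5-era APIs. The debug plugin only logs the rules it would have installed, so the script can be loaded without changing any traffic monitoring policy until a real backend plugin is activated in its place.

```bro
@load base/frameworks/netcontrol
@load base/protocols/ssl

module ShuntTLS;

export {
    ## How long to stop forwarding packets for a shunted TLS flow.
    ## Assumed value for this example; tune to the site's flow lifetimes.
    const shunt_duration = 1hr &redef;

    ## Server names (from the TLS SNI) whose bulk payload has no analysis
    ## value. Constructed sample entries; an empty set means "shunt all TLS".
    const high_volume_names: set[string] = {
        "video.example-streaming.test",
        "cdn.example-streaming.test",
    } &redef;
}

event NetControl::init()
    {
    # The debug plugin writes netcontrol.log entries for every rule
    # instead of talking to a packet broker, so this is safe to load anywhere.
    # Replace with a real plugin (e.g. one that drives the broker API) later.
    local pl = NetControl::create_debug(T);
    NetControl::activate(pl, 0);
    }

function wants_shunt(c: connection): bool
    {
    # With no allow-list configured, shunt every established TLS session:
    # the handshake (and thus ssl.log / x509.log) has already been recorded.
    if ( |high_volume_names| == 0 )
        return T;

    # Otherwise only shunt sessions whose SNI names a known high volume service.
    if ( c?$ssl && c$ssl?$server_name )
        return c$ssl$server_name in high_volume_names;

    return F;
    }

event ssl_established(c: connection)
    {
    if ( ! wants_shunt(c) )
        return;

    # Shunt the flow in the direction of the original 5-tuple; NetControl
    # expands this to a flow rule and returns the rule id (unused here).
    local f: flow_id = [$src_h=c$id$orig_h, $src_p=c$id$orig_p,
                        $dst_h=c$id$resp_h, $dst_p=c$id$resp_p];
    NetControl::shunt_flow(f, shunt_duration);
    }
```

Shunting after ssl_established rather than on the first SYN is what preserves the ssl.log and x509.log records the thread asks about: the handshake is fully analyzed, only the encrypted application data that follows is dropped from the monitor's view. Watch netcontrol.log for the rules the debug plugin reports before swapping in a backend that actually programs the packet broker.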
