[Bro] Bro Traffic analysis flow shunting questions
seth at corelight.com
Tue Feb 20 13:58:03 PST 2018
On 20 Feb 2018, at 12:46, Drew Dixon wrote:
> - In addition to "ordinary" elephant flows, I'm also interested in
> out large video streaming services (netflix, hulu, prime video, hbogo,
> vimeo, etc.) which do not have analysis value, first I'm wondering if
> any of this gets picked up in the bulk transfer/flow detection already
> into the existing conn-bulk.bro script detection?
You may just want to do some traffic filtering by address space if
you're looking to cut out those sorts of known high volume hosts.
> - Is the use of dumbno <https://github.com/ncsa/dumbno> with
> bro-react/conn-bulk.bro for detection and shunting of bulk
> transfers/elephant flows relevant still considering bro-netcontrol
I wrote a script a while ago for detecting "bursty connections":
This script has very low overhead on Bro and has been running at a few
sites for a while and appears to be doing a good job of detecting and
logging bursting connections. You can run the script to get a
conn_burst.log; the script doesn't change any traffic monitoring policy
as it is now, so it should be safe to load in any environment. It should
be installed through the Bro package manager too.
> Are these viewed as plugins/backends for bro-netcontrol? I believe
> bro-netcontrol also has some shunting (built in?) is any of
> dumbno/conn-bulk.bro built into bro-netcontrol already, or is further
> configuration required to set up dumbno/conn-bulk.bro with net-control?
I wouldn't view these sort of scripts as plugins to netcontrol. They
are really scripts that *use* netcontrol. Plugins to netcontrol are
only to integrate with the network equipment for implementing whatever
control change you want to take effect on the network. We do need to
add some more scripts to netcontrol for things like connection shunting.
I think there is one for flow shunting right now, but not for
> Assuming nothing exists, would it be plausible to leverage the ssl.log
> domain name metadata to do the detection piece for this, then pulling
> out the info to insert shunting ACLs via the packet broker API?
The better option might be to shunt connections after the
"ssl_established" event has fired. That way you get the benefit across
all ssl/tls traffic. I would still look more toward static packet
filters if you want to cut out the majority of traffic to these sorts of
known high volume sites though.
I think we're still suffering from a bit of an adoption lag with
netcontrol so there is a lack of people to provide first hand
experiences right now. This should be getting rectified soon as I have
some small integration tasks to take care of with netcontrol, which
should clear up some of this.
Seth Hall * Corelight, Inc * www.corelight.com
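The two approaches Seth suggests, written out as an added example (not code from the thread or from the Bro project): a static packet-filter exclusion for known high-volume address space, and a NetControl shunt installed once `ssl_established` has fired. The subnet is a placeholder, the rule timeout is an assumed value, and the NetControl debug plugin is used so that rules are only printed rather than pushed to real equipment.

```bro
# Added example, not from the original post. Assumes Bro 2.5+ with the
# NetControl framework available.
@load base/frameworks/netcontrol

module ShuntExample;

# Placeholder address space (TEST-NET-3) standing in for a streaming service
# you already know carries no analysis value. The restrict filter is ANDed
# into the BPF filter, so this traffic never reaches Bro's analyzers at all.
redef restrict_filters += { ["bulk-video"] = "not net 203.0.113.0/24" };

# Assumed value: how long a shunt rule stays installed on the backend.
const shunt_timeout: interval = 30 mins &redef;

# Activate the debug plugin so rules are logged rather than sent to a
# packet broker. Swap in a real backend plugin for production use.
event NetControl::init()
	{
	local p = NetControl::create_debug(T);
	NetControl::activate(p, 0);
	}

# By the time ssl_established fires, ssl.log already has the SNI and
# certificate metadata; the encrypted payload that follows adds nothing,
# so the flow can be shunted regardless of which site it is going to.
event ssl_established(c: connection)
	{
	local id = c$id;
	NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p,
	                        $dst_h=id$resp_h, $dst_p=id$resp_p],
	                       shunt_timeout);
	}

# Confirmation that the backend accepted the rule, useful when first
# wiring up a plugin.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	print fmt("shunt rule %s installed: %s", r$id, msg);
	}
```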