[Bro-Dev] Per connection byte and packet counting

Seth Hall seth at icir.org
Wed Dec 8 12:56:12 PST 2010


On Dec 8, 2010, at 3:46 PM, Seth Hall wrote:

> That should be accessible from the core (since size and state are currently being filled in from the core) and it makes it available at arbitrary times since it's in the connection record.

Oh, and it would be awesome if it was possible to use these values in "when" statements.  Currently, these endpoint record values can't be used in when statements, but it would make for really simple code in some cases.  For example, in my ssh-ext script I have to set timers to regularly check back into connections to see if a byte threshold has been crossed like this:

event ssh_watcher(c: connection)
	{
	local id = c$id;
	# don't go any further if this connection is gone already!
	if ( !connection_exists(id) )
		{
		delete active_ssh_conns[id];
		return;
		}

	# run the code to check the size of the connection
	event check_ssh_connection(c, F);
	# keep polling every 15 seconds as long as the session is still tracked
	if ( c$id in active_ssh_conns )
		schedule +15secs { ssh_watcher(c) };
	}

event protocol_confirmation(c: connection, atype: count, aid: count)
	{
	if ( atype == ANALYZER_SSH )
		{
		# start tracking this session and kick off the periodic watcher
		local tmp: ssh_ext_session_info;
		active_ssh_conns[c$id] = tmp;
		schedule +15secs { ssh_watcher(c) };
		}
	}



It would be much easier to do...

event protocol_confirmation(c: connection, atype: count, aid: count)
	{
	if ( atype == ANALYZER_SSH )
		{
		when ( c$resp$counted_size > 5120 )
			{
			# This is a heuristically derived "successful" SSH connection.
			}
		}
	}


Of course, I don't know why this doesn't currently work or if it's something that could even be reasonably implemented but it would be *really* nice. :)  If it did work, it would be one less "gotcha" in the scripting language.

  .Seth




