[Bro-Dev] Per connection byte and packet counting

Gregor Maier gregor at icir.org
Wed Dec 8 14:34:01 PST 2010


On 12/8/10 12:56, Seth Hall wrote:
> 
> On Dec 8, 2010, at 3:46 PM, Seth Hall wrote:
> 
>> That should be accessible from the core (since size and state are currently being filled in from the core) and it makes it available at arbitrary times since it's in the connection record.
> 
> Oh, and it would be awesome if it was possible to use these values in "when" statements.  Currently, these endpoint record values can't be used in when statements, but it would make for really simple code in some cases.  For example, in my ssh-ext script I have to set timers to regularly check back into connections to see if a byte threshold has been crossed like this:
> 
> [...]
>

Hmm. Actually this currently only works for connection records due to
the way the connection record is allocated in the event engine. Each
connection instance (C++ class instance) has a conn_val Val* that gets
allocated once and is then updated and passed to each event. If you save
this record in the policy layer, it will get updated "in the background"
by the event engine. However, it will only be updated if the event
engine calls BuildConnVal(), which is in general only done if an event
for this connection is generated. So, if the protocol_confirmation()
event is the only event for this connection that's generated, then the
connection value would not be updated.

Note that somebody could also generate a connection event and just pass
a newly allocated connection record to it. In this case, the above
approach would also break (e.g., if you use this connection record
further down the line, it would never change its values).

> It would be much easier to do...
> [...]

> 
> Of course, I don't know why this doesn't currently work or if it's something that could even be reasonably implemented but it would be *really* nice. :)  If it did work, it would be one less "gotcha" in the scripting language.
> 

(partially guessing, since I haven't dug too deep into how "when"
statements work).

I think the problem is that the connection record (and thus the conn_id)
is only valid in the scope of the function. The when statement clones
the local stack frame. So for everything that's in the local scope, you
only get a static copy. I think this would work, if you keep a global
table with "conn_ids_to_watch", add the conn_id to this table and then
use the table for the "when" statement. Maybe this code works:

global conns_to_watch: table[conn_id] of connection;

event protocol_confirmation(c: connection, atype: count, aid: count)
	{
	if ( atype == ANALYZER_SSH )
		{
		# Keep the record in a global table so the when condition reads the
		# live record from the table, not the static copy in the cloned frame.
		conns_to_watch[c$id] = c;
		when ( conns_to_watch[c$id]$resp$counted_size > 5120 )
			{
			# ....
			}
		}
	}

You probably don't need to save the full connection record in the table.
I'm not sure what happens when the connection gets removed before the
when triggers.....


cu
Gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
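The following is an added example, not code from Gregor's message and not part of Bro itself. It spells out the global-table workaround sketched above together with the two loose ends the message leaves open: what happens if the connection is torn down before the when condition fires, and not keeping the whole connection record in the local frame. It assumes the table trick works as speculated (the when condition re-evaluates when the core updates the record stored in the global table), and it uses the per-endpoint field counted_size proposed in this thread, which is not a field of Bro's endpoint record at the time of this message. The threshold constant, the table name, the print message and the 10 minute timeout are all made up for the example.

```bro
# Added example (not Gregor's code, not Bro's own code).
# Assumes the proposed endpoint field 'counted_size' from this thread.

global conns_to_watch: table[conn_id] of connection;

# Hypothetical threshold; 5120 bytes mirrors the sketch in the message.
const ssh_byte_threshold = 5120 &redef;

event protocol_confirmation(c: connection, atype: count, aid: count)
	{
	if ( atype != ANALYZER_SSH )
		return;

	# Only the id is needed to find the live record later. The local frame
	# is cloned when the when statement is scheduled, so 'id' stays a
	# static copy, but the record we read through the table does not.
	local id = c$id;
	conns_to_watch[id] = c;

	# Guard the lookup so the condition never indexes an entry that
	# connection_state_remove (below) may already have deleted.
	when ( id in conns_to_watch &&
	       conns_to_watch[id]$resp$counted_size > ssh_byte_threshold )
		{
		print fmt("%s -> %s: SSH responder sent more than %d bytes",
		          id$orig_h, id$resp_h, ssh_byte_threshold);
		delete conns_to_watch[id];
		}
	timeout 10 min
		{
		# Hypothetical bound: the connection went away or never crossed
		# the threshold, so stop watching it and free the table slot.
		if ( id in conns_to_watch )
			delete conns_to_watch[id];
		}
	}

event connection_state_remove(c: connection)
	{
	# The core is tearing the connection down; drop our entry so the
	# table does not keep a record for a connection that no longer exists.
	if ( c$id in conns_to_watch )
		delete conns_to_watch[c$id];
	}
```

The timeout clause is what keeps the table from growing without bound if the when condition never becomes true for a long-lived connection, and the connection_state_remove handler covers the case Gregor was unsure about: once the core removes the connection, the entry goes away and the guarded condition simply evaluates to false until the timeout fires.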

