[Bro-Dev] #724: Changing semantics of ConnSizeAnalyzer

Bro Tracker bro at tracker.bro-ids.org
Wed Dec 14 12:58:47 PST 2011

#724: Changing semantics of ConnSizeAnalyzer
 Reporter:  seth     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  High     |  Milestone:  Bro2.0
Component:  Bro      |    Version:
 Keywords:           |
 I think we should change what the conn size analyzer is measuring.  It
 currently measures the size of the connection from the IP header down (or
 up, depending on how you look at it).  From my perspective that data is
 rarely (if ever?) useful.  What is more useful is a counted value for the
 connection size.  c$(orig|resp)$size takes it's measurement from sequence
 counting and can get confused in some cases (chinese firewall sending RST
 packets for instance).

 This is the patch I'm proposing:

 diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
 index 859a69f..21a9b60 100644
 --- a/scripts/base/init-bare.bro
 +++ b/scripts/base/init-bare.bro
 @@ -66,10 +66,10 @@ type endpoint: record {

         ## Number of packets on the wire
         ## Set if :bro:id:`use_conn_size_analyzer` is true.
 -       num_pkts: count &optional;
 -       ## Number of IP-level bytes on the wire
 +       counted_pkts: count &optional;
 +       ## Number of content bytes on the wire
         ## Set if :bro:id:`use_conn_size_analyzer` is true.
 -       num_bytes_ip: count &optional;
 +       counted_bytes: count &optional;

  type endpoint_stats: record {
 diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc
 index a1b892f..5d0efcd 100644
 --- a/src/ConnSizeAnalyzer.cc
 +++ b/src/ConnSizeAnalyzer.cc
 @@ -39,12 +39,12 @@ void ConnSize_Analyzer::DeliverPacket(int len, const
 u_char* data, bool is_orig,

         if ( is_orig )
 -               orig_bytes += ip->TotalLen();
 +               orig_bytes += len;
                 orig_pkts ++;
 -               resp_bytes += ip->TotalLen();
 +               resp_bytes += len;
                 resp_pkts ++;

 If no one has a problem with this, I'd like to make the change for the 2.0
 release because I'm having trouble currently with counting bytes for the
 SSH analyzer and we're getting more false positives than we should be

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/724>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list