[Bro-Dev] metrics framework

Matthias Vallentin vallentin at icir.org
Mon May 9 09:14:06 PDT 2011


> I'd appreciate if you guys took a look at the metrics framework and
> let me know what you think about it.  

I'd love to do so, yet my cycles only allow for brief inline feedback.

> Currently, in the metrics framework a metric is just a key or keys
> that is connected to a number which is collected over some interval
> before being written to disk and reset.  

If it is really just a sequence of numbers, why not call it a time
series? The word metric (in networking) implies some sort of property of
a path, and more generally, some sort of performance measure. This would
also make more sense in the statistical context, where time series
analysis is a well-defined field of its own. I prefer this term not only
because I have taken a statistics course, but mainly because it is more
neutral, maybe even more general, since it only describes the format of
the data.

> The way this will work (I think) is that the manager will handle the
> break interval (the time between metrics collection/logging and reset)
> and it will send a metrics collection event to the workers which will
> send their metrics data to the manager where the data from each worker
> will be added together and logged.  This would essentially act as a
> lazy synchronization technique.

To preserve the temporal ordering, timestamps need to be part of the
synchronization game. It looks like a mergeable table indexed by
timestamp will do the trick.

> - Missing statistical support.  I want to be able to define when
> notices should happen based on rate of change of a metric (per the
> break interval) increasing much faster than you think it should (SSH
> failed logins).  There's probably a lot of other stuff in this area I
> haven't thought of.

There's a whole subfield of statistics waiting for you. The natural
question is how much of this should be in Bro versus offline log munging.
Clearly you're talking Bro. It seems what you would like to have is a
variance analysis on a detrended series (i.e., on the first-order
differences between two data points). Other analyses would be to check
for seasonal components.

> - I need to write a command line tool to convert the log into
> something that Graphviz can understand because I'd like to be able to
> generate time-series graphs from these metrics really easily.

Why not use R? It has brilliant time series support! (There also exist
scripting language bindings if you really want a separate tool. I
tested the Ruby bindings once and they work well.)

> 2. HTTPS requests per host header (using a new SSL analyzer that
> provides the information from the SSL establishment), this is an
> example of a non-IP address based metric too.

Along those lines, one could (mis)use this new framework to count the
number of unique certificates per host as a crude way to identify TLS
MITM attacks.

    Matthias
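As an added illustration of the detrended-series analysis suggested in the reply above (example code, not from the thread or from Bro): a constructed series of SSH failed-login counts, one per break interval, is differenced once, and an interval is flagged when its first-order difference lies more than k standard deviations above the mean of the earlier differences. The series, the threshold k and the warm-up length are assumptions for the example.

```python
"""Rate-of-change notice on a per-interval metric (added example, not Bro code).

The series is the kind of thing the proposed framework would log: one
count per break interval, reset after each write. We detrend by taking
first-order differences and flag an interval whose difference is far
above what the earlier differences suggest.
"""
from statistics import mean, pstdev

# Constructed sample: SSH failed-login counts per 60 s break interval.
# Background is noisy around 10-14 per interval; interval 8 is a burst.
SSH_FAILED_LOGINS = [10, 12, 11, 13, 12, 14, 11, 12, 95, 90, 13, 12]


def first_differences(series):
    """Detrend a counter series: x[i] - x[i-1] for i >= 1."""
    return [b - a for a, b in zip(series, series[1:])]


def rate_change_notices(series, k=3.0, warmup=4):
    """Return indices of intervals whose first-order difference exceeds
    mean + k * stddev of all earlier differences.

    `warmup` differences are needed before any decision so the baseline
    is not a single point. Only positive excursions are reported, since
    the question is about a metric growing faster than expected.
    """
    diffs = first_differences(series)
    notices = []
    for i in range(warmup, len(diffs)):
        baseline = diffs[:i]
        mu, sigma = mean(baseline), pstdev(baseline)
        # Floor sigma so a perfectly flat baseline does not fire on +1.
        sigma = max(sigma, 1.0)
        if diffs[i] > mu + k * sigma:
            notices.append(i + 1)  # diffs[i] compares series[i+1] to series[i]
    return notices


if __name__ == "__main__":
    print("first differences:", first_differences(SSH_FAILED_LOGINS))
    print("notice at intervals:", rate_change_notices(SSH_FAILED_LOGINS))
```

Because the burst itself enters the baseline once seen, a robust location/scale (median and MAD) would keep later bursts from being masked; a steady linear ramp produces constant differences and, as intended for a detrended series, no notice.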