[Bro-Dev] [JIRA] (BIT-724) Changing semantics of ConnSizeAnalyzer

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Sun Feb 9 21:10:37 PST 2014


     [ https://bro-tracker.atlassian.net/browse/BIT-724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-724:
--------------------------

    Resolution: Rejected
        Status: Closed  (was: Open)

There was some contention over this and we've left it for a few releases so I think it's stuck at this point. :)

> Changing semantics of ConnSizeAnalyzer
> --------------------------------------
>
>                 Key: BIT-724
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-724
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Seth Hall
>            Priority: High
>
> I think we should change what the conn size analyzer is measuring.  It currently measures the size of the connection from the IP header down (or up, depending on how you look at it).  From my perspective that data is rarely (if ever?) useful.  What is more useful is a counted value for the connection size.  c$(orig|resp)$size takes its measurement from sequence counting and can get confused in some cases (Chinese firewall sending RST packets for instance).
> This is the patch I'm proposing:
> {noformat}
> diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
> index 859a69f..21a9b60 100644
> --- a/scripts/base/init-bare.bro
> +++ b/scripts/base/init-bare.bro
> @@ -66,10 +66,10 @@ type endpoint: record {
>  
>         ## Number of packets on the wire
>         ## Set if :bro:id:`use_conn_size_analyzer` is true.
> -       num_pkts: count &optional;      
> -       ## Number of IP-level bytes on the wire
> +       counted_pkts: count &optional;
> +       ## Number of content bytes on the wire
>         ## Set if :bro:id:`use_conn_size_analyzer` is true.
> -       num_bytes_ip: count &optional;  
> +       counted_bytes: count &optional;
>  };
>  
>  type endpoint_stats: record {
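Review bot: renaming the record fields `num_pkts` -> `counted_pkts` and `num_bytes_ip` -> `counted_bytes` in `type endpoint` breaks every script that reads `c$orig$num_bytes_ip` or `c$resp$num_pkts`, and the hunk does not show a deprecation path. Consider keeping the old field names for a release (or adding a note in the changelog) before dropping them. The new comment "Number of content bytes on the wire" is also ambiguous: the value is now whatever the parent analyzer hands to `DeliverPacket()` in `len`, so the comment should state that it counts delivered payload bytes, excludes IP/transport headers, and is not expected to match the sequence-derived `size` field; the unchanged "Number of packets on the wire" comment above `counted_pkts` should say the same about packets being counted per delivery.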
> diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc
> index a1b892f..5d0efcd 100644
> --- a/src/ConnSizeAnalyzer.cc
> +++ b/src/ConnSizeAnalyzer.cc
> @@ -39,12 +39,12 @@ void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
>  
>         if ( is_orig )
>                 {
> -               orig_bytes += ip->TotalLen();
> +               orig_bytes += len;
>                 orig_pkts ++;
>                 }
>         else
>                 {
> -               resp_bytes += ip->TotalLen();
> +               resp_bytes += len;
>                 resp_pkts ++;
>                 }
>         }
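Review bot: switching from `ip->TotalLen()` to `len` changes not only what is measured but when it is counted: every call to `DeliverPacket()` adds `len`, so retransmitted segments are counted again, while the `size` field derived from sequence numbers is not. That difference is the whole point of the change, but it should be spelled out in the field documentation so that the two counters are not compared as if they measured the same thing. Also check whether `ip` is still used anywhere else in `ConnSize_Analyzer::DeliverPacket()`; if these two lines were its only consumers, the parameter is now unused in this function and the accessor include can probably go.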
> {noformat}
> If no one has a problem with this, I'd like to make the change for the 2.0 release because I'm having trouble currently with counting bytes for the SSH analyzer and we're getting more false positives than we should be seeing.



--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)