[Bro] problems with &*_expire attributes

Christoph Goeldi goeldich at ee.ethz.ch
Fri Dec 24 04:25:10 PST 2004


hi

i'm fighting with some problems:
i encountered problems with the &*_expire attributes of table entries.
it seems that they have no influence, nothing happens at all.

i wrote the policy script below (don't ask for the purpose of this 
script, i just wrote it to learn bro) and i thought it should alarm more 
than once if a host contacts unreachable hosts after a while. well, it 
does it only once, and the function test is never called:
 > 1103883009.796358 TRWAddressScan x.x.x.x scanned a total of 4 hosts
 > 1103883009.796358 x.x.x.x connected 10 unreachable hosts
 > 1103883010.358487 AddressScan x.x.x.x has scanned 100 hosts (ftp-data)
 > 1103883010.358487 x.x.x.x connected 100 unreachable hosts
 > 1103883013.343568 x.x.x.x connected 1000 unreachable hosts
 > 1103883013.343568 AddressScan x.x.x.x has scanned 1000 hosts (ftp-data)
 > 1103883036.284724 TRWScanSummary x.x.x.x scanned a total of 4 hosts

btw: count_failed_attempts is called by the event connection_attempt in
conn.bro.
 > @load notice
 > @load conn
 > @load hot
 >
 > redef table_expire_interval = 1 min;
 > redef table_expire_size = 200;
 > redef table_expire_delay = 0.01 secs;
 >
 > global test: function(t: table[addr] of count, idx: any): interval;
 >
 > global failed_connection_counter: table[addr] of count &read_expire=30sec
 > &write_expire=30sec &create_expire=30sec &expire_func=test;
 >
 >
 > function count_failed_attempts(c: connection)
 >          {
 >          local host = c$id$orig_h;
 >          if(host !in failed_connection_counter)
 >                  failed_connection_counter[host]=1;
 >          else
 >                  ++failed_connection_counter[host];
 >
 >          local n = failed_connection_counter[host];
 >
 >          if(n == 10)
 >                 alarm fmt("%s connected 10 unreachable hosts", host);
 >          if(n == 100)
 >                 alarm fmt("%s connected 100 unreachable hosts", host);
 >          if(n == 1000)
 >                 alarm fmt("%s connected 1000 unreachable hosts", host);
 >          }
 >
 > function test(t: table[addr] of count, idx: any): interval
 > {
 >          alarm "test";
 >          return 0 secs;
 > }


thanx
christoph
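For comparison, the same per-host counter written for current Zeek (the successor of Bro). This is an added example, not the poster's script or a reply from the list; it assumes modern Zeek syntax, in particular an &expire_func whose second parameter has the table's concrete index type (addr) rather than any, and a single &create_expire attribute instead of all three, and it may not match the 2004 Bro release the poster used.

```zeek
# Added example (not the poster's script): count failed connection attempts
# per originating host; each entry expires 30 seconds after it was created.
@load base/frameworks/notice

module FailedConns;

export {
    redef enum Notice::Type += {
        ## Raised when one host has reached 10, 100 or 1000 failed attempts.
        Unreachable_Burst
    };
}

# Zeek calls this when an entry is about to expire. Returning 0 secs lets the
# entry be removed; returning a positive interval keeps it alive that much
# longer. The print makes the expiry visible in stdout for testing.
function expire_counter(t: table[addr] of count, idx: addr): interval
    {
    print fmt("expiring counter for %s (%d failed attempts)", idx, t[idx]);
    return 0 secs;
    }

# &default=0 lets ++ work on an index that is not in the table yet.
global failed_connection_counter: table[addr] of count
    &create_expire=30 secs &expire_func=expire_counter &default=0;

# connection_attempt fires for TCP connection attempts that got no reply,
# the same event the poster's count_failed_attempts was hooked to.
event connection_attempt(c: connection)
    {
    local host = c$id$orig_h;
    ++failed_connection_counter[host];
    local n = failed_connection_counter[host];

    if ( n == 10 || n == 100 || n == 1000 )
        NOTICE([$note=Unreachable_Burst,
                $msg=fmt("%s attempted %d unreachable connections", host, n),
                $src=host,
                $identifier=cat(host, n)]);
    }
```

Zeek only checks tables for expired entries every table_expire_interval, so an expiry becomes visible some seconds after the 30 second mark, not exactly on it.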
