[Bro] TCP idle timer expiry

scott campbell scampbell at lbl.gov
Fri Dec 1 11:11:51 PST 2006



Jaya Dhanesh wrote:
> 
> Hi,
> 
> If the tcp connection is idle for some time, the connection_state_remove
> event handler is getting called.
> So the subsequent packets in the same connection don't get logged.
> 
> How can I increase the tcp idle time out? The increase in the timer is also
> not the best solution.

You can reconfigure several timer values such as:

redef tcp_SYN_timeout = X secs;
redef tcp_attempt_delay = X secs;

redef tcp_inactivity_timeout = X mins;
redef udp_inactivity_timeout = X secs;
redef icmp_inactivity_timeout = X secs;


which might help out some.  See heavy-analysis.bro for a better list.


> Is there a way where the packets get logged even after BRO removes the
> connection from the table?
> 

You will get a *new* connection for post-timed out data if the pcap
expression allows for ACK flagged packets to be seen (such as 80/tcp
with the http analyzer loaded).  If not, then the FIN/RST ought to be
picked up as an additional connection.

If your configuration is not seeing much in the way of traffic, then it
is possible to turn the timeout values quite high.  They have been tuned
to their current values to prevent state explosion for busy sites.

scott

> Thanks,
> Dhanesh.
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

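The two points in Scott's reply (the redef'able inactivity timers, and the cost of raising them globally on a busy site) as a worked policy script. This is an added example, not code from the original message or from the Bro distribution; the 8443/tcp service port, the 30 min per-connection value and the log format are assumptions. It raises the idle timer only for connections to a chosen service via set_inactivity_timeout() instead of redef'ing tcp_inactivity_timeout for everything, and records each connection's state in connection_state_remove so that nothing is lost when Bro expires it.

```bro
# Added example, not from the original message.  Assumes a Bro with the
# redef'able timers named in the reply and the built-in
# set_inactivity_timeout(cid: conn_id, t: interval).

# Global defaults, kept short so busy sites do not accumulate state.
redef tcp_inactivity_timeout = 5 min;
redef udp_inactivity_timeout = 1 min;
redef icmp_inactivity_timeout = 1 min;

# Assumption: only sessions to this service are long-lived and idle.
const long_lived_ports: set[port] = { 8443/tcp } &redef;

# Give just those connections a longer idle timer, per connection,
# instead of raising the global value for all traffic.
event new_connection(c: connection)
	{
	if ( c$id$resp_p in long_lived_ports )
		set_inactivity_timeout(c$id, 30 min);
	}

# Record what Bro knew about the connection at the moment it expires it.
# Any later packets on the same 4-tuple show up as a new connection, as
# the reply describes, so this line plus the later record together cover
# the whole session.
event connection_state_remove(c: connection)
	{
	print fmt("%s %s:%s -> %s:%s duration=%s orig_bytes=%d resp_bytes=%d",
	          network_time(), c$id$orig_h, c$id$orig_p,
	          c$id$resp_h, c$id$resp_p, c$duration,
	          c$orig$size, c$resp$size);
	}
```

Load it alongside the usual analysis policies; the per-connection call only affects connections whose responder port is in long_lived_ports, so the global redefs still bound state for everything else.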


