[Bro] processing many files with bro

Veronica Estrada estrada.veronica at gmail.com
Wed Mar 10 09:15:29 PST 2010 

Thanks everyone for the answers,

My original question was connected with a second problem. I am trying
to  associate
a summary of wrong fragments to the corresponding line in the connection
summary.

To avoid the same connection becoming split and analyzed in different bro
runs, I will go for second option as you suggested me. After that, I will
have the majority of connections summarize in the same conn.bro file. But
after solving this, I am still confused about how to associate the wrong
fragment count with its corresponding connection logged in conn.bro

To my understand, wrong fragments are generated in the flow_weird event and
they don´t have associated a c$id, only src and dst address.

My questions:
1. How can I check the connection that generated that wrong fragment event?
2. Should I assign the fragment  to the last connection registered in the
conn.bro who has connection initiation time before the fragment I want to
count?  I don´t think this is enough. For instance, if two different
connections between A-B are active I cannot distinguish them.

Besides, I read about active and pasive timeouts on connections (Flow-based
TCP Connection Analysis by Limmer and Dressler).
I don´t understand how this topic is treated in BRO. Since I can only find
only one type of timeout (tcp_inactivity_timeout). Is this timeout the
active timeout? I think probably there are others timeout such as handshake
timeouts that I am missing.

Maybe I am getting into the details of bro design, I want to understand what
I am doing, and what I shouldn´t do to get the wrong fragment count inside
the conn.bro file.

Sorry, maybe I should open another thread with this e-mail. I was not sure
how to deal with it.

Veronica Estrada
Nakao Laboratory
The University of Tokyo


On Thu, Mar 11, 2010 at 1:30 AM, Robin Sommer <robin at icir.org> wrote:

>
> On Wed, Mar 10, 2010 at 23:46 +0900, Veronica Estrada wrote:
>
> > The other solution. I know that split pcap files can be merged in one
> bigger
> > file, but I will have problems with memory, and bro may crash if it has a
> > limitation for processing big size pcap file.
>
> That's probably the best solution and you can do it on the fly: have
> your merge tool (e.g., tcpslice) write to stdout and Bro read from
> stdin with "-r -". The effect on memory will indeed be that of one
> large pcap file but if that causes trouble, you should to tweak the
> Bro configuration.
>
> Using &persistent is unlikely to do what you want as it stores only
> script-level state, not internal state for connections that cross
> file boundaries.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100311/caedd029/attachment.html

More information about the Bro mailing list