[Bro] connection_status_update for inactive flows
Siwek, Jonathan Luke
jsiwek at illinois.edu
Mon Feb 4 12:32:16 PST 2013
> You could implement your script like this…
>
> module MyModule;
>
> export {
>     ## The period of delay for all established connections
>     ## before rechecking them for whatever I'm checking them for.
>     const checkup_interval = 5sec;
> }
>
> event MyModule::regular_check(c: connection)
>     {
>     # Do your check you would have previously done in connection_status_update
>     print c$uid;
>
>     # Reschedule this event.
>     schedule checkup_interval { MyModule::regular_check(c) };
>     }
>
> event connection_established(c: connection)
>     {
>     # Schedule the event that does the check.
>     schedule checkup_interval { MyModule::regular_check(c) };
>     }
There's also a general form of connection polling provided by ConnPolling::watch() in scripts/base/protocols/conn/polling.bro, which allows the "checkup" interval to vary between connections and/or over time.
scripts/base/protocols/ftp/gridftp.bro has an example usage.
Jon
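
A sketch of the ConnPolling::watch() approach mentioned in the message above, added here as an illustration; it is not code from the thread or from the Bro distribution. The module name PollExample, the constants and the back-off policy are assumptions; the callback returns the delay until its next invocation, and a negative interval stops polling.

```bro
# Added example: module name, constants and back-off policy are assumptions.
@load base/protocols/conn

module PollExample;

export {
	## Delay before the first checkup of an established connection.
	const initial_interval = 5sec &redef;
	## Upper bound for the backed-off checkup delay.
	const max_interval = 1min &redef;
	## Stop polling a connection after this many checkups.
	const max_checks = 20 &redef;
}

# Callback invoked by ConnPolling::watch(). "cnt" is the number of
# previous invocations for this connection.
function checkup(c: connection, cnt: count): interval
	{
	# The check that would otherwise live in connection_status_update.
	print fmt("%s check #%d orig_bytes=%d resp_bytes=%d",
	          c$uid, cnt, c$orig$size, c$resp$size);

	# A negative interval tells ConnPolling to stop watching.
	if ( cnt >= max_checks )
		return -1sec;

	# Back off: long-lived connections are checked less often.
	local next = initial_interval * (cnt + 1);
	return next > max_interval ? max_interval : next;
	}

event connection_established(c: connection)
	{
	# Start polling with a counter of 0 and the initial delay.
	ConnPolling::watch(c, checkup, 0, initial_interval);
	}
```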