[Bro] Notice on duration
James Lay
jlay at slave-tothe-box.net
Mon Mar 21 11:12:34 PDT 2016
On 2016-03-21 10:06, Vlad Grigorescu wrote:
> Hi James,
>
> James Lay <jlay at slave-tothe-box.net> writes:
>
>> I've been tasked with seeing about getting an alert of some kind when
>> a session (tcp/udp/icmp) lasts longer than a certain time. Is this
>> something well suited for bro...?
>
> It should be. Check out ConnPolling:
>
> https://www.bro.org/sphinx/scripts/base/protocols/conn/polling.bro.html
>
> This is a little-known feature that hasn't seen much use, but I'd be
> very interested if you get this working for your use-case. So far, it's
> been used to look for large (or fast) connections, such as:
>
> https://github.com/JustinAzoff/bro-react/blob/master/conn-bulk.bro
>
> --Vlad
Thanks Vlad...I'll give this a go.
James
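
The approach suggested in this thread, sketched as an added example that is not part of the original messages or of the Bro distribution: it uses `ConnPolling::watch` from the linked polling.bro script to re-check each connection periodically and raise a notice once it has been open longer than a threshold. The module name `LongConn`, the notice type, and the two tunables are hypothetical names chosen for illustration.

```bro
@load base/frameworks/notice
@load base/protocols/conn/polling

module LongConn;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type: a connection exceeded max_duration.
		Long_Connection,
	};

	## Assumed threshold; set to whatever "too long" means locally.
	const max_duration = 1hr &redef;

	## How often each tracked connection is re-checked.
	const poll_interval = 1min &redef;
}

# Polling callback. The interval it returns is the delay until the next
# check; a negative interval tells ConnPolling to stop watching.
function check_duration(c: connection, cnt: count): interval
	{
	if ( c$duration >= max_duration )
		{
		NOTICE([$note=Long_Connection,
		        $conn=c,
		        $msg=fmt("Connection open for %s (threshold %s)",
		                 c$duration, max_duration),
		        $identifier=c$uid]);
		# One notice per connection, then stop polling it.
		return -1sec;
		}

	return poll_interval;
	}

# new_connection fires for TCP, UDP and ICMP flows alike, which covers
# the three session types asked about.
event new_connection(c: connection)
	{
	ConnPolling::watch(c, check_duration, 0, poll_interval);
	}
```

Polling every connection adds per-flow timer overhead, so on a busy link the `new_connection` handler may need a filter (for example by subnet or port) before calling `ConnPolling::watch`.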