[Bro] Is this type of script possible to create?

Johanna Amann johanna at icir.org
Mon Nov 28 15:02:54 PST 2016


Hi,

this is actually a bit difficult - there is a function that you can call
regularly to get you information about the number of packets/bytes that
Bro received (get_net_stats); if you call this every second or so, you can
determine traffic rates. However, it does not split things out by
incoming/outgoing connections.

Apart from that the only other idea I have is to use the packet-level
events and count things manually - however, this will have quite a
performance impact.

I might be missing an obvious solution I am not thinking about here
though.

Johanna

On Fri, Nov 18, 2016 at 10:35:09PM -0700, Manmeet Gill wrote:
> Is it possible that the statement described below can be crafted into a Bro
> script?
> Please help me; if it is possible, let me know what I need to do to make this
> possible.
> 
> If my incoming traffic rate exceeds 44Mbps and the average incoming traffic
> rate over the last 504 seconds exceeds the average incoming traffic rate
> over the last 965 seconds by more than 70%, send an alert.
> 
> Thank you, everyone.
> MeetGill

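
The polling approach described in the reply, written out as an added example; it is not code from the thread or from the Bro project. Assumptions: Bro 2.5, where get_net_stats() returns a cumulative bytes_recvd counter; "44Mbps" read as 44,000,000 bits per second; one sample per second; the module, notice and variable names are hypothetical. As the reply notes, this measures all traffic Bro received, not incoming traffic only.

```bro
@load base/frameworks/notice

module RateAlert;

export {
	redef enum Notice::Type += { Traffic_Spike };
	const limit_bps = 44000000.0 &redef;  # "44Mbps", read as 44e6 bits/s (assumption)
	const short_win = 504 &redef;         # seconds
	const long_win = 965 &redef;          # seconds
	const growth = 0.70 &redef;           # short avg must exceed long avg by 70%
}

global ring: vector of count = vector();  # last long_win per-second byte counts
global n = 0;                             # samples taken so far
global short_sum = 0;                     # bytes in the last short_win samples
global long_sum = 0;                      # bytes in the last long_win samples
global last_bytes = 0;

event poll()
	{
	local now_bytes = get_net_stats()$bytes_recvd;  # cumulative since start
	local delta = now_bytes - last_bytes;           # bytes in the last second
	last_bytes = now_bytes;

	# Drop the sample leaving each window, then add the new one.
	if ( n >= long_win )
		long_sum -= ring[n % long_win];
	if ( n >= short_win )
		short_sum -= ring[(n - short_win) % long_win];
	ring[n % long_win] = delta;
	long_sum += delta;
	short_sum += delta;
	++n;

	local short_avg = short_sum * 8.0 / short_win;  # bits per second
	local long_avg = long_sum * 8.0 / long_win;
	# Only evaluate once both windows are full.
	if ( n >= long_win && delta * 8.0 > limit_bps &&
	     short_avg > long_avg * (1.0 + growth) )
		NOTICE([$note=Traffic_Spike, $identifier="rate",
		        $msg=fmt("now %.0f bps, %d s avg %.0f bps, %d s avg %.0f bps",
		                 delta * 8.0, short_win, short_avg, long_win, long_avg)]);

	schedule 1sec { poll() };
	}

event bro_init()
	{
	last_bytes = get_net_stats()$bytes_recvd;
	schedule 1sec { poll() };
	}
```

The fixed $identifier lets the notice framework's suppression interval collapse repeated alerts during a sustained spike instead of raising one per second.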


