[Bro] Is this type of script is possible to create ?

Hosom, Stephen M hosom at battelle.org
Tue Nov 29 12:24:28 PST 2016


Alternatively--and I have no idea what the performance impact of this would be... you could use connection polling: https://www.bro.org/sphinx/scripts/base/protocols/conn/polling.bro.html

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Hosom, Stephen M
Sent: Tuesday, November 29, 2016 3:12 PM
To: Johanna Amann <johanna at icir.org>; Manmeet Gill <mgill6 at student.concordia.ab.ca>
Cc: bro at bro.org
Subject: Re: [Bro] Is this type of script is possible to create ?

You could do this with sumstats... you just have to do a bunch of math... and be happy with an average over a longer period of time. Since you only have to observe two counts, it actually wouldn't be that bad. Just observe the sum of the IP bytes based on which direction the traffic is in... I could probably write an example script sometime tonight.

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Johanna Amann
Sent: Monday, November 28, 2016 6:03 PM
To: Manmeet Gill <mgill6 at student.concordia.ab.ca>
Cc: bro at bro.org
Subject: Re: [Bro] Is this type of script is possible to create ?

Hi,

This is actually a bit difficult - there is a function that you can call regularly to get information about the number of packets/bytes that Bro received (get_net_stats); if you call this every second or so, you can determine traffic rates. However, it does not split things out by incoming/outgoing connections.

Apart from that the only other idea I have is to use the packet-level events and count things manually - however, this will have quite a performance impact.

I might be missing an obvious solution I am not thinking about here though.

Johanna

On Fri, Nov 18, 2016 at 10:35:09PM -0700, Manmeet Gill wrote:
> Is it possible that the statement described below can be crafted into a
> Bro script?
> Please help me if it is possible; let me know what I need to do to make
> this possible.
> 
> If my incoming traffic rate exceeds 44 Mbps and the average incoming
> traffic rate over the last 504 seconds exceeds the average incoming
> traffic rate over the last 965 seconds by more than 70%, send an alert.
> 
> Thank you Everyone.
> MeetGill

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


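As an added illustration of the sumstats approach Stephen sketches (this is example code written for this page, not his promised script and not part of Bro), the following Bro script sums the bytes of each finished connection per direction in one-second SumStats epochs and applies the rule from the original question: instantaneous incoming rate above 44 Mbps and the 504-second average more than 70% above the 965-second average. It assumes Site::local_nets is configured (direction is "incoming" when the remote side sent the bytes), that the stream name "traffic.bytes", the SumStat name "traffic-rate", the module name and the notice type are free to choose, and that $epoch_finished is invoked once per epoch even when nothing was observed, which is what keeps the per-second sample clock ticking through quiet seconds. Because the bytes are observed in connection_state_remove, a long connection's bytes land in the second it ends rather than being spread over its lifetime; that is exactly the "average over a longer period" caveat Stephen raises, and the connection-polling alternative he links would be the way to attribute bytes while a connection is still open.

```bro
##! Added example: per-second incoming/outgoing byte rates via SumStats with the
##! 44 Mbps / 504 s / 965 s / 70% rule from the question. Names are assumed.

@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/utils/site

module TrafficRate;

export {
    redef enum Notice::Type += {
        ## Raised when the incoming-rate rule from the question fires.
        Incoming_Rate_Spike,
    };

    ## Instantaneous incoming threshold: 44 Mbps expressed in bytes/second.
    const abs_threshold_bps = 5500000.0 &redef;
    ## Short and long averaging windows from the question, in seconds.
    const short_window: count = 504 &redef;
    const long_window: count = 965 &redef;
    ## "Exceeds by more than 70%" means short average > 1.7 * long average.
    const ratio_threshold = 1.7 &redef;
}

# Bytes observed in the current one-second epoch, per direction.
global last_epoch: table[string] of double = table(["in"] = 0.0, ["out"] = 0.0);

# Sliding-window state for the incoming direction: per-second samples keyed by
# an epoch counter, plus running sums so each epoch costs O(1).
global tick: count = 0;
global hist: table[count] of double;
global short_sum: double = 0.0;
global long_sum: double = 0.0;

function to_mbps(bytes_per_sec: double): double
    {
    return bytes_per_sec * 8.0 / 1000000.0;
    }

# Push one per-second sample, expire samples leaving each window, and evaluate
# the rule once the long window is full.
function record_sample(in_bps: double)
    {
    hist[tick] = in_bps;
    short_sum += in_bps;
    long_sum += in_bps;

    if ( tick >= short_window )
        short_sum -= hist[tick - short_window];
    if ( tick >= long_window )
        {
        long_sum -= hist[tick - long_window];
        delete hist[tick - long_window];   # no longer needed by either window
        }
    ++tick;

    if ( tick < long_window )
        return;   # not enough history yet for a full 965-second average

    local short_avg = short_sum / short_window;
    local long_avg = long_sum / long_window;

    if ( in_bps > abs_threshold_bps && short_avg > long_avg * ratio_threshold )
        NOTICE([$note=Incoming_Rate_Spike,
                $msg=fmt("incoming %.2f Mbps; %d s avg %.2f Mbps vs %d s avg %.2f Mbps",
                         to_mbps(in_bps), short_window, to_mbps(short_avg),
                         long_window, to_mbps(long_avg)),
                $identifier="incoming-rate-spike"]);
    }

# Feed the byte counts of each finished connection into SumStats, keyed by
# direction relative to Site::local_nets (assumed to be configured).
event connection_state_remove(c: connection)
    {
    local orig_local = Site::is_local_addr(c$id$orig_h);
    local resp_local = Site::is_local_addr(c$id$resp_h);
    if ( orig_local == resp_local )
        return;   # internal-to-internal or external-to-external: skip

    # Bytes sent by the remote side are incoming, bytes sent by the local side outgoing.
    local in_bytes = orig_local ? c$resp$size : c$orig$size;
    local out_bytes = orig_local ? c$orig$size : c$resp$size;
    SumStats::observe("traffic.bytes", [$str="in"], [$num=in_bytes]);
    SumStats::observe("traffic.bytes", [$str="out"], [$num=out_bytes]);
    }

event bro_init()
    {
    local r: SumStats::Reducer = [$stream="traffic.bytes", $apply=set(SumStats::SUM)];
    SumStats::create([$name="traffic-rate",
                      $epoch=1sec,
                      $reducers=set(r),
                      # Called once per key ("in"/"out") that had observations this epoch.
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          last_epoch[key$str] = result["traffic.bytes"]$sum;
                          },
                      # Called every epoch; records the sample and resets the counters.
                      $epoch_finished(ts: time) =
                          {
                          record_sample(last_epoch["in"]);
                          last_epoch["in"] = 0.0;
                          last_epoch["out"] = 0.0;
                          }]);
    }
```

The outgoing sum is collected but only the incoming direction feeds the rule, as the question asked; mirroring the window state for "out" is a straightforward extension. The absolute threshold is checked against the latest one-second sample, so a single large connection ending in one second can trip it on its own; with the polling approach the same rule would see a smoother series.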