[Bro] Fwd: Simultaneous Connections

Johanna Amann johanna at icir.org
Tue Oct 25 12:00:37 PDT 2016


Hi Troy,

the c$conn record is only populated way after the connection_established
event (usually in connection_state_remove). If that is too late, the
easiest way is probably to also extend the connection record, first track
that in there, and then copy it over to c$conn in connection_state_remove.

I hope this helps,
 Johanna

On Thu, Oct 20, 2016 at 11:23:41PM -0400, Troy Ward wrote:
> I am trying to identify connections with the same source host and
> destination host/port occurring at the same time.  My plan is to examine
> each connection_established event.  I've created a table that pairs up those
> 3 items and when the event fires it looks to see if the pair exists.  If it
> does, I want to tag a bool value that I have added to the conn record to
> mark it as a duplicate.  When the connection closes, it takes information
> about both connections and records them into a new log file.  I have
> attached my code below.  My problem is that I get a "field value missing
> [simultanious::c$conn]" on line 75 (c$conn$duplicate = T).  If I move the
> command to the connection_closed event it works fine but that is too late.
> 
> Ideas?
> 
> Thanks,
> 
> Troy
> 
> 
> local.bro
> 
> # Record describing the earlier of two simultaneous connections.
> type tmp: record {
>     ## Timestamp of the first connection.
>     ts: time &log;
>     ## Source port of the first connection.
>     orig_p: count &log;
>     ## UID of the first connection.
>     uid: string &log;
> };
> 
> # Add fields to the connection log record.
> redef record Conn::Info += {
>     ## Set to T when another connection with the same source host and
>     ## destination host/port was already open when this one was established.
>     duplicate: bool &default=F;
>     ## Details of the earlier connection, only present for duplicates.
>     tmp_duplicate: tmp &optional;
> };
> 
> @load simultanious
> 
> 
> simultanious.bro
> 
> module simultanious;
> 
> export {
>     redef enum Log::ID += { LOG };
> 
>     ## Data structure for the final record written to the log.
>     type Info: record {
>         ## Timestamp of the event.
>         ts: time &log;
>         ## Source IP host address.
>         orig_h: addr &log;
>         ## Destination IP host address.
>         resp_h: addr &log;
>         ## Destination port.
>         resp_p: count &log;
>         ## Protocol.
>         proto: transport_proto &log;
>         ## First connection timestamp.
>         first_ts: time &log;
>         ## First UID.
>         first_uid: string &log;
>         ## First originating port.
>         first_orig_p: count &log &optional;
>         ## Second connection timestamp.
>         second_ts: time &log;
>         ## Second UID.
>         second_uid: string &log;
>         ## Second originating port.
>         second_orig_p: count &log &optional;
>     };
> 
>     ## Table of connections currently being tracked, indexed by source
>     ## address, destination address and destination port. The ``tmp``
>     ## record type is declared in local.bro before this script is loaded.
>     global current_connections: table[addr, addr, port] of tmp;
> 
>     ## An event that can be handled to access the :bro:type:`simultanious::Info`
>     ## record as it is sent on to the logging framework.
>     global log_duplicate_connections: event(rec: Info);
> 
>     ## List of subnets to monitor.
>     global monitor_subnets: set[subnet] = { 192.168.1.0/24, 192.68.2.0/24,
>         172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20 };
> 
>     ## List of ports to monitor.
>     global monitor_ports: set[port] = { 443/tcp, 80/tcp, 8080/tcp, 22/tcp };
> }
> 
> event bro_init()
>     {
>     # Create the logging stream.
>     Log::create_stream(LOG, [$columns=Info, $path="simultanious_conn"]);
>     }
> 
> event connection_established(c: connection)
>     {
>     # Check whether there is already an entry for this source host and
>     # destination host/port in the table.
>     if ( [c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections )
>         {
>         # There is a duplicate record. This assignment fails with
>         # "field value missing [simultanious::c$conn]": c$conn is not set yet.
>         c$conn$duplicate = T;
>         c$conn$tmp_duplicate = current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p];
>         print fmt("dup  -  %s     %s      %s      %s", c$uid, c$id$orig_h,
>                   c$id$resp_h, c$id$resp_p);
>         }
>     else
>         {
>         local temp_record: tmp = [$ts=c$start_time,
>                                   $orig_p=port_to_count(c$id$orig_p),
>                                   $uid=c$uid];
>         current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p] = temp_record;
>         print fmt("no dup  -  %s     %s      %s      %s", c$uid, c$id$orig_h,
>                   c$id$resp_h, c$id$resp_p);
>         }
>     }
> 
> event connection_state_remove(c: connection)
>     {
>     if ( c$conn$duplicate && c$duration > 1min )
>         {
>         print fmt("end of record dup  %s     %s      %s      %s      %s", c$uid,
>                   c$id$orig_h, c$id$resp_h, c$id$resp_p, c$conn$tmp_duplicate);
>         #Log::write(simultanious::LOG, temp_working_record);
>         }
>     else
>         {
>         print fmt("end of packet no dup  -  %s     %s      %s      %s", c$uid,
>                   c$id$orig_h, c$id$resp_h, c$id$resp_p);
>         }
>     }

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
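The approach Johanna describes, worked through as an added example (this is editorial example code, not a script from the thread or from the Bro project): a field is added to the `connection` record, which every connection event can see, the match is stored there in `connection_established`, and the result is copied into `c$conn` in `connection_state_remove`, where `Conn::Info` is guaranteed to exist. The module name `Simultaneous`, the field name `simultaneous_first`, the record type `First`, the stream path and the 10-minute table expiry are all assumptions made here. It also removes the tracking entry once the first connection of a pair ends, which the posted code does not do. The priority comment relies on the Bro 2.x base `Conn` script setting `c$conn` at priority 5 and writing conn.log at priority -5.

```bro
# Added example, not code from the thread: track simultaneous connections on
# the connection record, then copy the result into Conn::Info once c$conn exists.
module Simultaneous;   # hypothetical module name

export {
    redef enum Log::ID += { LOG };

    ## What is remembered about the earlier connection of a pair.
    type First: record {
        ts: time;
        uid: string;
        orig_p: port;
    };

    ## Log record written for every detected pair.
    type Info: record {
        ts: time &log;
        orig_h: addr &log;
        resp_h: addr &log;
        resp_p: port &log;
        first_ts: time &log;
        first_uid: string &log;
        first_orig_p: port &log;
        second_ts: time &log;
        second_uid: string &log;
        second_orig_p: port &log;
    };

    ## Entries expire (assumed 10 minutes) so a connection that never reaches
    ## connection_state_remove cannot leave a stale entry behind forever.
    global current_connections: table[addr, addr, port] of First &write_expire=10min;
}

# Step 1: extend the connection record; unlike c$conn it is available in
# every event, including connection_established.
redef record connection += {
    simultaneous_first: First &optional;
};

# The field that ends up in conn.log.
redef record Conn::Info += {
    duplicate: bool &log &default=F;
};

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="simultaneous_conn"]);
    }

event connection_established(c: connection)
    {
    if ( [c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections )
        # Step 2: c$conn is not populated yet, so record the match on c itself.
        c$simultaneous_first = current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p];
    else
        current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p] =
            [$ts=c$start_time, $uid=c$uid, $orig_p=c$id$orig_p];
    }

# Default priority 0 runs after the base Conn script fills in c$conn
# (priority 5) and before it writes conn.log (priority -5).
event connection_state_remove(c: connection)
    {
    # Drop the tracking entry once the connection that created it is gone.
    if ( [c$id$orig_h, c$id$resp_h, c$id$resp_p] in current_connections &&
         current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p]$uid == c$uid )
        delete current_connections[c$id$orig_h, c$id$resp_h, c$id$resp_p];

    if ( ! c?$simultaneous_first )
        return;

    # Step 3: copy the result over to c$conn now that it exists.
    if ( c?$conn )
        c$conn$duplicate = T;

    local first = c$simultaneous_first;
    Log::write(LOG, [$ts=network_time(),
                     $orig_h=c$id$orig_h, $resp_h=c$id$resp_h, $resp_p=c$id$resp_p,
                     $first_ts=first$ts, $first_uid=first$uid, $first_orig_p=first$orig_p,
                     $second_ts=c$start_time, $second_uid=c$uid, $second_orig_p=c$id$orig_p]);
    }
```

Keeping the per-pair state on `c` rather than in a second global table also means nothing has to be looked up again or cleaned up when the second connection ends; the entry in `current_connections` belongs to the first connection and is deleted when that one is removed.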


