[Bro] Bro connections v. NetFlow

James Lay jlay at slave-tothe-box.net
Tue Sep 6 08:23:07 PDT 2016


On 2016-09-06 08:31, Seth Hall wrote:
>> On Sep 2, 2016, at 6:57 PM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>> 
>> const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs,
>> 3days) &redef;
>> 
>> I'd like to see an example of redefing this to a different time.
> 
> redef LongConnection::default_durations =
> LongConnection::Durations(30sec, 1min, 1hr, 10hrs, 1day);
> 
>>  Also, a whitelist of IPs not to be included would be next.  I have a 
>> lot of
>> use cases...truth be told I'm "kind of" doing something similar with
>> grep/sed/awk and the current conn_log for tracking "unusual" long
>> sessions.
> 
> Except that you unfortunately aren't seeing connections "live" before
> the connection has completed.
> 
>>  For example, a netblock, say 172.16.1.0/24 is dedicated to
>> VPN connections, which I expect to be longer as they are a constant
>> session, so I'd want to ignore those in my conn_long file.
> 
> Ah, interesting point.  It sort of sounds like you're starting to use
> the log for detection with this change though.  Are you sure you want
> to do that?  Would it make more sense if we added some other behavior
> that actually detected something that you're interested in?
> Alternately you could use a logging filter that filters out
> connections involving the hosts on your VPN.  Here's one you can start
> with....
> 
> const ignore_for_long_connections: set[subnet] &redef;
> event bro_init()
> 	{
> 	local filt = Log::get_filter(LongConnection::LOG, "default");
> 	filt$pred = function(rec: Conn::Info): bool
> 		{
> 		return rec$id$orig_h !in ignore_for_long_connections &&
> 		       rec$id$resp_h !in ignore_for_long_connections;
> 		};
> 	Log::add_filter(LongConnection::LOG, filt);
> 	}
> 
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Ah there you go...yea a logging filter would be best...I'll give that a 
whirl in my test environment.  And in this case I'm really interested in 
sessions that are over a certain time, possibly over longer than a day, 
and at a very small throughput (can you say data exfiltration?).  So I 
have a subset of internal IPs that are known to have long 
sessions...anything else I wanna see.  Thanks again Seth!

James
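The post-hoc pass James describes (long sessions at very low throughput, with the VPN netblock excluded) can be expressed over a conn.log much as Seth's filter does in Bro. The following is an added example, not code from the thread or from the Bro project: it parses a constructed Bro conn.log sample (TSV with a `#fields` header) and flags connections longer than a day whose combined byte rate stays under a chosen threshold, skipping any connection touching 172.16.1.0/24. The thresholds and the sample records are assumptions chosen for illustration.

```python
import ipaddress

# Constructed conn.log sample (tab-separated, Bro ASCII format). The first
# record is a long VPN session on the excluded netblock, the second is long
# and slow, the third is short, the fourth is long with no bytes reported ("-").
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tduration\torig_bytes\tresp_bytes\n"
    "1473177600.0\tC1\t172.16.1.20\t51000\t203.0.113.9\t443\ttcp\t100000.0\t5000000\t8000000\n"
    "1473177601.0\tC2\t10.0.0.5\t52000\t198.51.100.7\t443\ttcp\t95000.0\t40000\t9000\n"
    "1473177602.0\tC3\t10.0.0.6\t53000\t198.51.100.8\t80\ttcp\t30.0\t1200\t5000\n"
    "1473177603.0\tC4\t10.0.0.7\t54000\t198.51.100.9\t22\ttcp\t90000.0\t-\t-\n"
)

# Netblocks whose sessions are expected to be long (the VPN range from the thread).
IGNORE_SUBNETS = [ipaddress.ip_network("172.16.1.0/24")]
MIN_DURATION = 24 * 3600      # seconds; "longer than a day"
MAX_BYTES_PER_SEC = 10.0      # assumed "very small throughput" threshold

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        yield dict(zip(fields, line.split("\t")))

def is_ignored(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORE_SUBNETS)

def to_int(value):
    # Bro writes "-" for unset fields; treat those as zero bytes.
    return 0 if value == "-" else int(value)

def long_low_throughput(text, min_duration=MIN_DURATION, max_bps=MAX_BYTES_PER_SEC):
    """Return (uid, orig_h, resp_h, bytes_per_sec) for long, slow connections."""
    hits = []
    for rec in parse_conn_log(text):
        if rec["duration"] == "-":
            continue  # connection never completed; no duration to judge
        if is_ignored(rec["id.orig_h"]) or is_ignored(rec["id.resp_h"]):
            continue
        duration = float(rec["duration"])
        if duration < min_duration:
            continue
        total = to_int(rec["orig_bytes"]) + to_int(rec["resp_bytes"])
        bps = total / duration
        if bps <= max_bps:
            hits.append((rec["uid"], rec["id.orig_h"], rec["id.resp_h"], round(bps, 3)))
    return hits
```

As Seth notes, this only sees a connection once it has been written to conn.log, i.e. after it ends; the LongConnection policy reports while the session is still open.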
