[Bro] Bro connections v. NetFlow
James Lay
jlay at slave-tothe-box.net
Tue Sep 6 08:23:07 PDT 2016
On 2016-09-06 08:31, Seth Hall wrote:
>> On Sep 2, 2016, at 6:57 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>>
>> const default_durations = Durations(10min, 30min, 1hr, 12hr, 24hrs, 3days) &redef;
>>
>> I'd like to see an example of redefing this to a different time.
>
> redef LongConnection::default_durations = LongConnection::Durations(30sec, 1min, 1hr, 10hrs, 1day);
>
>> Also, a whitelist of IPs not to be included would be next. I have a
>> lot of use cases... truth be told I'm "kind of" doing something similar
>> with grep/sed/awk and the current conn_log for tracking "unusual" long
>> sessions.
>
> Except that you unfortunately aren't seeing connections "live" before
> the connection has completed.
>
>> For example, a netblock, say 172.16.1.0/24, is dedicated to
>> VPN connections, which I expect to be longer as they are a constant
>> session, so I'd want to ignore those in my conn_long file.
>
> Ah, interesting point. It sort of sounds like you're starting to use
> the log for detection with this change though. Are you sure you want
> to do that? Would it make more sense if we added some other behavior
> that actually detected something that you're interested in?
> Alternately you could use a logging filter that filters out
> connections involving the hosts on your VPN. Here's one you can start
> with....
>
> # Subnets whose connections should never be written to conn_long.
> const ignore_for_long_connections: set[subnet] &redef;
>
> event bro_init()
> 	{
> 	# Attach a predicate to the stream's default filter so that records
> 	# involving an ignored subnet are dropped before they are written.
> 	local filt = Log::get_filter(LongConnection::LOG, "default");
> 	filt$pred = function(rec: Conn::Info): bool
> 		{
> 		return rec$id$orig_h !in ignore_for_long_connections &&
> 		       rec$id$resp_h !in ignore_for_long_connections;
> 		};
> 	Log::add_filter(LongConnection::LOG, filt);
> 	}
>
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Ah, there you go... yeah, a logging filter would be best. I'll give that a
whirl in my test environment. And in this case I'm really interested in
sessions that are over a certain time, possibly longer than a day,
and at a very small throughput (can you say data exfiltration?). So I
have a subset of internal IPs that are known to have long
sessions... anything else I want to see. Thanks again Seth!
James
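The following is an added example putting the pieces of this thread together in one local policy script; it is not code from the thread or from the long-connections package. It assumes the package is loaded and, as in Seth's snippet, logs `Conn::Info` records to `LongConnection::LOG`. The module name `LongConnWatch`, the `throughput` helper, the `quiet_bytes_per_sec` threshold and its value, and the `&priority=-5` on `bro_init` are all choices made here for illustration; the VPN netblock 172.16.1.0/24 is the one James mentions. Beyond the thread's own filter it also drops connections whose average throughput is high, so that only long, quiet sessions (the exfiltration case James describes) reach conn_long.

```bro
# Added example, not from the thread or the long-connections package.
# Assumes the package is loaded and writes Conn::Info records to
# LongConnection::LOG. Module name, helper, threshold and priority are
# assumptions made for this example.
module LongConnWatch;

export {
	## Subnets whose connections are expected to be long-lived (for
	## example a VPN address pool) and must not appear in conn_long.
	const ignore_for_long_connections: set[subnet] = set() &redef;

	## Average throughput (bytes/second) below which a long connection
	## is considered "quiet". Illustrative value, not a tuned one.
	const quiet_bytes_per_sec = 100.0 &redef;
}

# Report earlier and more often than the package default
# (10min, 30min, 1hr, 12hr, 24hrs, 3days).
redef LongConnection::default_durations =
	LongConnection::Durations(5min, 30min, 1hr, 6hrs, 1day, 3days);

# Local policy: the VPN pool from the thread is excluded.
redef ignore_for_long_connections += { 172.16.1.0/24 };

# Average bytes per second over the connection so far. The duration and
# byte counters in Conn::Info are &optional, so test for presence first.
function throughput(rec: Conn::Info): double
	{
	if ( ! rec?$duration || rec$duration <= 0secs )
		return 0.0;

	local total = 0.0;
	if ( rec?$orig_bytes )
		total = total + rec$orig_bytes;
	if ( rec?$resp_bytes )
		total = total + rec$resp_bytes;

	return total / interval_to_double(rec$duration);
	}

# Negative priority so this runs after the package's own bro_init has
# created the LongConnection::LOG stream and its "default" filter.
event bro_init() &priority=-5
	{
	local filt = Log::get_filter(LongConnection::LOG, "default");
	filt$pred = function(rec: Conn::Info): bool
		{
		# Drop anything touching an ignored subnet.
		if ( rec$id$orig_h in ignore_for_long_connections ||
		     rec$id$resp_h in ignore_for_long_connections )
			return F;

		# Keep only the quiet ones: long-lived but moving little data.
		return throughput(rec) < quiet_bytes_per_sec;
		};
	Log::add_filter(LongConnection::LOG, filt);
	}
```

Two caveats worth keeping in mind. The record is written while the connection is still open, so `duration`, `orig_bytes` and `resp_bytes` describe the session so far, not its final size; a transfer that bursts after a long idle period will have looked quiet at the earlier reporting points. And, as Seth notes above, a log filter only changes what is written, so the threshold here shapes the log rather than raising a notice; if the goal is alerting, that belongs in a notice or a dedicated detection script rather than in `filt$pred`.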