[Bro] TCP Conn Log
Azoff, Justin S
jazoff at illinois.edu
Wed Apr 5 09:40:52 PDT 2017
Oh! there is this script that may help:
https://github.com/corelight/bro-long-connections
--
- Justin Azoff
> On Apr 5, 2017, at 12:28 PM, Johanna Amann <johanna at icir.org> wrote:
>
> Hi Mike,
>
> I am currently not aware of any way to accomplish this without
> modifications to the core. You can change the timeout that Bro uses for
> TCP connections (the time after which it expires a connection, if it does
> not see any packets) by changing tcp_inactivity_timeout; depending on your
> specific application, maybe that might be good enough.
>
> Johanna
>
> On Mon, Apr 03, 2017 at 02:49:21PM +0200, mike anastasakis wrote:
>> Hello,
>>
>> I am using Bro for a project and I have a question regarding its
>> capabilities.
>> Currently when I have a long TCP connection that includes frequent TCP Keep
>> Alive messages, bro is reassembling the whole network trace into one
>> connection and presents it in conn.log with a big duration value. Is it
>> possible to make bro split up TCP connections into smaller fragments based
>> on an interval I set up or at least whenever a TCP Keep alive handshake
>> takes place?
>>
>>
>> Regards,
>> Mike
>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
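The approach Justin's link points at, written here as an added example (not the corelight/bro-long-connections script and not code from anyone in the thread): a Bro policy script that, without core changes, writes an interim record for a still-open TCP connection each time its duration crosses a configurable threshold, so a keep-alive-fed session is visible long before its single conn.log row appears. It assumes Bro 2.5-era names (`bro_init`, `ConnPolling::watch`) and the log path `conn_long`, both chosen for this example.

```zeek
##! Interim logging of long-lived connections via ConnPolling (added example).
##! Zeek 3+ renames bro_init to zeek_init; nothing else here changes.
@load base/protocols/conn

module LongConn;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:         time     &log;  ## when this interim record was written
        uid:        string   &log;  ## same uid as the eventual conn.log row
        id:         conn_id  &log;
        duration:   interval &log;  ## time the connection has been open so far
        orig_bytes: count    &log;  ## payload bytes from the originator so far
        resp_bytes: count    &log;
    };

    ## Durations (ascending) at which a still-open connection is reported.
    const thresholds: vector of interval = vector(10min, 1hr, 6hr, 1day) &redef;
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="conn_long"]);
    }

## Callback for ConnPolling: cnt is incremented on each call and indexes thresholds.
function report(c: connection, cnt: count): interval
    {
    # Refresh the connection record so the endpoint byte counters are current.
    local cur = lookup_connection(c$id);
    local now = network_time();
    local dur = now - cur$start_time;
    Log::write(LOG, [$ts=now, $uid=cur$uid, $id=cur$id, $duration=dur,
                     $orig_bytes=cur$orig$size, $resp_bytes=cur$resp$size]);

    if ( cnt + 1 >= |thresholds| )
        return -1sec;  # no further thresholds: a negative interval stops polling

    # Schedule the next check for when the next threshold is reached; never
    # return a negative value here, since that would silently stop polling.
    local next = thresholds[cnt + 1] - dur;
    return next > 0secs ? next : 0secs;
    }

event connection_established(c: connection)
    {
    # First check at thresholds[0]. ConnPolling drops the timer if the connection
    # has already ended, so short connections cost exactly one scheduled check.
    ConnPolling::watch(c, report, 0, thresholds[0]);
    }
```

Johanna's alternative, lowering `tcp_inactivity_timeout`, only helps once packets stop arriving, which the keep-alives in Mike's case prevent; the interim records above instead give a duration-bounded view of a connection that Bro still tracks as one.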