[Bro] Bro logging connections after specific daytime
Johanna Amann
johanna at icir.org
Tue May 30 10:02:55 PDT 2017
> Hello,
>
> I'm currently trying to develop a script for a project scenario and I
> would like to know if there are some more efficient approaches and/or
> solutions for the current problem.
>
> The main task is defined as logging all connections and
> connection attempts occurring after a certain daytime.
>
> At the moment I'm using the functions provided by the script located
> in base/protocols/conn/main.bro and the following events:
>
> * event bro_init() //used for initializing streams and so on
>
> * event bro_done() //used for clearing
> * event new_connection()
>
> * event connection_state_remove()
>
> * event content_gap() //not sure about this one
If the purpose really is to only log connection information after a
certain time (where the timestamp that currently is being logged in
conn.log is between specific times of the day), you can do this even
easier. The way I would probably go is to use a log predicate to filter
on the timestamp;
https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records
gives an example to do this.
> Now I got stuck with a few questions:
>
> 1. Are those events enough to track every connection being
> established after a certain daytime? Or do I need additional events
> like "event udp_reply()/udp_request()" and "connection_established()"?
These should be enough. Actually, just connection_state_remove should be
enough already for the connection information - the timestamp contained
in the connection record is the timestamp of the first packet.
> 2. Why does the ../conn/main.bro script fill the c$conn attributes
> from Conn::Info (function set_conn()), if bro provides them
> automatically after an event is removed from memory?
I am not quite sure what you mean here (specifically the "if bro
provides them automatically after an event is removed from memory" part).
In any case - the Conn::Info record is the record that is used for
logging. set_conn() copies information into that record so that it can
be logged; the information originally is directly in the connection
record, which is not suitable for logging.
> 3. Even if I do include other scripts (e.g. base/protocols/dns/),
> why are the records still missing in a connection object provided by
> the connection_state_remove() event? I think it makes sense if there
> is a dns event and the ssl record is missing, but even if it's a
> dns event, there is still no dns record with additional data about the
> connection. Am I missing something? Do I have to fill them myself by
> using Bro functions?
You lost me a bit on the question here. The records (like c$dns) are
filled as events are raised by the protocol parser that contain the
necessary information for the log field.
> 4. Is it possible to determine how much data was transferred by a
> specific connection while that connection is still in memory? As
> an example: Connection was seen at a certain time, and finished 10
> seconds later. Is it possible to determine the sent bytes 5 seconds
> after initiation?
No, that information is not held as far as I am aware.
Johanna
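An added example of the log-predicate approach suggested in the reply above; it is not part of the thread and not Bro's own code. It attaches a second filter to Conn::LOG that writes only records whose timestamp falls inside a configurable after-hours window to conn-afterhours.log, leaving the default conn.log untouched. The module name, the window boundaries and the output path are assumptions chosen for the example.

```bro
##! Added example (not from the mailing-list thread): write connection
##! records whose start time falls in an after-hours window to a separate
##! conn-afterhours.log, using a Log::Filter predicate on Conn::Info$ts.

module AfterHours;

export {
	## Start of the window as an hour of day (0-23). Assumed value.
	const start_hour: count = 18 &redef;
	## End of the window (exclusive). If end_hour <= start_hour the window
	## wraps past midnight, e.g. 22 -> 6. Assumed value.
	const end_hour: count = 6 &redef;
}

## Local hour of day (0-23) for a timestamp. strftime() formats in the
## local time zone of the Bro process, so set TZ accordingly.
function hour_of_day(t: time): count
	{
	return to_count(strftime("%H", t));
	}

## True if the hour of t lies in [start_hour, end_hour), handling a
## window that wraps past midnight.
function in_window(t: time): bool
	{
	local h = hour_of_day(t);
	if ( start_hour < end_hour )
		return h >= start_hour && h < end_hour;
	return h >= start_hour || h < end_hour;
	}

# Negative priority so the Conn::LOG stream already exists when the
# filter is added.
event bro_init() &priority=-5
	{
	# The predicate sees each Conn::Info record as it is written. rec$ts is
	# the time of the connection's first packet, so a connection is selected
	# when it begins inside the window, even if it ends outside it.
	local filter: Log::Filter = [$name="after-hours",
	                             $path="conn-afterhours",
	                             $pred(rec: Conn::Info) = { return in_window(rec$ts); }];
	Log::add_filter(Conn::LOG, filter);
	}
```

Because the filter is added under its own name rather than replacing the "default" filter, conn.log keeps every connection and conn-afterhours.log holds the subset; adding the filter with `$name="default"` instead would restrict conn.log itself. The timestamp is checked once per record at write time, which also means long-lived connections are classified by when they started, matching the note above that the connection record carries the first-packet timestamp.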