[Bro] Bro logging connections after specific daytime

Johanna Amann johanna at icir.org
Tue May 30 10:02:55 PDT 2017


> Hello,
>
> I'm currently trying to develop a script for a project scenario and I 
> would like to know if there are some more efficient approaches and/or 
> solutions for the current problem.
>
> The main task is defined as logging all connections and 
> connection attempts occurring after a certain daytime.
>
> At the moment I'm using the functions provided by the script located 
> in base/protocols/conn/main.bro and the following events:
>
>   * event bro_init()   //used for initializing streams and so on
>
>   * event bro_done()   //used for clearing
>   * event new_connection()
>
>   * event connection_state_remove()
>
>   * event content_gap() //not sure about this one

If the purpose really is to only log connection information after a 
certain time (where the timestamp that currently is being logged in 
conn.log is between specific times of the day), you can do this even 
easier. The way I would probably go is to use a log predicate to filter 
on the timestamp; 
https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records 
gives an example to do this.

> Now I got stuck with a few questions:
>
>   1. Are those events enough to track every connection being 
> established after a certain daytime? Or do I need additional events 
> like "event udp_reply()/udp_request()" and "connection_established()"?

These should be enough. Actually, just connection_state_remove should be 
enough already for the connection information - the timestamp contained 
in the connection record is the timestamp of the first packet.

>   2. Why does the ../conn/main.bro script fill the c$conn attributes 
> from Conn::Info (function set_conn()), if Bro provides them 
> automatically after an event is removed from memory?

I am not quite sure what you mean here (specifically the "if Bro 
provides them automatically after an event is removed from memory" part). 
In any case - the Conn::Info record is the record that is used for 
logging. set_conn() copies information into that record so that it can 
be logged; the information originally is directly in the connection 
record, which is not suitable for logging.

>   3. Even if I do include other scripts (e.g. base/protocols/dns/), 
> why are the records still missing in a connection object provided by 
> the connection_state_remove() event? I think it makes sense if there 
> is a dns event and the ssl record is missing, but even if it's a 
> dns event, there is still no dns record with additional data about the 
> connection. Am I missing something? Do I have to fill them myself by 
> using Bro functions?

You lost me a bit on the question here. The records (like c$dns) are 
filled as events are raised by the protocol parser that contain the 
necessary information for the log field.

>   4. Is it possible to determine how much data was transferred by a 
> specific connection while that connection is still in memory? As 
> an example: a connection was seen at a certain time and finished 10 
> seconds later. Is it possible to determine the bytes sent 5 seconds 
> after initiation?

No, that information is not held as far as I am aware.

Johanna
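The log-predicate approach suggested in the reply above, written out as an added example (this script is not part of the thread and not from the Bro project). It assumes the script name `conn_after_hours.bro`, the module name `ConnAfterHours`, a window of 18:00 to 06:00 local time as a sample value, and that the host running Bro has its timezone set the way the scenario expects, since `strftime()` renders local time. The default conn.log is left untouched; a second filter on the same `Conn::LOG` stream keeps only records whose first-packet timestamp (`rec$ts`) falls in the window and writes them to a separate file:

```bro
##! Added example, not from the mailing list thread or the Bro project:
##! write conn.log records whose start time falls inside a configurable
##! window of the day to conn_after_hours.log, using a Log filter
##! predicate instead of handling extra events.

@load base/protocols/conn

module ConnAfterHours;

export {
	## Start of the window, hour of day 0-23 in the local timezone of the
	## Bro host. Sample value; adjust to the scenario.
	const start_hour: count = 18 &redef;

	## End of the window, exclusive. A window that wraps past midnight
	## (e.g. 22 to 6) is handled below. Sample value.
	const end_hour: count = 6 &redef;
}

## Returns T when the given timestamp lies inside the configured window.
## strftime() renders the time in the local timezone; "%H" yields 00-23.
function in_window(ts: time): bool
	{
	local h = to_count(strftime("%H", ts));

	if ( start_hour < end_hour )
		return h >= start_hour && h < end_hour;

	# The window wraps past midnight, e.g. 22:00 -> 06:00.
	return h >= start_hour || h < end_hour;
	}

event bro_init() &priority=-5
	{
	# Keep the default conn.log as is and add a second filter on the same
	# stream. rec$ts is the timestamp of the connection's first packet, so
	# this selects connections (and attempts) that started in the window.
	Log::add_filter(Conn::LOG, [$name="conn-after-hours",
	                            $path="conn_after_hours",
	                            $pred(rec: Conn::Info) = { return in_window(rec$ts); }]);
	}
```

Running `bro -r trace.pcap conn_after_hours.bro` (trace name assumed) produces the normal conn.log plus conn_after_hours.log containing only the in-window records; the window can be changed from the command line with `ConnAfterHours::start_hour=22` and `ConnAfterHours::end_hour=6`. Because the predicate runs when the record is written, a long-lived connection that began before the window still appears in the log only if its first packet was inside the window, which matches the "first packet timestamp" behaviour described in the reply.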

