[Zeek] Long running connection using threshold
Jon Siwek
jsiwek at corelight.com
Mon Apr 6 13:43:57 PDT 2020
Hi Petr,
Your example code looked correct to me, but I found what simply looked
like a bug in the connection thresholding code that did the duration
comparison in reverse of what it should. Here's my proposed patch:
https://github.com/zeek/zeek/pull/899
- Jon
On Tue, Mar 31, 2020 at 12:25 PM Petr Medonos <petr.medonos at etnetera.cz> wrote:
>
> Hi,
> I tried to write a simple script to detect long running connections using
> zeek (3.0) thresholds. I set a duration in the connection established event and
> then, using duration_threshold_crossed, logged connections above the limit.
> But the Notice log is then flooded with every new established connection.
> Simple PoC below. Did I miss something? Is there any better way to
> detect long running connections? I tried Corelight bro-long-connections
> but there is a lot of overhead in my environment. Thanks for pointing me in the
> right direction!
>
>
> --
> Petr
>
>
> PoC:
>
> @load base/protocols/conn
>
> module LongConnection;
>
> export {
>     redef enum Log::ID += { LOG };
>
>     redef enum Notice::Type += {
>         LongConnection::found
>     };
>
>     const duration: interval = 12hr &redef;
> }
>
> event connection_established(c: connection)
>     {
>     ConnThreshold::set_duration_threshold(c, duration);
>     }
>
> event ConnThreshold::duration_threshold_crossed(c: connection,
>                                                 threshold: interval, is_orig: bool)
>     {
>     local message = fmt("%s:%s -> %s:%s remained alive for longer than %s",
>                         c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, threshold);
>
>     NOTICE([$note=LongConnection::found,
>             $msg=message,
>             $sub=fmt("%.2f", threshold),
>             $conn=c]);
>     }
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
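To show why a reversed duration comparison floods the Notice log with every freshly established connection, here is a small Python model of a per-connection duration threshold check, written for this thread; it is not Zeek's own code or the code changed in the pull request, and the connection uids and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from typing import List

HOUR = 3600.0  # seconds; Petr's threshold is 12hr


@dataclass
class Conn:
    uid: str                # constructed Zeek-style connection uid
    established_at: float   # epoch seconds when connection_established fired


def threshold_crossed(duration: float, threshold: float,
                      reversed_cmp: bool = False) -> bool:
    """Decide whether duration_threshold_crossed should fire for one connection.

    reversed_cmp=True models the bug Jon describes: the comparison runs the
    wrong way round, so the event fires for connections that have NOT yet
    lived as long as the threshold, i.e. for every new connection.
    """
    if reversed_cmp:
        return duration < threshold   # buggy: fresh connections cross immediately
    return duration >= threshold      # intended: fires once the connection is old enough


def long_connections(conns: List[Conn], now: float, threshold: float,
                     reversed_cmp: bool = False) -> List[str]:
    """Return the uids that would raise a NOTICE when checked at time `now`."""
    return [c.uid for c in conns
            if threshold_crossed(now - c.established_at, threshold, reversed_cmp)]


# Constructed sample: three connections a few seconds or minutes old and one
# that has been alive for 13 hours, evaluated against a 12-hour threshold.
NOW = 1_585_600_000.0
SAMPLE = [
    Conn("Cx1aa0constructed", NOW - 5),
    Conn("Cx2bb0constructed", NOW - 120),
    Conn("Cx3cc0constructed", NOW - 13 * HOUR),
    Conn("Cx4dd0constructed", NOW - 1),
]

if __name__ == "__main__":
    # Reversed comparison: every fresh connection fires, the long one does not.
    print("reversed:", long_connections(SAMPLE, NOW, 12 * HOUR, reversed_cmp=True))
    # Correct comparison: only the 13-hour-old connection fires.
    print("fixed   :", long_connections(SAMPLE, NOW, 12 * HOUR))
```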