[Zeek] Long running connection using threshold

Petr Medonos petr.medonos at etnetera.cz
Wed Apr 8 09:20:58 PDT 2020


Hi Jon,
thanks for the fix. Works like a charm!

--
Petr


On 06. 04. 20 22:43, Jon Siwek wrote:
> Hi Petr,
> 
> Your example code looked correct to me, but I found what simply looked
> like a bug in the connection thresholding code that did the duration
> comparison in reverse of what it should.  Here's my proposed patch:
> https://github.com/zeek/zeek/pull/899
> 
> - Jon
> 
> On Tue, Mar 31, 2020 at 12:25 PM Petr Medonos <petr.medonos at etnetera.cz> wrote:
>>
>> Hi,
>> I tried to write a simple script to detect long-running connections using
>> the Zeek (3.0) connection threshold. I set the duration in the
>> connection_established event and then, using duration_threshold_crossed,
>> logged connections above the limit. But the Notice log is then flooded
>> with every newly established connection. Simple PoC below. Did I miss
>> something? Is there a better way to detect long-running connections? I
>> tried Corelight's bro-long-connections but there is a lot of overhead in
>> my environment. Thanks for pointing me the right way!
>>
>>
>> --
>> Petr
>>
>>
>> PoC:
>>
>> @load base/frameworks/notice
>> @load base/protocols/conn
>>
>> module LongConnection;
>>
>> export {
>>         redef enum Notice::Type += {
>>                 ## Raised once a connection has stayed alive longer than `duration`.
>>                 LongConnection::found
>>         };
>>
>>         ## Connections alive longer than this are reported.
>>         const duration: interval = 12hr &redef;
>> }
>>
>> # Arm a per-connection duration threshold as soon as the TCP handshake completes.
>> event connection_established(c: connection)
>>         {
>>         ConnThreshold::set_duration_threshold(c, duration);
>>         }
>>
>> # Fired by the ConnThreshold framework on the first packet seen after the
>> # connection's lifetime passes the threshold armed above.
>> event ConnThreshold::duration_threshold_crossed(c: connection,
>>                                                 threshold: interval, is_orig: bool)
>>         {
>>         local message = fmt("%s:%s -> %s:%s remained alive for longer than %s",
>>                             c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
>>                             threshold);
>>
>>         NOTICE([$note=LongConnection::found,
>>                 $msg=message,
>>                 $sub=fmt("%.2f", threshold),
>>                 $conn=c]);
>>         }
>>
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
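As an added example (not code from this thread, from Corelight's package, or from Zeek itself), the script below builds on the same ConnThreshold API Petr's PoC uses and takes it one step further: instead of reporting a connection once when it passes 12 hours, it re-arms the threshold at a multiple of the one just crossed, so a session still alive at 24, 48, ... hours is reported again, and it sets the notice's $identifier so duplicates for the same 4-tuple and threshold are suppressed by the Notice framework. The module name and the `initial_duration`, `escalation` and `max_duration` constants are my own choices. Like Petr's PoC, it relies on the duration comparison in Zeek's thresholding code being correct, i.e. on a build that includes the fix Jon references. One caveat from the ConnThreshold documentation worth keeping in mind: duration_threshold_crossed is raised when the next packet is seen after the threshold has been crossed, not at the exact moment, so an idle connection is reported late.

```zeek
##! Added example: escalating long-connection notices on top of the
##! ConnThreshold framework. Each time a connection crosses the current
##! duration threshold a notice is raised and the threshold is re-armed
##! at a multiple of the one just crossed (12h, 24h, 48h, ...).

@load base/frameworks/notice
@load base/protocols/conn

module LongConnection;

export {
	redef enum Notice::Type += {
		## A connection has stayed established past a duration threshold.
		LongConnection::found
	};

	## First duration at which a connection is reported (assumed default).
	const initial_duration: interval = 12hr &redef;

	## Factor applied to pick the next threshold after one is crossed.
	## Keep it > 1.0; a factor of 1.0 would re-arm the same threshold and
	## fire on every subsequent packet.
	const escalation: double = 2.0 &redef;

	## Stop re-arming once the next threshold would exceed this bound.
	const max_duration: interval = 7days &redef;
}

# connection_established fires once per completed TCP handshake, so this
# covers TCP only; UDP flows would need new_connection or udp_request.
event connection_established(c: connection)
	{
	ConnThreshold::set_duration_threshold(c, initial_duration);
	}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	# Other scripts may arm their own duration thresholds on the same
	# connection; ignore anything below the first one this script sets.
	if ( threshold < initial_duration )
		return;

	NOTICE([$note=LongConnection::found,
	        $msg=fmt("%s:%s -> %s:%s remained alive for longer than %s",
	                 c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, threshold),
	        $sub=fmt("%s", threshold),
	        $conn=c,
	        # Same 4-tuple and same threshold -> suppressed as a duplicate
	        # for Notice::default_suppression_interval.
	        $identifier=cat(c$id, threshold)]);

	# Re-arm at the next step so the connection is reported again if it
	# is still alive later, up to max_duration.
	local next = threshold * escalation;
	if ( next <= max_duration )
		ConnThreshold::set_duration_threshold(c, next);
	}
```

Load it alongside the default scripts (for example via local.zeek) and lower initial_duration to a few seconds against a pcap or a live interface to see the first notice and the re-armed follow-ups in notice.log. Because the event only fires on the next packet after a threshold is passed, a connection that goes silent right after establishment will not produce a notice until traffic resumes or it is eventually flushed.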
