[Zeek] Long running connection using threshold
Petr Medonos
petr.medonos at etnetera.cz
Tue Mar 31 12:23:39 PDT 2020
Hi,
I tried to write a simple script to detect long running connections using
Zeek (3.0) thresholds. I set the duration in the connection_established event and
then, using duration_threshold_crossed, logged connections above the limit.
But the Notice log is then flooded with every new established connection.
Simple PoC below. Did I miss something? Is there any better way to
detect long running connections? I tried Corelight's bro-long-connections
but there is a lot of overhead in my environment. Thanks for pointing me in the
right way!
--
Petr
PoC:

@load base/protocols/conn

module LongConnection;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		LongConnection::found
	};

	const duration: interval = 12hr &redef;
}

event connection_established(c: connection)
	{
	ConnThreshold::set_duration_threshold(c, duration);
	}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	local message = fmt("%s:%s -> %s:%s remained alive for longer than %s",
	                    c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, threshold);

	NOTICE([$note=LongConnection::found,
	        $msg=message,
	        $sub=fmt("%.2f", threshold),
	        $conn=c]);
	}
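An added example, not the poster's PoC and not a Zeek or Corelight script, of the same ConnThreshold-based detection written defensively: the handler re-checks the connection's actual duration before raising the notice, so a threshold event delivered early cannot flood the Notice log, and it sets the notice framework's $identifier so that a second crossing event for the same connection (for example one per direction) is suppressed for the default suppression window. The module name, the Found notice type and the limit tunable are assumptions chosen for this example; the ConnThreshold API is the one used in the post.

```zeek
# Example script (not from the post): long-running connection detection
# with a duration guard and per-connection notice suppression.
@load base/protocols/conn
@load base/frameworks/notice

module LongConnection;

export {
	redef enum Notice::Type += {
		## Raised once per connection that stays established longer
		## than `limit` (assumed name for this example).
		Found
	};

	## Assumed tunable; matches the 12hr limit used in the post.
	const limit: interval = 12hr &redef;
}

event connection_established(c: connection)
	{
	# Ask the core to raise duration_threshold_crossed once the
	# connection has been alive for `limit`.
	ConnThreshold::set_duration_threshold(c, limit);
	}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	# Defensive guard: c$duration is the connection's current lifetime
	# at the time the event is delivered. Only act when it really has
	# reached the threshold, whatever caused the event to fire.
	if ( c$duration < threshold )
		return;

	NOTICE([$note=Found,
	        $msg=fmt("%s:%s -> %s:%s has been established for %s (limit %s)",
	                 c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	                 c$duration, threshold),
	        $sub=c$uid,
	        $conn=c,
	        # Key suppression on the connection uid: a repeated crossing
	        # event for the same connection produces no second notice
	        # within Notice::default_suppression_interval.
	        $identifier=c$uid]);
	}
```

With this in place, a connection that is genuinely 12 hours old produces exactly one LongConnection::Found entry in notice.log; if the event were delivered at connection establishment, c$duration would be near zero and the handler would return without logging anything.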