[Zeek] Long running connection using threshold

Petr Medonos petr.medonos at etnetera.cz
Tue Mar 31 12:23:39 PDT 2020


Hi,
I tried to write a simple script to detect long-running connections using
the zeek (3.0) threshold. I set the duration in the connection_established event and
then, using duration_threshold_crossed, logged connections above the limit.
But the Notice log is then flooded with every new established connection.
Simple PoC below. Did I miss something? Is there any better way to
detect long-running connections? I tried Corelight bro-long-connections
but there is a lot of overhead in my environment. Thanks for pointing me the
right way!


--
Petr


PoC:

@load base/protocols/conn

module LongConnection;

export {
        redef enum Log::ID += { LOG };

        redef enum Notice::Type += {
                LongConnection::found
        };

        # Connections alive longer than this are reported.
        const duration: interval = 12hr &redef;
}

event connection_established(c: connection)
        {
        # Arm the duration threshold as soon as the handshake completes.
        ConnThreshold::set_duration_threshold(c, duration);
        }

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
        {
        # Zeek string literals cannot span lines, so the format string is kept on one line.
        local message = fmt("%s:%s -> %s:%s remained alive for longer than %s",
                            c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, threshold);

        NOTICE([$note=LongConnection::found,
                $msg=message,
                $sub=fmt("%.2f", threshold),
                $conn=c]);
        }
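An added example, not Petr's script or Zeek's own code, showing the same threshold approach hardened against notice flooding: it checks c$duration before reporting, dedupes at the notice layer with the notice framework's $identifier/$suppress_for fields, and re-arms a higher threshold so a connection that stays open is re-reported periodically rather than once. The module name, notice type and the two tunables are assumptions.

```zeek
@load base/frameworks/notice
@load base/protocols/conn

# Hypothetical module name; not part of Zeek or the original post.
module LongConnDemo;

export {
        redef enum Notice::Type += { LongConnDemo::Found };

        # First duration at which a connection is reported (assumed value).
        const first_threshold: interval = 12hr &redef;
        # How often an already-reported connection is reported again (assumed value).
        const repeat_every: interval = 6hr &redef;
}

event connection_established(c: connection)
        {
        ConnThreshold::set_duration_threshold(c, first_threshold);
        }

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
        {
        # Guard: only report when the connection really has been alive at least
        # as long as the threshold we asked for, whatever raised the event.
        if ( c$duration < threshold )
                return;

        NOTICE([$note=LongConnDemo::Found,
                $msg=fmt("%s:%s -> %s:%s alive for %s (threshold %s)",
                         c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                         c$duration, threshold),
                $sub=fmt("%.2f", threshold),
                $conn=c,
                # Dedupe: the same 4-tuple reaches notice.log at most once per repeat_every.
                $identifier=cat(c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p),
                $suppress_for=repeat_every]);

        # Re-arm a higher threshold so very long connections are reported again
        # periodically instead of only the first time.
        ConnThreshold::set_duration_threshold(c, threshold + repeat_every);
        }
```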

