I'm currently trying to develop a script for a project scenario and I would like to
know if there are some more efficient approaches and/or solutions for the current
The main task is defined as logging all connections and connection attempts occurring after
a certain time of day.
At the moment I'm using the functions provided by the script located in
base/protocols/conn/main.bro and the following events:
- content_gap // not sure about this one
Now I got stuck with a few questions:
1. Are those events enough to track every connection being established after a certain
time of day? Or do I need additional events?
2. Why does the ../conn/main.bro script fill the c$conn attributes from Conn::Info
(function set_conn()), if Bro provides them automatically after an event is removed from
3. If I do include other scripts (e.g. base/protocols/dns), why are the records still
missing in a connection object provided by the connection_state_remove() event?
I think it makes sense if there is a DNS event and the SSL record is missing, but even if
it's a DNS event, there is still no DNS record with additional data about the connection.
Am I missing something? Do I have to them by myself by using Bro functions?
4. Is it possible to determine how much data was transferred by a specific connection while
it is still kept in memory? As an example: a connection was seen at a certain time and
finished 10 seconds later. Is it possible to determine the sent bytes or protocol 5
seconds after initiation?
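As an added example (not code from the original post or from the Bro project), the script below shows one way to approach questions 1, 2 and 4 above: it relies on `new_connection` (which fires for every attempt, answered or not) and `connection_state_remove`, reads the `c$conn` record that base/protocols/conn/main.bro fills in via `set_conn()` before the handler here runs, and schedules a look at the live byte counters while the connection is still in memory. The module name `AfterHours`, the `start_hour` and `probe_delay` constants, the log path, and the use of the sensor's local timezone for the hour comparison are all assumptions of this example; it is written against the Bro 2.x script API.

```bro
# Added example (not from the original post): log connections that start at or
# after a configurable hour of the day, using connection_state_remove and the
# c$conn record that base/protocols/conn/main.bro populates.
# Assumptions: Bro 2.x, the conn base script is loaded, and strftime() reports
# the sensor's local time, so "hour" is interpreted in that timezone.

@load base/protocols/conn

module AfterHours;

export {
    redef enum Log::ID += { LOG };

    ## Connections whose first packet arrives at or after this hour (0-23)
    ## are logged. Assumed value; adjust for the scenario.
    const start_hour: count = 18 &redef;

    ## Delay after a connection starts at which we inspect the live
    ## byte counters (question 4 in the post). Assumed value.
    const probe_delay: interval = 5sec &redef;

    type Info: record {
        ts:          time            &log;
        uid:         string          &log;
        id:          conn_id         &log;
        proto:       transport_proto &log;
        service:     string          &log &optional;
        conn_state:  string          &log &optional;
        duration:    interval        &log &optional;
        orig_bytes:  count           &log &optional;
        resp_bytes:  count           &log &optional;
    };
}

# Hour of the day (0-23) at which a connection began.
function hour_of(t: time): count
    {
    return to_count(strftime("%H", t));
    }

event bro_init()
    {
    Log::create_stream(AfterHours::LOG, [$columns=Info, $path="after_hours"]);
    }

# Runs while the connection is still in memory: c$orig$size and c$resp$size
# hold the payload bytes seen so far and c$duration the time elapsed so far.
event probe_live_conn(id: conn_id)
    {
    if ( ! connection_exists(id) )
        return;

    local c = lookup_connection(id);
    print fmt("%s after %s: orig=%d resp=%d bytes, proto=%s",
              c$uid, c$duration, c$orig$size, c$resp$size,
              get_port_transport_proto(id$resp_p));
    }

event new_connection(c: connection)
    {
    # new_connection fires for every attempt, completed or not, so this also
    # covers connection attempts that never receive a response.
    if ( hour_of(c$start_time) >= start_hour )
        schedule probe_delay { probe_live_conn(c$id) };
    }

# The conn script's handler runs at priority 5, so by the time this default
# priority 0 handler runs, set_conn() has already filled in c$conn.
event connection_state_remove(c: connection)
    {
    if ( hour_of(c$start_time) < start_hour )
        return;

    local rec: Info = [$ts=c$start_time, $uid=c$uid, $id=c$id, $proto=c$conn$proto];

    # These Conn::Info fields are &optional, so test before copying them.
    if ( c$conn?$service )    rec$service    = c$conn$service;
    if ( c$conn?$conn_state ) rec$conn_state = c$conn$conn_state;
    if ( c$conn?$duration )   rec$duration   = c$conn$duration;
    if ( c$conn?$orig_bytes ) rec$orig_bytes = c$conn$orig_bytes;
    if ( c$conn?$resp_bytes ) rec$resp_bytes = c$conn$resp_bytes;

    Log::write(AfterHours::LOG, rec);
    }
```

The script is loaded like any site script (`bro -r trace.pcap after_hours.bro`, or via local.bro) and writes after_hours.log beside conn.log. Note that `c$orig$size` and `c$resp$size` count payload bytes seen at the moment the scheduled event fires, which is the "5 seconds after initiation" view asked about in question 4, whereas `c$conn$orig_bytes` in `connection_state_remove` is the final value after the connection has been removed from memory.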