is an event (say, a TCP session finishing the normal way) logged? How can
I control this?
Logging occurs whenever your policy script executes a "log" statement,
and it goes out immediately via syslog(). If you're printing using
"print" to a file, then it's block buffered. Adding a flush mechanism
is on the to-do list.
Bro generally strives to generate events as soon as it can, so the policy
script immediately gets a crack at them (and can promptly log if need be).
connection_established is generated when the SYN ack is seen (Bro doesn't
wait for the final ack completing the three-way handshake, because often it
won't ever see it because of use of a SYN/FIN/RST filter). Likewise,
connection_rejected is generated as soon as the RST is seen. However,
connection_attempt is only generated five minutes after the first SYN
is seen, to give the connection time to first become established.
Bro could generate this sooner, or make it tunable, or generate a
connection_first_packet event on the first packet (if the policy
script includes a handler). I'd be interested in hearing from folks
who find they'd like that - it's an easy addition.