Package: base/protocols/conn

Support for connection (TCP, UDP, or ICMP) analysis.

base/protocols/conn/__load__.bro

base/protocols/conn/main.bro

This script manages the tracking/logging of general information regarding TCP, UDP, and ICMP traffic. For UDP and ICMP, “connections” are to be interpreted using flow semantics (sequence of packets from a source host/port to a destination host/port). Further, ICMP “ports” are to be interpreted as the source port meaning the ICMP message type and the destination port being the ICMP message code.

base/protocols/conn/contents.bro

This script can be used to extract either the originator’s data or the responders data or both. By default nothing is extracted, and in order to actually extract data the c$extract_orig and/or the c$extract_resp variable must be set to T. One way to achieve this would be to handle the connection_established event elsewhere and set the extract_orig and extract_resp options there. However, there may be trouble with the timing due to event queue delay.

Note

This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.

base/protocols/conn/inactivity.bro

Adjust the inactivity timeouts for interactive services which could very possibly have long delays between packets.

base/protocols/conn/polling.bro

Implements a generic way to poll connections looking for certain features (e.g. monitor bytes transferred). The specific feature of a connection to look for, the polling interval, and the code to execute if the feature is found are all controlled by user-defined callback functions.

base/protocols/conn/thresholds.bro

Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.

Table of Contents

    Copyright 2016, The Bro Project. Last updated on December 19, 2018. Created using Sphinx 1.8.2.