Hello,
 
I'm currently trying to develop a script for a project scenario and I would like 
to know if there are some more efficient approaches and/or solutions for the 
current problem.
The main task is defined as logging all connections and connection attempts 
occurring after a certain time of day.
At the moment I'm using the functions provided by the script located in 
base/protocols/conn/main.bro and the following events:
- bro_init
- bro_done
- new_connection
- connection_state_remove
- content_gap (not sure about this one)
 
Now I got stuck with a few questions:
1. Are those events enough to track every connection being established after a 
certain time of day? Or do I need additional events?
2. Why does the ../conn/main.bro script fill the c$conn attributes from 
Conn::Info (function set_conn()), if Bro provides them automatically after an 
event is removed from memory?
3. If I do include other scripts (e.g. base/protocols/dns), why are the records 
still missing in a connection object provided by the 
connection_state_remove() event?
I think it makes sense if there is a DNS event and the SSL record is missing, 
but even if it is a DNS event, there is still no DNS record with additional data 
about the connection. Am I missing something? Do I have to add them myself by 
using Bro functions?
4. Is it possible to determine how much data was transferred by a specific 
connection while it is still kept in memory? As an example: a connection was seen 
at a certain time and finished 10 seconds later. Is it possible to determine 
the sent bytes or the protocol 5 seconds after initiation?
 
-- Dominique
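The approach sketched in the post (filter on time of day in new_connection, write a record in connection_state_remove, and sample the live byte counters a few seconds after the first packet), as an added example script that is not part of the original message or of the Bro distribution. It uses the Bro 2.x event names given in the post; the module name AfterHours, the log stream, the start_hour and progress_delay constants and the check_progress event are assumptions made for this example.

```zeek
# Added example, not code from the original post: a stand-alone Bro script that
# logs connections whose first packet was seen at or after a configurable hour
# of the day, using only the events the post lists (bro_init, new_connection,
# connection_state_remove). All names in the AfterHours module are assumptions.
@load base/protocols/conn

module AfterHours;

export {
    ## Hour of the day (0-23, local time of the Bro host) from which to log.
    const start_hour = 22 &redef;

    ## Delay after which the in-progress byte counters are sampled.
    const progress_delay = 5sec &redef;

    redef enum Log::ID += { LOG };

    type Info: record {
        ts:         time    &log;
        uid:        string  &log;
        id:         conn_id &log;
        orig_bytes: count   &log;
        resp_bytes: count   &log;
        service:    string  &log &optional;
    };

    ## Raised progress_delay after a matching connection was first seen.
    global check_progress: event(cid: conn_id);
}

# True when the timestamp falls at or after start_hour (local time).
function after_hours(t: time): bool
{
    return to_count(strftime("%H", t)) >= start_hour;
}

event bro_init()
{
    Log::create_stream(AfterHours::LOG, [$columns=Info]);
}

# new_connection fires on the first packet of every connection, including
# attempts that never complete, so the time-of-day filter is applied here.
event new_connection(c: connection)
{
    if ( ! after_hours(c$start_time) )
        return;

    print fmt("%s: connection attempt from %s at %s", c$uid, c$id$orig_h,
              strftime("%H:%M:%S", c$start_time));

    # Sample the live connection state a few seconds later.
    schedule progress_delay { check_progress(c$id) };
}

# The connection may already be gone when the timer fires, so look it up
# again rather than holding on to the record passed to new_connection.
event check_progress(cid: conn_id)
{
    if ( ! connection_exists(cid) )
        return;

    local c = lookup_connection(cid);
    # c$orig$size and c$resp$size are payload byte counts that Bro updates
    # while the connection is in memory; c$service lists protocols seen so far.
    print fmt("%s: %d bytes sent, %d received, services %s so far",
              c$uid, c$orig$size, c$resp$size, c$service);
}

# Final record, written once Bro removes the connection from its state table.
event connection_state_remove(c: connection)
{
    if ( ! after_hours(c$start_time) )
        return;

    local rec: Info = [$ts=c$start_time, $uid=c$uid, $id=c$id,
                       $orig_bytes=c$orig$size, $resp_bytes=c$resp$size];

    if ( |c$service| > 0 )
        rec$service = join_string_set(c$service, ",");

    Log::write(AfterHours::LOG, rec);
}
```

Run it against a capture with `bro -r <trace.pcap> afterhours.bro` (placeholder file names); matching connections end up in afterhours.log next to conn.log. Note that strftime("%H") uses the timezone of the host running Bro, so start_hour is compared in local time, and that the byte counts seen in check_progress are a snapshot: the values written in connection_state_remove are the final ones.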

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev