[Bro-Dev] timer delays between different events for same connection
So I am seeing some weird stuff in my sample pcap of scanners. May be too obvious and I am just not seeing the why/how of it. Here is the issue (I have time in human format for easier reading):

So I just pick one session from conn.log, and this is the connection in question (there are many more like this):

    $ fgrep CspAa42NoEGEaXK4ci conn.log | cf
    Apr 12 05:37:42 CspAa42NoEGEaXK4ci 191.254.157.138 45107 128.3.97.204 23 tcp - - - - S0 F T 0 S 1 40 0 0 -

Now as part of debugging I have dumped network_time for the various events which process this connection:

    Apr 12 05:37:42 new_connection CspAa42NoEGEaXK4ci
    Apr 12 06:13:48 connection_attempt CspAa42NoEGEaXK4ci
    Apr 12 06:13:48 connection_state_remove CspAa42NoEGEaXK4ci

Now my understanding is that there are various timers involved, upon whose expiration Bro infers events such as connection_attempt, connection_reset, etc.: timers such as tcp_attempt_delay, tcp_SYN_timeout and tcp_close_delay, amongst others. But all these timers are generally 5 seconds.

Q. Why would the connection_attempt event kick in after 36 minutes and 6 seconds (06:13:48 - 05:37:42)?

I have a pcap to share if anyone is interested and wants to replicate this on their end.

Aashish

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
Re: [Bro-Dev] Overload Bro Events
On Thu, Apr 12, 2018 at 14:44 -0500, you wrote:

> > event overload%(c: connection%);
> > event overload%(c: connection, h: header%);
> > event overload%(c: connection, h: header, d: data%);
>
> Overloading is not supported for functions in general (function/event/hook).

This has an interesting implication for BIT-1431: if overloading worked, that could take the place of the attribute suggested there.

Robin

--
Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin
Re: [Bro-Dev] Overload Bro Events
On 4/12/18 2:23 PM, DW wrote:

> Hello,
>
> Is it possible to overload events in Bro based on the event parameters
> and trigger the "right" event based on the given parameters?
>
> E.g. I would define events like this:
>
> event overload%(c: connection%);
> event overload%(c: connection, h: header%);
> event overload%(c: connection, h: header, d: data%);

Overloading is not supported for functions in general (function/event/hook).

- Jon
[Bro-Dev] Overload Bro Events
Hello,

Is it possible to overload events in Bro based on the event parameters and trigger the "right" event based on the given parameters?

E.g. I would define events like this:

    event overload%(c: connection%);
    event overload%(c: connection, h: header%);
    event overload%(c: connection, h: header, d: data%);
    ...

In the protocol parser source:

    ...
    EventHandlerPtr ev = overload;
    val_list* vl = new val_list();

    switch ( type ) {
    case 1:
        vl->append(BuildConnVal());
        break;  // without the breaks, the cases fall through and append duplicate values
    case 2:
        vl->append(BuildConnVal());
        vl->append(header);
        break;
    case 3:
        vl->append(BuildConnVal());
        vl->append(header);
        vl->append(data);
        break;
    }

    ConnectionEvent(ev, vl);
    ...

Dane
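As an added example that is not part of the thread and not Bro's own code: since neither functions nor events can be overloaded, the workaround that fits the parser dispatch above is one distinctly named event per signature, with the script side funnelling all three into a single function. The record types MyHeader and MyData, the my_proto_* event names and the Parsed record are assumptions standing in for the header and data types in Dane's parser, which the thread does not show.

```bro
# Added example, not from the thread. MyHeader, MyData, Parsed and the
# my_proto_* names are assumptions. Bro does not overload events, so each
# signature gets its own name. Declare the events in exactly one place: if
# the analyzer raises them from C++, put these three lines in the .bif
#   event my_proto_conn%(c: connection%);
#   event my_proto_header%(c: connection, h: MyHeader%);
#   event my_proto_data%(c: connection, h: MyHeader, d: MyData%);
# instead of the script-level declarations below.

type MyHeader: record {
    id: count;
    flags: count &default=0;
};

type MyData: record {
    payload: string;
};

global my_proto_conn: event(c: connection);
global my_proto_header: event(c: connection, h: MyHeader);
global my_proto_data: event(c: connection, h: MyHeader, d: MyData);

# Optional arguments are expressed as &optional fields of one record, since
# function parameters cannot be optional either.
type Parsed: record {
    hdr: MyHeader &optional;
    data: MyData &optional;
};

# Single code path for all three event signatures.
function handle_my_proto(c: connection, p: Parsed)
    {
    local msg = fmt("%s %s", c$uid, id_string(c$id));

    if ( p?$hdr )
        msg = fmt("%s id=%d flags=%d", msg, p$hdr$id, p$hdr$flags);

    if ( p?$data )
        msg = fmt("%s len=%d", msg, |p$data$payload|);

    print msg;
    }

event my_proto_conn(c: connection)
    {
    local p: Parsed;
    handle_my_proto(c, p);
    }

event my_proto_header(c: connection, h: MyHeader)
    {
    handle_my_proto(c, [$hdr=h]);
    }

event my_proto_data(c: connection, h: MyHeader, d: MyData)
    {
    handle_my_proto(c, [$hdr=h, $data=d]);
    }
```

The C++ side then selects the handler by name (my_proto_conn, my_proto_header or my_proto_data) in the same switch on the parsed type, rather than reusing one EventHandlerPtr with varying argument lists.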