[Bro-Dev] timer delays between different events for same connection

2018-04-12 Thread Aashish Sharma

So I am seeing some weird stuff in my sample pcap of scanners. Maybe it is too
obvious and I am just not seeing the why/how of it.

Here is the issue (I have the time in human format for easier reading):

So I just pick one session from conn.log, and this is the connection in
question (there are many more like this):


$ fgrep CspAa42NoEGEaXK4ci conn.log  | cf
Apr 12 05:37:42 CspAa42NoEGEaXK4ci  191.254.157.138 45107   128.3.97.204
23  tcp -   -   -   -   S0  F   T   0   
S   1   40  0   0   -

Now, as part of debugging, I have dumped network_time for the various events
which process this connection:

Apr 12 05:37:42 new_connection  CspAa42NoEGEaXK4ci
Apr 12 06:13:48 connection_attempt  CspAa42NoEGEaXK4ci
Apr 12 06:13:48 connection_state_remove  CspAa42NoEGEaXK4ci


Now my understanding is that there are various timers involved, upon whose
expiration bro infers events such as connection_attempt, connection_reset, etc.
Timers such as tcp_attempt_delay, tcp_SYN_timeout and tcp_close_delay, amongst
others. But all these timers are generally 5 seconds.

Q. Why would the connection_attempt event kick in after 36 minutes and 6 seconds
(06:13:48 - 05:37:42)?

I have a pcap to share if anyone is interested in replicating this on their end.

Aashish 

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


Re: [Bro-Dev] Overload Bro Events

2018-04-12 Thread Robin Sommer


On Thu, Apr 12, 2018 at 14:44 -0500, you wrote:

> > event overload%(c: connection%);
> > event overload%(c: connection, h: header%);
> > event overload%(c: connection, h: header, d: data%);
> 
> Overloading is not supported for functions in general (function/event/hook).

This has an interesting implication for BIT-1431: if overloading worked,
that could take the place of the attribute suggested there.

Robin

-- 
Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin


Re: [Bro-Dev] Overload Bro Events

2018-04-12 Thread Jon Siwek


On 4/12/18 2:23 PM, DW wrote:
> Hello,
> 
> Is it possible to overload events in Bro based on the event parameter
> and trigger the "right" event based on the given parameter?
> 
> E.g. I would define events like this:
> 
> event overload%(c: connection%);
> event overload%(c: connection, h: header%);
> event overload%(c: connection, h: header, d: data%);

Overloading is not supported for functions in general (function/event/hook).

- Jon


[Bro-Dev] Overload Bro Events

2018-04-12 Thread DW
Hello,

Is it possible to overload events in Bro based on the event parameter
and trigger the "right" event based on the given parameter?

E.g. I would define events like this:

event overload%(c: connection%);
event overload%(c: connection, h: header%);
event overload%(c: connection, h: header, d: data%);
...

In the protocol parser source:

...
EventHandlerPtr ev = overload;
val_list* vl = new val_list();

// Each case ends in a break so the argument list handed to the event
// matches the arity selected by `type` (without the break, case 1 would
// fall through and append the case 2 and case 3 values as well).
switch(type) {
     case 1:
         vl->append(BuildConnVal());
         break;
     case 2:
         vl->append(BuildConnVal());
         vl->append(header);
         break;
     case 3:
         vl->append(BuildConnVal());
         vl->append(header);
         vl->append(data);
         break;
}
ConnectionEvent(ev, vl);


Dane

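Since Bro does not overload events by parameter list, the usual workaround is one distinctly named event per signature. The following is an added, stand-alone model of that dispatch (not code from the thread or from Bro's source; the Val/val_list stand-ins, the event names and the `type` values are assumptions), and it also reproduces the fall-through of the original switch to show the argument-count mismatch it would cause.

```cpp
// Added example, not from the thread or from Bro: one event name per
// signature instead of overloading, with a `break` ending every case.
#include <string>
#include <vector>

// Stand-ins for Bro's Val and val_list (assumption: the real analyzer would
// use BuildConnVal() and EventHandlerPtr, which are not modelled here).
using Val = std::string;
using ValList = std::vector<Val>;

struct Dispatch {
    std::string event;  // name of the handler that would be raised
    ValList args;       // arguments handed to ConnectionEvent()
};

// Chooses the event variant for `type` and builds its argument list.
// Returns an empty event name for an unknown type so the caller raises nothing.
Dispatch BuildDispatch(int type, const Val& conn, const Val& header, const Val& data)
{
    Dispatch d;
    switch (type) {
    case 1:  // event overload_conn(c: connection)
        d.event = "overload_conn";
        d.args = {conn};
        break;
    case 2:  // event overload_header(c: connection, h: header)
        d.event = "overload_header";
        d.args = {conn, header};
        break;
    case 3:  // event overload_full(c: connection, h: header, d: data)
        d.event = "overload_full";
        d.args = {conn, header, data};
        break;
    }
    return d;
}

// The fragment in the message had no `break`, so case 1 ran on into cases 2
// and 3. This reproduces that to count the values the event would receive.
size_t FallthroughArgCount(int type)
{
    ValList vl;
    switch (type) {
    case 1: vl.push_back("c"); [[fallthrough]];
    case 2: vl.push_back("c"); vl.push_back("h"); [[fallthrough]];
    case 3: vl.push_back("c"); vl.push_back("h"); vl.push_back("d");
    }
    return vl.size();  // type 1 gives 6 values, not the 1 the handler expects
}
```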