
corelight / zeek-long-connections


Zeek package for tracking long connections to report them before they have completed.

License: BSD 3-Clause "New" or "Revised" License

Languages: Zeek 80.67%, Makefile 0.31%, Shell 19.02%

zeek-long-connections's People

Contributors

awelzel, bv3, fullmetalcache, j0ej0h, justinazoff, mohan-dhawan, sethhall, swedishmike

zeek-long-connections's Issues

[FEATURE REQUEST] Add ability to fire notices only for specific subnets

In order to weed out the noise of enabling notices for all long connections and focus in on the high priority/sensitivity networks where long connections may be a big red flag, having the ability to only enable notices for specific subnets would be an amazing feature to add to this already great bro package. Thank you!
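One way to get the behaviour asked for above without changing the package, as an added example that is neither the package's code nor part of the request: a site script hooking Notice::policy so that LongConnection::found notices are kept only when one endpoint is inside a watched subnet, and dropped otherwise before any action (log, email, alarm) is attached. The module name, the subnet values and the assumption that the package raises its notice as LongConnection::found are this example's own; the conn_long log itself is not affected, only the notices.

```zeek
##! Added example, not the package's code: suppress LongConnection::found
##! notices unless the connection touches a watched subnet.

@load base/frameworks/notice
@load packages   # assumption: the package is zkg-installed, so LongConnection::found is defined

module LongConnSubnetFilter;   # hypothetical module name for this example

export {
	## Networks where a long-lived connection deserves a notice.
	## Example values; override with redef in local.zeek.
	const notice_subnets: set[subnet] = { 10.10.0.0/16, 192.168.50.0/24 } &redef;
}

## True when either endpoint of the connection lies in a watched subnet.
## "addr in set[subnet]" does a longest-prefix match in Zeek.
function touches_watched_subnet(id: conn_id): bool
	{
	return id$orig_h in notice_subnets || id$resp_h in notice_subnets;
	}

## Runs ahead of the notice framework's own default handler (priority 10),
## which is what attaches ACTION_LOG.  A "break" here ends hook processing
## with no actions attached, so the notice is silently dropped.  Notices of
## any other type are left untouched.
hook Notice::policy(n: Notice::Info) &priority=20
	{
	if ( n$note != LongConnection::found )
		return;

	if ( n?$id && touches_watched_subnet(n$id) )
		return;

	break;
	}
```

Load it from local.zeek after the package and adjust notice_subnets with a redef; because the filter acts only on the notice, the conn_long log still records every long connection for later review.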

No conn_long entries for idle connections

When configuring this package with:

redef LongConnection::default_durations=LongConnection::Durations(5sec);
redef LongConnection::repeat_last_duration = T;

The initial expectation was that a hanging nc -4 localhost 8080 connected to an nc -l -p 8080 would produce conn_long entries 5 seconds after connection establishment, repeating every 5 seconds in conn_long until Zeek times out the connection due to inactivity.

However, because no packets are flowing for the connection, its c$duration field is not updated, and so not a single conn_long entry is created for it, just one conn.log entry with "duration": 0.00007796287536621094.

Wonder if the callback should compute "an assumed duration" of the connection at the time of the callback instead of relying on c$duration that may be stale, or whether that's just a corner-case that doesn't matter.

local duration = network_time() - c$start_time;

Actual Durations Far Exceed Thresholds

Current Behavior

In looking at the notice.log file, I observed that the time shown in "...remained alive for longer than ..." seemed to far exceed the duration thresholds that I was setting. In some cases, the actual duration was almost double the threshold.

My theory is that there is a quirk with the polling times that causes the initial duration to be exceeded. After that, subsequent duration values are exceeded because the next polling time is set to the next duration in the list. This means if I set duration thresholds of 1min, 2min, 3min, then the following will be the actual alerting times:

alert1_time > 1min
alert2_time > alert1_time + 2min
alert3_time > alert2_time + 3min

So in this example, alert3_time won't occur until at least 5 minutes later for a given connection rather than occurring after 3 minutes. If you have duration thresholds in the hours or days, you can see where this might cause some issues.

Desired Behavior

The actual duration of the connections should be close to the thresholds that are set.

I have a simple, suggested fix that seems to address this issue. A quick eyeballing of "top" output shows it doesn't appear to increase system demand from zeek. I will issue a pull request in just a moment.
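Both of the preceding issues, the idle connection that never gets a duration and the thresholds that drift apart, come from how the check callback measures and schedules. The following is an added example, not the package's code and not the fix the reporter submitted: a minimal tracker that computes elapsed time as network_time() - c$start_time (so an idle connection keeps accruing duration even though c$duration only advances on packets) and arms each check at the absolute deadline c$start_time + threshold rather than "threshold" seconds after the previous check fired, so with thresholds of 1min, 2min and 3min the third report lands near 3 minutes instead of 6. The module name, event names and threshold values are assumptions made for this example.

```zeek
##! Added example, not the package's code: long-connection checks anchored
##! to the connection's start time instead of to the previous check.

module LongConnExample;   # hypothetical module name for this example

export {
	## Thresholds in ascending order (example values, not the package defaults).
	const thresholds: vector of interval = vector(1min, 2min, 3min) &redef;

	## Raised each time a still-open connection crosses one of the thresholds.
	global threshold_crossed: event(c: connection, threshold: interval, elapsed: interval);

	## Timer event; declared so it can be used with "schedule".
	global check: event(c: connection, idx: count);
}

## Elapsed time measured from the connection's first packet.  Unlike
## c$duration this keeps growing while the connection is idle.
function elapsed_since_start(c: connection): interval
	{
	return network_time() - c$start_time;
	}

## Arm the check for thresholds[idx] at the absolute deadline
## c$start_time + thresholds[idx] (clamped to "now" if already past),
## so a late-firing earlier check does not push the later ones out.
function schedule_check(c: connection, idx: count)
	{
	local wait = (c$start_time + thresholds[idx]) - network_time();
	if ( wait < 0sec )
		wait = 0sec;
	schedule wait { LongConnExample::check(c, idx) };
	}

event LongConnExample::check(c: connection, idx: count)
	{
	# The scheduled event holds a reference to c.  Stop once Zeek has removed
	# the connection (e.g. inactivity timeout) so the timer chain ends with it
	# instead of keeping dead connection records alive.
	if ( ! connection_exists(c$id) )
		return;

	local elapsed = elapsed_since_start(c);

	# Re-arm rather than report if the deadline has not actually been reached.
	if ( elapsed < thresholds[idx] )
		{
		schedule_check(c, idx);
		return;
		}

	event LongConnExample::threshold_crossed(c, thresholds[idx], elapsed);

	if ( idx + 1 < |thresholds| )
		schedule_check(c, idx + 1);
	}

event new_connection(c: connection)
	{
	if ( |thresholds| > 0 )
		schedule_check(c, 0);
	}

event LongConnExample::threshold_crossed(c: connection, threshold: interval, elapsed: interval)
	{
	print fmt("%s %s:%s -> %s:%s open for %s (threshold %s)",
	          c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          elapsed, threshold);
	}
```

Run it on a trace with zeek -C -r trace.pcap long_conn_example.zeek or on a live interface; the reported elapsed value will sit just above each threshold, and an idle connection is still reported until Zeek expires it. Writing to a conn_long-style log or raising a Notice would hang off threshold_crossed, which is left as a plain print here to keep the scheduling logic in view.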

Possible memory leak

We have noticed that with this script in some environments we are getting a memory leak in bro/zeek.

We have noticed that in some cases, when there are a lot of long/persistent connections, bro/zeek makes our server swap and then crashes.

Test suite fails with v1.3.0

Among other work, #11 removed testing/random.seed. Because of that, the test suite no longer runs.

$ btest -dj
[  0%] tests.defaults ... failed
[ 12%] tests.different_durations ... failed
[ 25%] tests.different_durations_2 ... failed
[ 37%] tests.different_durations_dont_repeat ... failed
[ 50%] tests.special_durations ... failed
  % 'zeek -C -r $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.defaults/defaults.zeek' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


[ 62%] tests.event ... failed
[ 75%] tests.different_durations_no_repeat ... failed
  % 'zeek -C -r $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.different_durations/different_durations.zeek' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


  % 'zeek -C -r $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.different_durations_2/different_durations_2.zeek' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


  % 'zeek -C -r $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.different_durations_dont_repeat/different_durations_dont_repeat.zeek' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


[ 87%] tests.different_durations_no_notice ... failed
  % 'zeek -C -r $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.different_durations_no_notice/different_durations_no_notice.zeek' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


  % 'zeek -C -r $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.different_durations_no_repeat/different_durations_no_repeat.zeek' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


  % 'zeek -Cr $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.event/event.zeek > output' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


  % 'zeek -C -r $TRACES/long_connection.pcap ../../../scripts /private/tmp/zeek-long-connections/testing/.tmp/tests.special_durations/special_durations.zeek' failed unexpectedly (exit code 1)
  % cat .stderr
  fatal error: Could not load seeds from file '/private/tmp/zeek-long-connections/testing/random.seed'.


8 of 8 tests failed

This also means, e.g., that v1.3.0 cannot be installed with zkg unless --skiptests is given.

If I copy, e.g., the random.seed from Zeek's share/btest/data/random.seed to testing/random.seed, the test suite passes again.
