Skip to content
A Bro package to identify connections that are bursting (lots of data and transferring quickly).
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Connection Burst Identification

This package identifies "bursting connections" which are considered to be connections which transfer a large amount of data quickly. Once a bursty connection is identified it is no longer watched for being bursty.

When a bursty connection is identified, the event ConnBurst::detected is generated and a log is written to a log stream named conn_burst.


bro-pkg refresh
bro-pkg install bro/corelight/conn-burst


There are a couple of configuration options that might have an impact on analysis and detection.

ConnBurst::speed_threshold - This is a double value defined in Mbps and it means that you consider a bursty connection on your network to be one that is transferring data faster than this rate. The default speed threshold is 50Mbps.

ConnBurst::size_threshold - This is a double value defined in MB and it means that you'd like a minimum of this much traffic transferred before the transfer rate of the connection is tested. This avoids identifying a small connection that happens to tranfer data quickly as bursty since it's likely that a small and fast connection doesn't really matter that much to your analysis. The default size threshold is 100MB.


When a connection burst is detected, it will generate the following event. You can copy and paste this into your script if you want to do something based on a connection bursting.

event ConnBurst::detected(c: connection, rate_in_mbps: double)
	# Do something here!


Thanks to Robin Sommer for the initial discussion on how to approach this problem efficiently. Also, thanks to Aashish Sharma and Keith Lehigh for prerelease testing and fixing a few bugs!


You can’t perform that action at this time.