This package identifies "bursting connections" which are considered to be connections which transfer a large amount of data quickly. Once a bursty connection is identified it is no longer watched for being bursty.
When a bursty connection is identified, the event ConnBurst::detected is
generated and a log is written to a log stream named conn_burst.
bro-pkg refresh
bro-pkg install bro/corelight/conn-burst
There are a couple of configuration options that might have an impact on analysis and detection.
ConnBurst::speed_threshold - This is a double value defined in Mbps and
it means that you consider a bursty connection on your network to be one
that is transferring data faster than this rate. The default speed threshold
is 50Mbps.
ConnBurst::size_threshold - This is a double value defined in MB and it
means that you'd like a minimum of this much traffic transferred before the
transfer rate of the connection is tested. This avoids identifying a small
connection that happens to tranfer data quickly as bursty since it's likely
that a small and fast connection doesn't really matter that much to your
analysis. The default size threshold is 100MB.
When a connection burst is detected, it will generate the following event. You can copy and paste this into your script if you want to do something based on a connection bursting.
event ConnBurst::detected(c: connection, rate_in_mbps: double)
{
# Do something here!
}Thanks to Robin Sommer for the initial discussion on how to approach this problem efficiently. Also, thanks to Aashish Sharma and Keith Lehigh for prerelease testing and fixing a few bugs!
- Seth Hall seth@corelight.com