Add an example of a GridFTP data channel detection script.

It relies on the heuristics of GridFTP data channels commonly default to SSL mutual authentication with a NULL bulk cipher and that they usually transfer large datasets (default threshold of script is 1 GB). The script also defaults to skip_further_processing() after detection to try to save cycles analyzing the large, benign connection. Also added a script in base/protocols/conn/polling that generalizes the process of polling a connection for interesting features. The GridFTP data channel detection script depends on it to monitor bytes transferred.
2025-10-09 18:18:19 +00:00 · 2012-10-01 12:32:24 -05:00 · 2012-10-01 12:32:24 -05:00 · 68aead024a
commit 68aead024a
parent 474ab86b9c
9 changed files with 182 additions and 0 deletions
--- a/scripts/base/protocols/conn/load.bro
+++ b/scripts/base/protocols/conn/load.bro
@ -1,3 +1,4 @@
@load ./main
@load ./contents
@load ./inactivity
+@load ./polling
--- a/scripts/base/protocols/conn/polling.bro
+++ b/scripts/base/protocols/conn/polling.bro
@ -0,0 +1,51 @@
+##! Implements a generic way to poll connections looking for certain features
+##! (e.g. monitor bytes transferred).  The specific feature of a connection
+##! to look for, the polling interval, and the code to execute if the feature
+##! is found are all controlled by user-defined callback functions.
+
+module ConnPolling;
+
+export {
+	## Starts monitoring a given connection.
+	##
+	## c: The connection to watch.
+	##
+	## callback: A callback function that takes as arguments the monitored
+	##           *connection*, and counter *cnt* that increments each time the
+	##           callback is called.  It returns an interval indicating how long
+	##           in the future to schedule an event which will call the
+	##           callback.  A negative return interval causes polling to stop.
+	##
+	## cnt: The initial value of a counter which gets passed to *callback*.
+	##
+	## i: The initial interval at which to schedule the next callback.
+	##    May be ``0secs`` to poll right away.
+	global watch: function(
+	                c: connection,
+	                callback: function(c: connection, cnt: count): interval,
+	                cnt: count,
+	                i: interval);
+}
+
+event ConnPolling::check(
+  c: connection,
+  callback: function(c: connection, cnt: count): interval,
+  cnt: count)
+	{
+	if ( ! connection_exists(c$id) ) return;
+
+	lookup_connection(c$id); # updates the conn val
+
+	local next_interval = callback(c, cnt);
+	if ( next_interval < 0secs ) return;
+	watch(c, callback, cnt + 1, next_interval);
+	}
+
+function watch(
+  c: connection,
+  callback: function(c: connection, cnt: count): interval,
+  cnt: count,
+  i: interval)
+	{
+	schedule i { ConnPolling::check(c, callback, cnt) };
+	}