From df6a1800233721b78c8ca8c5ac720a5cea8390cf Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 28 Mar 2012 15:52:20 -0400
Subject: [PATCH] Some scripts for collecting connection stats and "app" stats.
- App stats are considered stats for applications on the internet. Services like facebook, youtube, etc.
---
 scripts/policy/misc/app-metrics.bro | 75 +++++++++++++++++++++++
 scripts/policy/protocols/conn/metrics.bro | 21 +++++++
 2 files changed, 96 insertions(+)
 create mode 100644 scripts/policy/misc/app-metrics.bro
 create mode 100644 scripts/policy/protocols/conn/metrics.bro
diff --git a/scripts/policy/misc/app-metrics.bro b/scripts/policy/misc/app-metrics.bro
new file mode 100644
index 0000000000..40b8264233
--- /dev/null
+++ b/scripts/policy/misc/app-metrics.bro
@@ -0,0 +1,75 @@
+@load base/protocols/http
+@load base/protocols/ssl
+
+@load base/frameworks/metrics
+
+module AppMetrics;
+
+event bro_init() &priority=3
+ {
+ Metrics::add_filter("apps.bytes", [$break_interval=1hr]);
+ Metrics::add_filter("apps.views", [$break_interval=1hr]);
+ Metrics::add_filter("apps.users", [$break_interval=1hr]);
+ }
+
+function do_metric(id: conn_id, hostname: string, size: count)
+ {
+ if ( /youtube/ in hostname && size > 512*1024 )
+ {
+ Metrics::add_data("apps.bytes", [$str="youtube"], size);
+ Metrics::add_data("apps.views", [$str="youtube"], 1);
+ Metrics::add_unique("apps.users", [$str="youtube"], cat(id$orig_h));
+ }
+ else if ( /facebook.com|fbcdn.net/ in hostname && size > 20 )
+ {
+ Metrics::add_data("apps.bytes", [$str="facebook"], size);
+ Metrics::add_data("apps.views", [$str="facebook"], 1);
+ Metrics::add_unique("apps.users", [$str="facebook"], cat(id$orig_h));
+ }
+ else if ( /google.com/ in hostname && size > 20 )
+ {
+ Metrics::add_data("apps.bytes", [$str="google"], size);
+ Metrics::add_data("apps.views", [$str="google"], 1);
+ Metrics::add_unique("apps.users", [$str="google"], cat(id$orig_h));
+ }
+ else if ( /nflximg.com/ in hostname && size > 200*1024 )
+ {
+ Metrics::add_data("apps.bytes", [$str="netflix"], size);
+ Metrics::add_data("apps.views", [$str="netflix"], 1);
+ Metrics::add_unique("apps.users", [$str="netflix"], cat(id$orig_h));
+ }
+ else if ( /pandora.com/ in hostname && size > 512*1024 )
+ {
+ Metrics::add_data("apps.bytes", [$str="pandora"], size);
+ Metrics::add_data("apps.views", [$str="pandora"], 1);
+ Metrics::add_unique("apps.users", [$str="pandora"], cat(id$orig_h));
+ }
+ else if ( /gmail.com/ in hostname && size > 20 )
+ {
+ Metrics::add_data("apps.bytes", [$str="gmail"], size);
+ Metrics::add_data("apps.views", [$str="gmail"], 1);
+ Metrics::add_unique("apps.users", [$str="gmail"], cat(id$orig_h));
+ }
+}
+
+redef record connection += {
+ resp_hostname: string &optional;
+};
+
+event 
ssl_established(c: connection)
+ {
+ if ( c?$ssl && c$ssl?$server_name )
+ c$resp_hostname = c$ssl$server_name;
+ }
+
+event connection_finished(c: connection)
+ {
+ if ( c?$resp_hostname )
+ do_metric(c$id, c$resp_hostname, c$resp$num_bytes_ip);
+ }
+
+event HTTP::log_http(rec: HTTP::Info)
+ {
+ if( rec?$host )
+ do_metric(rec$id, rec$host, rec$response_body_len);
+ }
diff --git a/scripts/policy/protocols/conn/metrics.bro b/scripts/policy/protocols/conn/metrics.bro
new file mode 100644
index 0000000000..910ae4aa6e
--- /dev/null
+++ b/scripts/policy/protocols/conn/metrics.bro
@@ -0,0 +1,21 @@
+@load base/frameworks/metrics
+
+event bro_init() &priority=3
+ {
+ Metrics::add_filter("conns.country", [$break_interval=1hr]);
+ Metrics::add_filter("hosts.active", [$break_interval=1hr]);
+ }
+
+event connection_established(c: connection) &priority=3
+ {
+ if ( Site::is_local_addr(c$id$orig_h) )
+ {
+ local loc = lookup_location(c$id$resp_h);
+ if ( loc?$country_code )
+ Metrics::add_data("conns.country", [$str=loc$country_code], 1);
+ }
+
+ local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h;
+ # There is no index for this.
+ Metrics::add_unique("hosts.active", [], cat(the_host));
+ }
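Review bot: The hostname patterns in do_metric are unanchored substring matches with unescaped dots, applied to values the client chooses (the HTTP Host header via rec$host and the TLS SNI via c$ssl$server_name), so a host such as `google.com.attacker.example`, `notyoutube.example` or `googleXcom` is attributed to those apps and pollutes apps.views and apps.users; anchor each pattern to the registered domain, escape the dots, and lower-case the hostname first since the pattern match is presumably case-sensitive (strip any `:port` suffix from the Host header as well if that can occur). Note that /youtube/ currently matches any hostname containing that word, so narrowing it to `youtube\.com` is a deliberate coverage change to confirm, and the else-if order means any `*.google.com` host is counted as google before the gmail branch is reached. connection_finished passes c$resp$num_bytes_ip unguarded; if that field is &optional in this Bro version (populated only by the connection-size analyzer), reading it on a connection without it is a runtime error, so `if ( c?$resp_hostname && c$resp?$num_bytes_ip )` is the safer condition. do_metric is fully inside this hunk, which begins on the previous line.
```bro
function do_metric(id: conn_id, hostname: string, size: count)
	{
	local h = to_lower(hostname);
	if ( /(^|\.)youtube\.com$/ in h && size > 512*1024 )
		{
		# … unchanged: youtube counters …
		}
	else if ( /(^|\.)(facebook\.com|fbcdn\.net)$/ in h && size > 20 )
		{
		# … unchanged: facebook counters …
		}
	else if ( /(^|\.)google\.com$/ in h && size > 20 )
		{
		# … unchanged: google counters …
		}
	else if ( /(^|\.)nflximg\.com$/ in h && size > 200*1024 )
		{
		# … unchanged: netflix counters …
		}
	else if ( /(^|\.)pandora\.com$/ in h && size > 512*1024 )
		{
		# … unchanged: pandora counters …
		}
	else if ( /(^|\.)gmail\.com$/ in h && size > 20 )
		{
		# … unchanged: gmail counters …
		}
	}
```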
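Review bot: The hosts.active tally at the end of connection_established falls back to c$id$resp_h whenever the originator is not local, so on a sensor that sees traffic between two non-local addresses (a transit link, or Site::local_nets left empty) every remote responder is counted as an active host; count only addresses that are actually local, e.g. `if ( Site::is_local_addr(the_host) ) Metrics::add_unique("hosts.active", [], cat(the_host));`. Site::is_local_addr(c$id$orig_h) is evaluated twice in the body; hoisting it into one `local orig_is_local = Site::is_local_addr(c$id$orig_h);` keeps the country branch and the host selection consistent and reads better. lookup_location runs for every outbound established connection, which the `loc?$country_code` guard presumably tolerates on a build without GeoIP support, but a one-line comment saying that conns.country stays empty in that case would save the next reader a puzzle.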