Some scripts for collecting connection stats and "app" stats.

- App stats are considered stats for applications on the internet. Services like facebook, youtube, etc.
2025-10-16 13:38:19 +00:00 · 2012-03-28 15:52:20 -04:00 · 2012-03-28 15:52:20 -04:00 · df6a180023
commit df6a180023
parent 47f58e6340
2 changed files with 96 additions and 0 deletions
--- a/scripts/policy/misc/app-metrics.bro
+++ b/scripts/policy/misc/app-metrics.bro
@ -0,0 +1,75 @@
+@load base/protocols/http
+@load base/protocols/ssl
+
+@load base/frameworks/metrics
+
+module AppMetrics;
+
+event bro_init() &priority=3
+	{
+	Metrics::add_filter("apps.bytes", [$break_interval=1hr]);
+	Metrics::add_filter("apps.views", [$break_interval=1hr]);
+	Metrics::add_filter("apps.users", [$break_interval=1hr]);
+	}
+
+function do_metric(id: conn_id, hostname: string, size: count)
+	{
+	if ( /youtube/ in hostname && size > 512*1024 ) 
+		{
+		Metrics::add_data("apps.bytes", [$str="youtube"], size);
+		Metrics::add_data("apps.views", [$str="youtube"], 1);
+		Metrics::add_unique("apps.users", [$str="youtube"], cat(id$orig_h));
+		}
+	else if ( /facebook.com|fbcdn.net/ in hostname && size > 20 )
+		{
+		Metrics::add_data("apps.bytes", [$str="facebook"], size);
+		Metrics::add_data("apps.views", [$str="facebook"], 1);
+		Metrics::add_unique("apps.users", [$str="facebook"], cat(id$orig_h));
+		}
+	else if ( /google.com/ in hostname && size > 20 ) 
+		{
+		Metrics::add_data("apps.bytes", [$str="google"], size);
+		Metrics::add_data("apps.views", [$str="google"], 1);
+		Metrics::add_unique("apps.users", [$str="google"], cat(id$orig_h));
+		}
+	else if ( /nflximg.com/ in hostname && size > 200*1024 ) 
+		{
+		Metrics::add_data("apps.bytes", [$str="netflix"], size);
+		Metrics::add_data("apps.views", [$str="netflix"], 1);
+		Metrics::add_unique("apps.users", [$str="netflix"], cat(id$orig_h));
+		}
+	else if ( /pandora.com/ in hostname && size > 512*1024 )
+		{
+		Metrics::add_data("apps.bytes", [$str="pandora"], size);
+		Metrics::add_data("apps.views", [$str="pandora"], 1);
+		Metrics::add_unique("apps.users", [$str="pandora"], cat(id$orig_h));
+		}
+	else if ( /gmail.com/ in hostname && size > 20 )
+		{
+		Metrics::add_data("apps.bytes", [$str="gmail"], size);
+		Metrics::add_data("apps.views", [$str="gmail"], 1);
+		Metrics::add_unique("apps.users", [$str="gmail"], cat(id$orig_h));
+		}
+}
+
+redef record connection += {
+	resp_hostname: string &optional;
+};
+
+event ssl_established(c: connection)
+	{
+	if ( c?$ssl && c$ssl?$server_name )
+		c$resp_hostname = c$ssl$server_name;
+	}
+
+event connection_finished(c: connection)
+	{
+	if ( c?$resp_hostname )
+		do_metric(c$id, c$resp_hostname, c$resp$num_bytes_ip);
+	}
+
+event HTTP::log_http(rec: HTTP::Info)
+	{
+	if( rec?$host )
+		do_metric(rec$id, rec$host, rec$response_body_len);
+	}
--- a/scripts/policy/protocols/conn/metrics.bro
+++ b/scripts/policy/protocols/conn/metrics.bro
@ -0,0 +1,21 @@
+@load base/frameworks/metrics
+
+event bro_init() &priority=3
+	{
+	Metrics::add_filter("conns.country", [$break_interval=1hr]);
+	Metrics::add_filter("hosts.active", [$break_interval=1hr]);
+	}
+
+event connection_established(c: connection) &priority=3
+	{
+	if ( Site::is_local_addr(c$id$orig_h) )
+		{
+		local loc = lookup_location(c$id$resp_h);
+		if ( loc?$country_code )
+			Metrics::add_data("conns.country", [$str=loc$country_code], 1);
+		}
+		
+	local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h;
+	# There is no index for this.
+	Metrics::add_unique("hosts.active", [], cat(the_host));
+	}