Connection Burst Identification

This package identifies "bursting connections" which are considered to be connections which transfer a large amount of data quickly. Once a bursty connection is identified it is no longer watched for being bursty.

When a bursty connection is identified, the event ConnBurst::detected is generated and a log is written to a log stream named conn_burst.


bro-pkg refresh
bro-pkg install bro/corelight/conn-burst


There are a couple of configuration options that might have an impact on analysis and detection.

ConnBurst::speed_threshold - This is a double value defined in Mbps and it means that you consider a bursty connection on your network to be one that is transferring data faster than this rate. The default speed threshold is 50Mbps.

ConnBurst::size_threshold - This is a double value defined in MB and it means that you'd like a minimum of this much traffic transferred before the transfer rate of the connection is tested. This avoids identifying a small connection that happens to tranfer data quickly as bursty since it's likely that a small and fast connection doesn't really matter that much to your analysis. The default size threshold is 100MB.


When a connection burst is detected, it will generate the following event. You can copy and paste this into your script if you want to do something based on a connection bursting.

event ConnBurst::detected(c: connection, rate_in_mbps: double)
	# Do something here!


Thanks to Robin Sommer for the initial discussion on how to approach this problem efficiently. Also, thanks to Aashish Sharma and Keith Lehigh for prerelease testing and fixing a few bugs!


Package Version :