Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 14:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Some test updates.

Browse source
This commit is contained in:
Seth Hall 2012-11-20 02:08:49 -05:00
parent 20fdd36a44
commit 08538211e1
13 changed files with 62 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

3
scripts/policy/protocols/conn/conn-stats-per-host.bro
View file

@ -1,4 +1,7 @@
@load base/protocols/conn
@load base/frameworks/metrics
event bro_init() &priority=5
{
Metrics::add_filter("conn.orig.data",

9
scripts/policy/protocols/conn/metrics.bro
View file

@ -1,9 +1,10 @@
@load base/frameworks/metrics
@load base/utils/site
event bro_init() &priority=3
{
Metrics::add_filter("conns.country", [$break_interval=1hr]);
Metrics::add_filter("hosts.active", [$break_interval=1hr]);
Metrics::add_filter("conns.country", [$every=1hr, $measure=set(Metrics::SUM)]);
Metrics::add_filter("hosts.active", [$every=1hr, $measure=set(Metrics::SUM)]);
}
event connection_established(c: connection) &priority=3
@ -12,10 +13,10 @@ event connection_established(c: connection) &priority=3
{
local loc = lookup_location(c$id$resp_h);
if ( loc?$country_code )
Metrics::add_data("conns.country", [$str=loc$country_code], 1);
Metrics::add_data("conns.country", [$str=loc$country_code], [$num=1]);
}
local the_host = Site::is_local_addr(c$id$orig_h) ? c$id$orig_h : c$id$resp_h;
# There is no index for this.
Metrics::add_unique("hosts.active", [], cat(the_host));
Metrics::add_data("hosts.active", [], [$str=cat(the_host)]);
}

4
scripts/policy/protocols/conn/scan.bro
View file

@ -4,10 +4,12 @@
##! Seth Hall
##! All the authors of the old scan.bro
@load base/frameworks/notice
@load base/frameworks/metrics
module Scan;
export {
redef enum Notice::Type += {
AddressScan,
PortScan,

27
scripts/policy/protocols/smtp/metrics.bro
View file

@ -2,31 +2,36 @@
##! "How many unique 'MAIL FROM' addresses are being used by local mail servers per hour?"
##! "How much mail is being sent from each local mail server per hour?"
@load base/protocols/smtp
@load base/frameworks/metrics
@load base/utils/site
@load base/utils/directions-and-hosts
module SMTPMetrics;
export {
## Define the break intervals for all of the metrics collected and logged by this script.
const breaks = 1hr &redef;
const breaks=1hr &redef;
}
event bro_init() &priority=5
{
Metrics::add_filter("smtp.mailfrom", [$pred(index: Metrics::Index) = {
return addr_matches_host(index$host, LOCAL_HOSTS); },
$break_interval=breaks]);
Metrics::add_filter("smtp.messages", [$pred(index: Metrics::Index) = {
return addr_matches_host(index$host, LOCAL_HOSTS); },
$break_interval=breaks]);
Metrics::add_filter("smtp.mailfrom", [$every=breaks,
$measure=set(Metrics::SUM),
$pred(index: Metrics::Index, data: Metrics::DataPoint) = {
return addr_matches_host(index$host, LOCAL_HOSTS);
}]);
Metrics::add_filter("smtp.messages", [$every=breaks,
$measure=set(Metrics::SUM),
$pred(index: Metrics::Index, data: Metrics::DataPoint) = {
return addr_matches_host(index$host, LOCAL_HOSTS);
}]);
}
event SMTP::log_smtp(rec: SMTP::Info)
{
Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], 1);
Metrics::add_data("smtp.messages", [$host=rec$id$orig_h], [$num=1]);
if ( rec?$mailfrom )
Metrics::add_unique("smtp.mailfrom", [$host=rec$id$orig_h], rec$mailfrom);
Metrics::add_data("smtp.mailfrom", [$host=rec$id$orig_h], [$str=rec$mailfrom]);
}