Merge remote-tracking branch 'origin/topic/seth/metrics-merge'
* origin/topic/seth/metrics-merge: (70 commits) Added protocol to the traceroute detection script. Added an automatic state limiter for threshold based SumStats. Removed some dead code in scan.bro Renamed a plugin hook in sumstats framework. Move loading variance back to where it should be alphabetically. Fix a bug with path building in FTP. Came up when changing the path utils. Fix a few tests. SumStats test checkpoint. SumStats tests pass. Checkpoint for SumStats rename. Fix another occasional reporter error. Small updates to hopefully correct reporter errors leading to lost memory. Trying to fix a state maintenance issue. Updating DocSourcesList Updated FTP bruteforce detection and a few other small changes. Test updates and cleanup. Fixed the measurement "sample" plugin. Fix path compression to include removing "/./". Removed the example metrics scripts. Better real world examples exist now. Measurement framework is ready for testing. ...
This commit is contained in:
commit
1e40a2f88c
62 changed files with 2388 additions and 1278 deletions
|
@ -1,25 +0,0 @@
|
|||
##! An example of using the metrics framework to collect connection metrics
|
||||
##! aggregated into /24 CIDR ranges.
|
||||
|
||||
@load base/frameworks/metrics
|
||||
@load base/utils/site
|
||||
|
||||
redef enum Metrics::ID += {
|
||||
CONNS_ORIGINATED,
|
||||
CONNS_RESPONDED
|
||||
};
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Metrics::add_filter(CONNS_ORIGINATED, [$aggregation_mask=24, $break_interval=1mins]);
|
||||
|
||||
# Site::local_nets must be defined in order for this to actually do anything.
|
||||
Metrics::add_filter(CONNS_RESPONDED, [$aggregation_table=Site::local_nets_table, $break_interval=1mins]);
|
||||
}
|
||||
|
||||
event connection_established(c: connection)
|
||||
{
|
||||
Metrics::add_data(CONNS_ORIGINATED, [$host=c$id$orig_h], 1);
|
||||
Metrics::add_data(CONNS_RESPONDED, [$host=c$id$resp_h], 1);
|
||||
}
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
##! Provides an example of aggregating and limiting collection down to
|
||||
##! only local networks. Additionally, the status code for the response from
|
||||
##! the request is added into the metric.
|
||||
|
||||
@load base/frameworks/metrics
|
||||
@load base/protocols/http
|
||||
@load base/utils/site
|
||||
|
||||
redef enum Metrics::ID += {
|
||||
## Measures HTTP requests indexed on both the request host and the response
|
||||
## code from the server.
|
||||
HTTP_REQUESTS_BY_STATUS_CODE,
|
||||
|
||||
## Currently unfinished and not working.
|
||||
HTTP_REQUESTS_BY_HOST_HEADER,
|
||||
};
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
# TODO: these are waiting on a fix with table vals + records before they will work.
|
||||
#Metrics::add_filter(HTTP_REQUESTS_BY_HOST_HEADER,
|
||||
# [$pred(index: Metrics::Index) = { return Site::is_local_addr(index$host); },
|
||||
# $aggregation_mask=24,
|
||||
# $break_interval=1min]);
|
||||
|
||||
# Site::local_nets must be defined in order for this to actually do anything.
|
||||
Metrics::add_filter(HTTP_REQUESTS_BY_STATUS_CODE, [$aggregation_table=Site::local_nets_table,
|
||||
$break_interval=1min]);
|
||||
}
|
||||
|
||||
event HTTP::log_http(rec: HTTP::Info)
|
||||
{
|
||||
if ( rec?$host )
|
||||
Metrics::add_data(HTTP_REQUESTS_BY_HOST_HEADER, [$str=rec$host], 1);
|
||||
if ( rec?$status_code )
|
||||
Metrics::add_data(HTTP_REQUESTS_BY_STATUS_CODE, [$host=rec$id$orig_h, $str=fmt("%d", rec$status_code)], 1);
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
##! Provides an example of using the metrics framework to collect the number
|
||||
##! of times a specific server name indicator value is seen in SSL session
|
||||
##! establishments. Names ending in google.com are being filtered out as an
|
||||
##! example of the predicate based filtering in metrics filters.
|
||||
|
||||
@load base/frameworks/metrics
|
||||
@load base/protocols/ssl
|
||||
|
||||
redef enum Metrics::ID += {
|
||||
SSL_SERVERNAME,
|
||||
};
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Metrics::add_filter(SSL_SERVERNAME,
|
||||
[$name="no-google-ssl-servers",
|
||||
$pred(index: Metrics::Index) = {
|
||||
return (/google\.com$/ !in index$str);
|
||||
},
|
||||
$break_interval=10secs
|
||||
]);
|
||||
}
|
||||
|
||||
event SSL::log_ssl(rec: SSL::Info)
|
||||
{
|
||||
if ( rec?$server_name )
|
||||
Metrics::add_data(SSL_SERVERNAME, [$str=rec$server_name], 1);
|
||||
}
|