Updated the app-metrics script to the new metrics api.

- Inconsequential change to scan.bro.
Seth Hall 2012-11-16 03:05:43 -05:00
parent e99e090b85
commit 257b460b18
2 changed files with 14 additions and 23 deletions


@ -12,48 +12,41 @@ export {
event bro_init() &priority=3
{
Metrics::add_filter("apps.bytes", [$break_interval=break_interval]);
Metrics::add_filter("apps.views", [$break_interval=break_interval]);
Metrics::add_filter("apps.users", [$break_interval=break_interval]);
Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM)]);
Metrics::add_filter("apps.hits", [$every=break_interval, $measure=set(Metrics::SUM, Metrics::UNIQUE)]);
}
function do_metric(id: conn_id, hostname: string, size: count)
{
if ( /youtube/ in hostname && size > 512*1024 )
{
Metrics::add_data("apps.bytes", [$str="youtube"], size);
Metrics::add_data("apps.views", [$str="youtube"], 1);
Metrics::add_unique("apps.users", [$str="youtube"], cat(id$orig_h));
Metrics::add_data("apps.bytes", [$str="youtube"], [$num=size]);
Metrics::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]);
}
else if ( /facebook.com|fbcdn.net/ in hostname && size > 20 )
{
Metrics::add_data("apps.bytes", [$str="facebook"], size);
Metrics::add_data("apps.views", [$str="facebook"], 1);
Metrics::add_unique("apps.users", [$str="facebook"], cat(id$orig_h));
Metrics::add_data("apps.bytes", [$str="facebook"], [$num=size]);
Metrics::add_data("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]);
}
else if ( /google.com/ in hostname && size > 20 )
{
Metrics::add_data("apps.bytes", [$str="google"], size);
Metrics::add_data("apps.views", [$str="google"], 1);
Metrics::add_unique("apps.users", [$str="google"], cat(id$orig_h));
Metrics::add_data("apps.bytes", [$str="google"], [$num=size]);
Metrics::add_data("apps.hits", [$str="google"], [$str=cat(id$orig_h)]);
}
else if ( /nflximg.com/ in hostname && size > 200*1024 )
{
Metrics::add_data("apps.bytes", [$str="netflix"], size);
Metrics::add_data("apps.views", [$str="netflix"], 1);
Metrics::add_unique("apps.users", [$str="netflix"], cat(id$orig_h));
Metrics::add_data("apps.bytes", [$str="netflix"], [$num=size]);
Metrics::add_data("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]);
}
else if ( /pandora.com/ in hostname && size > 512*1024 )
{
Metrics::add_data("apps.bytes", [$str="pandora"], size);
Metrics::add_data("apps.views", [$str="pandora"], 1);
Metrics::add_unique("apps.users", [$str="pandora"], cat(id$orig_h));
Metrics::add_data("apps.bytes", [$str="pandora"], [$num=size]);
Metrics::add_data("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]);
}
else if ( /gmail.com/ in hostname && size > 20 )
{
Metrics::add_data("apps.bytes", [$str="gmail"], size);
Metrics::add_data("apps.views", [$str="gmail"], 1);
Metrics::add_unique("apps.users", [$str="gmail"], cat(id$orig_h));
Metrics::add_data("apps.bytes", [$str="gmail"], [$num=size]);
Metrics::add_data("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]);
}
}
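Review bot: The new `apps.hits` data points in do_metric carry only `$str`, yet the filter in bro_init measures `Metrics::SUM` as well as `Metrics::UNIQUE`, so the per-application hit count now depends on how the framework sums a data point that has no `$num`. The code this replaces added an explicit `1` to `apps.views` for each hit. The Metrics module is not shown here, so if SUM reads `$num`, I would keep the increment explicit in each branch, e.g. `Metrics::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h), $num=1]);`. Separately, the unchanged hostname tests such as `/google.com/ in hostname` are substring matches with an unescaped `.`, so unrelated hostnames that merely contain a similar string are counted under these labels. Escaping the dots and anchoring the patterns to the end of the name would make the counters more trustworthy.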


@ -282,7 +282,6 @@ event connection_reset(c: connection)
if ( is_failed_conn(c) )
{
is_scan = T;
is_reverse_scan = F;
}
else if ( is_reverse_failed_conn(c) )
{
@ -305,7 +304,6 @@ event connection_pending(c: connection)
if ( is_failed_conn(c) )
{
is_scan = T;
is_reverse_scan = F;
}
else if ( is_reverse_failed_conn(c) )
{