Add rate-limiting sampling mechanism for weird events

The generation of weird events, by default, are now rate-limited according to these tunable options: - Weird::sampling_whitelist - Weird::sampling_threshold - Weird::sampling_rate - Weird::sampling_duration The new get_reporter_stats() BIF also allows one to query the total number of weirds generated (pre-sampling) which the new policy/misc/weird-stats.bro script uses periodically to populate a weird_stats.log. There's also new reporter BIFs to allow generating weirds from the script-layer such that they go through the same, internal rate-limiting/sampling mechanisms: - Reporter::conn_weird - Reporter::flow_weird - Reporter::net_weird Some of the code was adapted from previous work by Johanna Amann.
2025-10-08 17:48:21 +00:00 · 2018-07-26 19:57:36 -05:00 · 2018-07-26 19:57:36 -05:00 · 35827eeb31
commit 35827eeb31
parent e60b0bfb25
25 changed files with 1037 additions and 10 deletions
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -199,7 +199,7 @@ event http_request(c: connection, method: string, original_URI: string,
 	c$http$uri = unescaped_URI;

 	if ( method !in http_methods )
-		event conn_weird("unknown_HTTP_method", c, method);
+		Reporter::conn_weird("unknown_HTTP_method", c, method);
 	}

 event http_reply(c: connection, version: string, code: count, reason: string) &priority=5