Add rate-limiting sampling mechanism for weird events

The generation of weird events, by default, are now rate-limited according to these tunable options: - Weird::sampling_whitelist - Weird::sampling_threshold - Weird::sampling_rate - Weird::sampling_duration The new get_reporter_stats() BIF also allows one to query the total number of weirds generated (pre-sampling) which the new policy/misc/weird-stats.bro script uses periodically to populate a weird_stats.log. There's also new reporter BIFs to allow generating weirds from the script-layer such that they go through the same, internal rate-limiting/sampling mechanisms: - Reporter::conn_weird - Reporter::flow_weird - Reporter::net_weird Some of the code was adapted from previous work by Johanna Amann.
2025-10-07 09:08:20 +00:00 · 2018-07-26 19:57:36 -05:00 · 2018-07-26 19:57:36 -05:00 · 35827eeb31
commit 35827eeb31
parent e60b0bfb25
25 changed files with 1037 additions and 10 deletions
--- a/src/Timer.h
+++ b/src/Timer.h
@ -23,12 +23,14 @@ enum TimerType {
 	TIMER_CONN_STATUS_UPDATE,
 	TIMER_DNS_EXPIRE,
 	TIMER_FILE_ANALYSIS_INACTIVITY,
+	TIMER_FLOW_WEIRD_EXPIRE,
 	TIMER_FRAG,
 	TIMER_INCREMENTAL_SEND,
 	TIMER_INCREMENTAL_WRITE,
 	TIMER_INTERCONN,
 	TIMER_IP_TUNNEL_INACTIVITY,
 	TIMER_NB_EXPIRE,
+	TIMER_NET_WEIRD_EXPIRE,
 	TIMER_NETWORK,
 	TIMER_NTP_EXPIRE,
 	TIMER_PROFILE,