diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro
index 48f11ef7f7..8d7ea26bc7 100644
--- a/scripts/base/frameworks/metrics/main.bro
+++ b/scripts/base/frameworks/metrics/main.bro
@@ -71,6 +71,9 @@ export {
 ## The time when this result was first started.
 begin: time &log;
+ ## The time when the last value was added to this result.
+ end: time &log;
+
 ## The number of measurements received.
 num: count &log &default=0;
@@ -277,6 +280,12 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal
 {
 local result: ResultVal;
+ # Merge $begin (take the earliest one)
+ result$begin = rv1$begin < rv2$begin ? rv1$begin : rv2$begin;
+
+ # Merge $end (take the latest one)
+ result$end = rv1$end > rv2$end ? rv1$end : rv2$end;
+
 # Merge $num
 result$num = rv1$num + rv2$num;
@@ -442,7 +451,7 @@ function add_data(id: string, index: Index, data: DataPoint)
 local metric_tbl = store[id, filter$name];
 if ( index !in metric_tbl )
- metric_tbl[index] = [$begin=network_time()];
+ metric_tbl[index] = [$begin=network_time(), $end=network_time()];
 local result = metric_tbl[index];
@@ -452,6 +461,8 @@ function add_data(id: string, index: Index, data: DataPoint)
 val = data?$dbl ? data$dbl : data$num;
 ++result$num;
+ # Continually update the $end field.
+ result$end=network_time();
 if ( filter?$samples && filter$samples > 0 && data?$str )
 {
diff --git a/scripts/policy/misc/scan.bro b/scripts/policy/misc/scan.bro
index decc34c894..42350bbe77 100644
--- a/scripts/policy/misc/scan.bro
+++ b/scripts/policy/misc/scan.bro
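Review bot: The doc comment on the new `end` field in the `export` hunk describes only the single-node case, while the `merge_result_vals` hunk below gives the field a second meaning: after a merge it is the latest `end` of the merged inputs, just as `begin` becomes the earliest. A reader of the log schema will see `result.end` on a cluster manager and has no way to learn that from the record definition. I would extend the comment to `## The time when the last value was added to this result. When results are merged, this is the latest of the merged values.`, and give `begin` the matching "earliest of the merged values" sentence, since the merge of `$begin` is introduced here too.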
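Review bot: In the last `add_data` hunk, `result$end=network_time();` drops the spaces around `=` that every other assignment in these hunks uses (`result$num = rv1$num + rv2$num`, `local result = metric_tbl[index]`); `result$end = network_time();` keeps the style uniform. In the preceding `add_data` hunk the new-entry constructor evaluates `network_time()` twice for `$begin` and `$end`; a single `local now = network_time();` followed by `metric_tbl[index] = [$begin=now, $end=now];` makes it explicit that a fresh result starts with `begin == end`, which is what the updated baselines rely on for single-measurement rows. `add_data` starts and ends outside both hunks, so the position of that local relative to the rest of the function is inferred.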
@@ -51,7 +51,7 @@ function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVa
 function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal)
 {
 local side = Site::is_local_addr(index$host) ? "local" : "remote";
- local message=fmt("%s scanned %d unique hosts on port %s", index$host, val$unique, index$str);
+ local message=fmt("%s scanned %d unique hosts on port %s in %s", index$host, val$unique, index$str, val$end-val$begin);
 NOTICE([$note=Address_Scan, $src=index$host,
@@ -64,7 +64,7 @@ function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result
 function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal)
 {
 local side = Site::is_local_addr(index$host) ? "local" : "remote";
- local message = fmt("%s scanned %d unique ports of host %s", index$host, val$unique, index$str);
+ local message = fmt("%s scanned %d unique ports of host %s in %s", index$host, val$unique, index$str, val$end-val$begin);
 NOTICE([$note=Port_Scan, $src=index$host,
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
index e6c33719aa..98794673f1 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
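Review bot: The rewritten `message` line in `addr_scan_threshold_crossed` keeps `local message=fmt(` without spaces while the sibling line in `port_scan_threshold_crossed` (second hunk) uses `local message = fmt(`; since this commit touches both lines it is the moment to align them. The new duration argument `val$end-val$begin` in both hunks would likewise read better as `val$end - val$begin`, matching the spacing of the other binary expressions in these functions. The duration is meaningful only because the accompanying `main.bro` change now guarantees `begin` and `end` are set on merged results; a one-line comment such as `# Duration over which the unique hosts were observed (begin/end come from the metrics framework, merged across nodes).` above the `fmt` call would save the next reader a trip to the framework. Both functions continue past the end of their hunks.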
@@ -3,10 +3,10 @@
 #empty_field (empty)
 #unset_field -
 #path metrics
-#open 2012-11-20-06-46-51
-#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique
-#types time interval string string string addr subnet time count double double double double double double count
-1353394011.192622 3.000000 default test.metric - 6.5.4.3 - - 2 6.0 1.0 5.0 3.0 4.0 2.0 -
-1353394011.192622 3.000000 default test.metric - 1.2.3.4 - - 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 -
-1353394011.192622 3.000000 default test.metric - 7.2.1.5 - - 2 145.0 54.0 91.0 72.5 342.25 18.5 -
-#close 2012-11-20-06-46-51
+#open 2012-12-04-15-53-23
+#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique
+#types time interval string string string addr subnet time time count double double double double double double count
+1354636403.682565 3.000000 default test.metric - 6.5.4.3 - 1354636401.774655 1354636401.782720 2 6.0 1.0 5.0 3.0 4.0 2.0 -
+1354636403.682565 3.000000 default test.metric - 1.2.3.4 - 1354636401.774655 1354636401.782720 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 -
+1354636403.682565 3.000000 default test.metric - 7.2.1.5 - 1354636401.774655 1354636401.782720 2 145.0 54.0 91.0 72.5 342.25 18.5 -
+#close 2012-12-04-15-53-23
diff --git a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
index 784d6d7920..63bf7c95fb 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
@@ -3,10 +3,10 @@
 #empty_field (empty)
 #unset_field -
 #path metrics
-#open 2012-11-20-15-05-07
-#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique
-#types time interval string string string addr subnet time count double double double double double double count
-1353423907.236002 3.000000 foo-bar test.metric - 6.5.4.3 - 1353423907.236002 1 2.0 2.0 2.0 2.0 0.0 0.0 -
-1353423907.236002 3.000000 foo-bar test.metric - 1.2.3.4 - 1353423907.236002 5 221.0 5.0 94.0 44.2 915.36 30.254917 -
-1353423907.236002 3.000000 foo-bar test.metric - 7.2.1.5 - 1353423907.236002 1 1.0 1.0 1.0 1.0 0.0 0.0 -
-#close 2012-11-20-15-05-07
+#open 2012-12-04-15-55-13
+#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique
+#types time interval string string string addr subnet time time count double double double double double double count
+1354636513.492214 3.000000 foo-bar test.metric - 6.5.4.3 - 1354636513.492214 1354636513.492214 1 2.0 2.0 2.0 2.0 0.0 0.0 -
+1354636513.492214 3.000000 foo-bar test.metric - 1.2.3.4 - 1354636513.492214 1354636513.492214 5 221.0 5.0 94.0 44.2 915.36 30.254917 -
+1354636513.492214 3.000000 foo-bar test.metric - 7.2.1.5 - 1354636513.492214 1354636513.492214 1 1.0 1.0 1.0 1.0 0.0 0.0 -
+#close 2012-12-04-15-55-13