Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 05:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Adding an $end time for result values to measure the length of time a measurement took.

Browse source
This commit is contained in:
Seth Hall 2012-12-04 11:04:01 -05:00
parent d61d175a04
commit 3af4517e2a
4 changed files with 28 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

13
scripts/base/frameworks/metrics/main.bro
View file

@ -71,6 +71,9 @@ export {
## The time when this result was first started. ## The time when this result was first started.
begin: time &log; begin: time &log;
## The time when the last value was added to this result.
end: time &log;
## The number of measurements received. ## The number of measurements received.
num: count &log &default=0; num: count &log &default=0;
@ -277,6 +280,12 @@ function merge_result_vals(rv1: ResultVal, rv2: ResultVal): ResultVal
{ {
local result: ResultVal; local result: ResultVal;
# Merge $begin (take the earliest one)
result$begin = rv1$begin < rv2$begin ? rv1$begin : rv2$begin;
# Merge $end (take the latest one)
result$end = rv1$end > rv2$end ? rv1$end : rv2$end;
# Merge $num # Merge $num
result$num = rv1$num + rv2$num; result$num = rv1$num + rv2$num;
@ -442,7 +451,7 @@ function add_data(id: string, index: Index, data: DataPoint)
local metric_tbl = store[id, filter$name]; local metric_tbl = store[id, filter$name];
if ( index !in metric_tbl ) if ( index !in metric_tbl )
metric_tbl[index] = [$begin=network_time()]; metric_tbl[index] = [$begin=network_time(), $end=network_time()];
local result = metric_tbl[index]; local result = metric_tbl[index];
@ -452,6 +461,8 @@ function add_data(id: string, index: Index, data: DataPoint)
val = data?$dbl ? data$dbl : data$num; val = data?$dbl ? data$dbl : data$num;
++result$num; ++result$num;
# Continually update the $end field.
result$end=network_time();
if ( filter?$samples && filter$samples > 0 && data?$str ) if ( filter?$samples && filter$samples > 0 && data?$str )
{ {

4
scripts/policy/misc/scan.bro
View file

@ -51,7 +51,7 @@ function check_addr_scan_threshold(index: Metrics::Index, val: Metrics::ResultVa
function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal)
{ {
local side = Site::is_local_addr(index$host) ? "local" : "remote"; local side = Site::is_local_addr(index$host) ? "local" : "remote";
local message=fmt("%s scanned %d unique hosts on port %s", index$host, val$unique, index$str); local message=fmt("%s scanned %d unique hosts on port %s in %s", index$host, val$unique, index$str, val$end-val$begin);
NOTICE([$note=Address_Scan, NOTICE([$note=Address_Scan,
$src=index$host, $src=index$host,
@ -64,7 +64,7 @@ function addr_scan_threshold_crossed(index: Metrics::Index, val: Metrics::Result
function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal) function port_scan_threshold_crossed(index: Metrics::Index, val: Metrics::ResultVal)
{ {
local side = Site::is_local_addr(index$host) ? "local" : "remote"; local side = Site::is_local_addr(index$host) ? "local" : "remote";
local message = fmt("%s scanned %d unique ports of host %s", index$host, val$unique, index$str); local message = fmt("%s scanned %d unique ports of host %s in %s", index$host, val$unique, index$str, val$end-val$begin);
NOTICE([$note=Port_Scan, NOTICE([$note=Port_Scan,
$src=index$host, $src=index$host,

14
testing/btest/Baseline/scripts.base.frameworks.metrics.basic-cluster/manager-1.metrics.log
View file

@ -3,10 +3,10 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path metrics #path metrics
#open 2012-11-20-06-46-51 #open 2012-12-04-15-53-23
#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique #fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique
#types time interval string string string addr subnet time count double double double double double double count #types time interval string string string addr subnet time time count double double double double double double count
1353394011.192622 3.000000 default test.metric - 6.5.4.3 - - 2 6.0 1.0 5.0 3.0 4.0 2.0 - 1354636403.682565 3.000000 default test.metric - 6.5.4.3 - 1354636401.774655 1354636401.782720 2 6.0 1.0 5.0 3.0 4.0 2.0 -
1353394011.192622 3.000000 default test.metric - 1.2.3.4 - - 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 - 1354636403.682565 3.000000 default test.metric - 1.2.3.4 - 1354636401.774655 1354636401.782720 9 437.0 3.0 95.0 48.555556 674.469136 25.970544 -
1353394011.192622 3.000000 default test.metric - 7.2.1.5 - - 2 145.0 54.0 91.0 72.5 342.25 18.5 - 1354636403.682565 3.000000 default test.metric - 7.2.1.5 - 1354636401.774655 1354636401.782720 2 145.0 54.0 91.0 72.5 342.25 18.5 -
#close 2012-11-20-06-46-51 #close 2012-12-04-15-53-23

14
testing/btest/Baseline/scripts.base.frameworks.metrics.basic/metrics.log
View file

@ -3,10 +3,10 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path metrics #path metrics
#open 2012-11-20-15-05-07 #open 2012-12-04-15-55-13
#fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique #fields ts ts_delta filter_name metric index.str index.host index.network result.begin result.end result.num result.sum result.min result.max result.avg result.variance result.std_dev result.unique
#types time interval string string string addr subnet time count double double double double double double count #types time interval string string string addr subnet time time count double double double double double double count
1353423907.236002 3.000000 foo-bar test.metric - 6.5.4.3 - 1353423907.236002 1 2.0 2.0 2.0 2.0 0.0 0.0 - 1354636513.492214 3.000000 foo-bar test.metric - 6.5.4.3 - 1354636513.492214 1354636513.492214 1 2.0 2.0 2.0 2.0 0.0 0.0 -
1353423907.236002 3.000000 foo-bar test.metric - 1.2.3.4 - 1353423907.236002 5 221.0 5.0 94.0 44.2 915.36 30.254917 - 1354636513.492214 3.000000 foo-bar test.metric - 1.2.3.4 - 1354636513.492214 1354636513.492214 5 221.0 5.0 94.0 44.2 915.36 30.254917 -
1353423907.236002 3.000000 foo-bar test.metric - 7.2.1.5 - 1353423907.236002 1 1.0 1.0 1.0 1.0 0.0 0.0 - 1354636513.492214 3.000000 foo-bar test.metric - 7.2.1.5 - 1354636513.492214 1354636513.492214 1 1.0 1.0 1.0 1.0 0.0 0.0 -
#close 2012-11-20-15-05-07 #close 2012-12-04-15-55-13