Add conn_generic_packet_threshold_crossed event

src/analyzer/protocol/conn-size/ConnSize.cc

@@ -37,6 +37,13 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
 }
 
 void ConnSize_Analyzer::CheckThresholds(bool is_orig) {
+    static const auto generic_packet_threshold = id::find_const("ConnThreshold::generic_packet_threshold")->AsCount();
+
+    if ( conn_generic_packet_threshold_crossed && generic_packet_threshold &&
+         (orig_pkts + resp_pkts) == generic_packet_threshold ) {
+        EnqueueConnEvent(conn_generic_packet_threshold_crossed, ConnVal());
+    }
+
     if ( is_orig ) {
         if ( orig_bytes_thresh && orig_bytes >= orig_bytes_thresh ) {
             ThresholdEvent(conn_bytes_threshold_crossed, orig_bytes_thresh, is_orig);

src/analyzer/protocol/conn-size/events.bif

@@ -46,3 +46,10 @@ event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig:
 ##               get_current_conn_bytes_threshold get_current_conn_packets_threshold
 ##               set_current_conn_duration_threshold get_current_conn_duration_threshold
 event conn_duration_threshold_crossed%(c: connection, threshold: interval, is_orig: bool%);
+
+## Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_threshold` packets have been
+## observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
+## connections, while short interactions, like scans consisting of only a few packets, are ignored.
+##
+## c: The connection.
+event conn_generic_packet_threshold_crossed%(c: connection%);