Add conn_generic_packet_threshold_crossed event

scripts/base/init-bare.zeek

@@ -6369,6 +6369,18 @@ export {
 	};
 }
 
+module ConnThreshold;
+
+export {
+	## Number of packets required to be observed on any IP-based session to
+	## trigger :zeek:id:`conn_generic_packet_threshold_crossed`. Note that the
+	## threshold refers to the total number of packets transferred in both
+	## directions.
+	##
+	## .. zeek:see:: conn_generic_packet_threshold_crossed
+	const generic_packet_threshold = 5 &redef;
+}
+
 module GLOBAL;
 
 @load base/bif/event.bif

src/analyzer/protocol/conn-size/ConnSize.cc

@@ -37,6 +37,13 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
 }
 
 void ConnSize_Analyzer::CheckThresholds(bool is_orig) {
+    static const auto generic_packet_threshold = id::find_const("ConnThreshold::generic_packet_threshold")->AsCount();
+
+    if ( conn_generic_packet_threshold_crossed && generic_packet_threshold &&
+         (orig_pkts + resp_pkts) == generic_packet_threshold ) {
+        EnqueueConnEvent(conn_generic_packet_threshold_crossed, ConnVal());
+    }
+
     if ( is_orig ) {
         if ( orig_bytes_thresh && orig_bytes >= orig_bytes_thresh ) {
             ThresholdEvent(conn_bytes_threshold_crossed, orig_bytes_thresh, is_orig);

src/analyzer/protocol/conn-size/events.bif

@@ -46,3 +46,10 @@ event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig:
 ##               get_current_conn_bytes_threshold get_current_conn_packets_threshold
 ##               set_current_conn_duration_threshold get_current_conn_duration_threshold
 event conn_duration_threshold_crossed%(c: connection, threshold: interval, is_orig: bool%);
+
+## Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_threshold` packets have been
+## observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
+## connections, while short interactions, like scans consisting of only a few packets, are ignored.
+##
+## c: The connection.
+event conn_generic_packet_threshold_crossed%(c: connection%);

src/event.bif

@@ -106,7 +106,8 @@ event network_time_init%(%);
 ##
 ##    Handling this event is potentially expensive. For example, during a SYN
 ##    flooding attack, every spoofed SYN packet will lead to a new
-##    event.
+##    event. Consider to use events like :zeek:id:`connection_established` or
+##    :zeek:id:`ConnThreshold::conn_generic_packet_threshold_crossed` instead.
 event new_connection%(c: connection%);
 
 ## Generated for a connection whose tunneling has changed.  This could