From 5a04190ffe9fad837fe45bbae94ebb0bdc6eeb7c Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 4 Oct 2011 13:58:55 -0400
Subject: [PATCH] More adjustment to reduce Weird volumes.

- New script extracted from weird.bro to implement the connection related "weird" data into an optionally loaded script.
- Adjusted the default notice tuning to stop ignoring the connection related weirds since they aren't loaded by default anymore.
---
 scripts/base/frameworks/notice/weird.bro | 47 --------------
 scripts/policy/protocols/conn/weirds.bro | 61 +++++++++++++++++++
 .../defaults/remove-high-volume-notices.bro | 4 --
 3 files changed, 61 insertions(+), 51 deletions(-)
 create mode 100644 scripts/policy/protocols/conn/weirds.bro

diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro
index 70fbc26f28..c9e9228c0d 100644
--- a/scripts/base/frameworks/notice/weird.bro
+++ b/scripts/base/frameworks/notice/weird.bro
@@ -10,12 +10,6 @@ export {
 redef enum Notice::Type += {
 ## Generic unusual but alarm-worthy activity.
 Weird_Activity,
- ## Possible evasion; usually just chud.
- Retransmission_Inconsistency,
- ## Could mean packet drop; could also be chud.
- Ack_Above_Hole,
- ## Data has sequence hole; perhaps due to filtering.
- Content_Gap,
 };
 type Info: record {
@@ -383,47 +377,6 @@ function report_weird_orig(t: time, name: string, id: string, orig: addr)
 report_weird(t, name, id, F, "", action, no_log);
 }
-event conn_weird(name: string, c: connection, addl: string)
- {
- report_weird_conn(network_time(), name, id_string(c$id), addl, c);
- }
-
-event flow_weird(name: string, src: addr, dst: addr)
- {
- report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
- }
-
-event net_weird(name: string)
- {
- report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
- }
-
-event rexmit_inconsistency(c: connection, t1: string, t2: string)
- {
- if ( c$id !in did_inconsistency_msg )
- {
- NOTICE([$note=Retransmission_Inconsistency,
- $conn=c,
- $msg=fmt("%s rexmit inconsistency (%s) (%s)",
- id_string(c$id), t1, t2)]);
- add did_inconsistency_msg[c$id];
- }
- }
-
-event ack_above_hole(c: connection)
- {
- NOTICE([$note=Ack_Above_Hole, $conn=c,
- $msg=fmt("%s ack above a hole", id_string(c$id))]);
- }
-
-event content_gap(c: connection, is_orig: bool, seq: count, length: count)
- {
- NOTICE([$note=Content_Gap, $conn=c,
- $msg=fmt("%s content gap (%s %d/%d)%s",
- id_string(c$id), is_orig ? ">" : "<", seq, length,
- is_external_connection(c) ? " [external]" : "")]);
- }
-
 event connection_state_remove(c: connection)
 {
 delete weird_ignore[id_string(c$id)];
diff --git a/scripts/policy/protocols/conn/weirds.bro b/scripts/policy/protocols/conn/weirds.bro
new file mode 100644
index 0000000000..32890a7eaa
--- /dev/null
+++ b/scripts/policy/protocols/conn/weirds.bro
@@ -0,0 +1,61 @@
+##! This script handles core generated connection related "weird" events to
+##! push weird information about connections into the weird framework.
+##! For live operational deployments, this can frequently cause load issues
+##! due to large numbers of these events being passed between nodes.
+
+@load base/frameworks/notice
+
+module Weird;
+
+export {
+ redef enum Notice::Type += {
+ ## Possible evasion; usually just chud.
+ Retransmission_Inconsistency,
+ ## Could mean packet drop; could also be chud.
+ Ack_Above_Hole,
+ ## Data has sequence hole; perhaps due to filtering.
+ Content_Gap,
+ };
+}
+
+event conn_weird(name: string, c: connection, addl: string)
+ {
+ report_weird_conn(network_time(), name, id_string(c$id), addl, c);
+ }
+
+event flow_weird(name: string, src: addr, dst: addr)
+ {
+ report_weird_orig(network_time(), name, fmt("%s -> %s", src, dst), src);
+ }
+
+event net_weird(name: string)
+ {
+ report_weird(network_time(), name, "", F, "", WEIRD_UNSPECIFIED, F);
+ }
+
+event rexmit_inconsistency(c: connection, t1: string, t2: string)
+ {
+ if ( c$id !in did_inconsistency_msg )
+ {
+ NOTICE([$note=Retransmission_Inconsistency,
+ $conn=c,
+ $msg=fmt("%s rexmit inconsistency (%s) (%s)",
+ id_string(c$id), t1, t2)]);
+ add did_inconsistency_msg[c$id];
+ }
+ }
+
+event ack_above_hole(c: connection)
+ {
+ NOTICE([$note=Ack_Above_Hole, $conn=c,
+ $msg=fmt("%s ack above a hole", id_string(c$id))]);
+ }
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+ {
+ NOTICE([$note=Content_Gap, $conn=c,
+ $msg=fmt("%s content gap (%s %d/%d)%s",
+ id_string(c$id), is_orig ? ">" : "<", seq, length,
+ is_external_connection(c) ? " [external]" : "")]);
+ }
+
diff --git a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro
index bf3f73c741..18f2974d42 100644
--- a/scripts/policy/tuning/defaults/remove-high-volume-notices.bro
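Review bot: The new script's `##!` header explains the load cost of this file but not what detection coverage changes when it is or is not loaded: Retransmission_Inconsistency (commented right below as "Possible evasion"), Ack_Above_Hole and Content_Gap are no longer raised at all in a default deployment, and because the tuning default stops listing them in `Notice::ignored_types` (last hunk), an operator who loads this script gets all three into notice.log at full volume. I would extend the header along the lines of `##! These connection weirds, including the possible-evasion Retransmission_Inconsistency notice, are only reported when this script is loaded, and the default tuning no longer suppresses them; add them to Notice::ignored_types if notice.log volume is a concern.` Separately, the script only `@load`s base/frameworks/notice yet calls report_weird_conn, report_weird_orig and report_weird and uses did_inconsistency_msg, which this diff leaves defined in notice/weird.bro (the diffstat's 47 deletions are fully accounted for by the two hunks shown); if base/frameworks/notice does not itself pull that file in, an explicit `@load base/frameworks/notice/weird`, as the tuning script already does, would make the dependency visible.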
+++ b/scripts/policy/tuning/defaults/remove-high-volume-notices.bro
@@ -4,11 +4,7 @@
 @load base/frameworks/notice
 @load base/frameworks/notice/weird
-# Remove these notices from logging since they can be too noisy.
 redef Notice::ignored_types += {
- Weird::Content_Gap,
- Weird::Ack_Above_Hole,
- Weird::Retransmission_Inconsistency,
 ## Only allow these to go in the weird log.
 Weird::Weird_Activity,
 };