Permit weird sampling rate of 0.

This change allows a weird sampling rate of 0, which completely suppresses
all notifications (previously this crashed Bro). If also fixes the sampling
threshold to work with sampling rates of 0.

scripts/base/init-bare.bro

@@ -4850,13 +4850,14 @@ export {
 	const sampling_whitelist: set[string] &redef;
 
 	## How many weirds of a given type to tolerate before sampling begins.
-	## i.e. this many consecutive weirds of a given type will be allowed to
+	## I.e. this many consecutive weirds of a given type will be allowed to
 	## raise events for script-layer handling before being rate-limited.
 	const sampling_threshold = 25 &redef;
 
 	## The rate-limiting sampling rate. One out of every of this number of
 	## rate-limited weirds of a given type will be allowed to raise events
-	## for further script-layer handling.
+	## for further script-layer handling. Setting the sampling rate to 0
+	## will disable all output of rate-limited weirds.
 	const sampling_rate = 1000 &redef;
 
 	## How long a weird of a given type is allowed to keep state/counters in
@@ -4864,7 +4865,7 @@ export {
 	## first initializing its counter. For "flow" weirds an expiration timer
 	## starts once per src/dst IP pair for the first weird of any name. For
 	## "conn" weirds, counters and expiration timers are kept for the duration
-	## of the connection for each named weird and reset when necessary.  e.g.
+	## of the connection for each named weird and reset when necessary. E.g.
 	## if a "conn" weird by the name of "foo" is seen more than
 	## :bro:see:`Weird::sampling_threshold` times, then an expiration timer
 	## begins for "foo" and upon triggering will reset the counter for "foo"

src/Conn.cc

@@ -1078,10 +1078,10 @@ bool Connection::PermitWeird(const char* name, uint64 threshold, uint64 rate,
 	auto& state = weird_state[name];
 	++state.count;
 
-	if ( state.count < threshold )
+	if ( state.count <= threshold )
 		return true;
 
-	if ( state.count == threshold )
+	if ( state.count == threshold + 1)
 		state.sampling_start_time = network_time;
 	else
 		{
@@ -1094,5 +1094,8 @@ bool Connection::PermitWeird(const char* name, uint64 threshold, uint64 rate,
 		}
 
 	auto num_above_threshold = state.count - threshold;
+	if ( rate )
 		return num_above_threshold % rate == 0;
+	else
+		return false;
 	}

src/Reporter.cc

@@ -296,11 +296,14 @@ bool Reporter::PermitNetWeird(const char* name)
 		timer_mgr->Add(new NetWeirdTimer(network_time, name,
 		                                 weird_sampling_duration));
 
-	if ( count < weird_sampling_threshold )
+	if ( count <= weird_sampling_threshold )
 		return true;
 
 	auto num_above_threshold = count - weird_sampling_threshold;
+	if ( weird_sampling_rate )
 		return num_above_threshold % weird_sampling_rate == 0;
+	else
+		return false;
 	}
 
 bool Reporter::PermitFlowWeird(const char* name,
@@ -316,11 +319,14 @@ bool Reporter::PermitFlowWeird(const char* name,
 	auto& count = map[name];
 	++count;
 
-	if ( count < weird_sampling_threshold )
+	if ( count <= weird_sampling_threshold )
 		return true;
 
 	auto num_above_threshold = count - weird_sampling_threshold;
+	if ( weird_sampling_rate )
 		return num_above_threshold % weird_sampling_rate == 0;
+	else
+		return false;
 	}
 
 void Reporter::Weird(const char* name)

testing/btest/Baseline/core.reporter-weird-sampling-disable/output

@@ -0,0 +1 @@
+net_weird, my_net_weird

testing/btest/core/reporter-weird-sampling-disable.bro

@@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -b -r $TRACES/http/bro.org.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+redef Weird::sampling_threshold = 1;
+redef Weird::sampling_rate = 0;
+
+event net_weird(name: string)
+	{
+	print "net_weird", name;
+	}
+
+event gen_weirds(c: connection)
+	{
+	local num = 5;
+
+	while ( num != 0 )
+		{
+		Reporter::net_weird("my_net_weird");
+		--num;
+		}
+	}
+
+global did_one_connection = F;
+
+event new_connection(c: connection)
+	{
+	if ( did_one_connection )
+		return;
+
+	did_one_connection = T;
+	event gen_weirds(c);
+	}