Merge remote-tracking branch 'origin/topic/jsiwek/flowbuffer-policy'

* origin/topic/jsiwek/flowbuffer-policy:
  Use a default binpac flowbuffer policy

Added options to tune binpac flowbuffer policy
This commit is contained in:
Jon Siwek 2019-04-10 09:54:27 -07:00
commit 78dcbcc71a
6 changed files with 38 additions and 7 deletions


@ -1,4 +1,8 @@
2.6-210 | 2019-04-10 09:54:27 -0700
* Add options to tune BinPAC flowbuffer policy (Jon Siwek, Corelight)
2.6-208 | 2019-04-10 11:36:17 +0000 2.6-208 | 2019-04-10 11:36:17 +0000
* Improve PE file analysis (Jon Siwek, Corelight) * Improve PE file analysis (Jon Siwek, Corelight)


@ -1 +1 @@
2.6-208 2.6-210

@ -1 +1 @@
Subproject commit bb2476465e304a00c368bd73d40cc6f734be5311 Subproject commit 2c8d31a439a3712af3a7a0342a955a78784521a5

doc

@ -1 +1 @@
Subproject commit 6b81dd79ebef6372da961177852e4ea5c65dd5fa Subproject commit 97af751958172622862bf0da694d6386967d5d24


@ -5051,6 +5051,26 @@ export {
option sampling_duration = 10min; option sampling_duration = 10min;
} }
module BinPAC;
export {
## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to
## grow to for use with incremental parsing of a given connection/analyzer.
const flowbuffer_capacity_max = 10 * 1024 * 1024 &redef;
## The initial capacity, in bytes, that will be allocated to the BinPAC
## flowbuffer of a given connection/analyzer. If the buffer buffer is
## later contracted, its capacity is also reduced to this size.
const flowbuffer_capacity_min = 512 &redef;
## The threshold, in bytes, at which the BinPAC flowbuffer of a given
## connection/analyzer will have its capacity contracted to
## :bro:see:`BinPAC::flowbuffer_capacity_min` after parsing a full unit.
## I.e. this is the maximum capacity to reserve in between the parsing of
## units. If, after parsing a unit, the flowbuffer capacity is greater
## than this value, it will be contracted.
const flowbuffer_contract_threshold = 2 * 1024 * 1024 &redef;
}
module GLOBAL; module GLOBAL;
## Seed for hashes computed internally for probabilistic data structures. Using ## Seed for hashes computed internally for probabilistic data structures. Using
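Review bot: The doc comment on `flowbuffer_capacity_min` has a doubled word ("If the buffer buffer is later contracted") and should read `## flowbuffer of a given connection/analyzer. If the buffer is`. The three options are also documented only individually: nothing states the ordering a `redef` is expected to preserve (presumably `flowbuffer_capacity_min <= flowbuffer_contract_threshold <= flowbuffer_capacity_max`) or what a parser sees when a single unit would need more than `flowbuffer_capacity_max`, which is the bound that keeps per-connection parser memory finite. A sentence at the top of the export block such as `## Redefinitions are expected to keep flowbuffer_capacity_min <= flowbuffer_contract_threshold <= flowbuffer_capacity_max.` would help operators tuning these; whether binpac itself enforces that ordering is not visible in this change.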


@ -891,10 +891,6 @@ int main(int argc, char** argv)
if ( events_file ) if ( events_file )
event_player = new EventPlayer(events_file); event_player = new EventPlayer(events_file);
// Must come after plugin activation (and also after hash
// initialization).
binpac::init();
init_event_handlers(); init_event_handlers();
md5_type = new OpaqueType("md5"); md5_type = new OpaqueType("md5");
@ -945,6 +941,17 @@ int main(int argc, char** argv)
init_net_var(); init_net_var();
init_builtin_funcs_subdirs(); init_builtin_funcs_subdirs();
// Must come after plugin activation (and also after hash
// initialization).
binpac::FlowBuffer::Policy flowbuffer_policy;
flowbuffer_policy.max_capacity = global_scope()->Lookup(
"BinPAC::flowbuffer_capacity_max")->ID_Val()->AsCount();
flowbuffer_policy.min_capacity = global_scope()->Lookup(
"BinPAC::flowbuffer_capacity_min")->ID_Val()->AsCount();
flowbuffer_policy.contract_threshold = global_scope()->Lookup(
"BinPAC::flowbuffer_contract_threshold")->ID_Val()->AsCount();
binpac::init(&flowbuffer_policy);
plugin_mgr->InitBifs(); plugin_mgr->InitBifs();
if ( reporter->Errors() > 0 ) if ( reporter->Errors() > 0 )
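Review bot: The three `global_scope()->Lookup(...)->ID_Val()->AsCount()` chains in the second hunk dereference the results of `Lookup()` and `ID_Val()` without a null check, so a script set that fails to define one of the `BinPAC::flowbuffer_*` options (or defines it without a value) crashes startup instead of reporting which option is missing; a small helper that resolves one option and calls `reporter->FatalError` on a null ID or value keeps the three assignments readable. The moved comment still says only "after plugin activation (and also after hash initialization)", but the call now also has to follow script parsing so that these identifiers exist, which is presumably why it moved below `init_net_var()`; stating that in the comment would stop the next reordering from breaking it. `binpac::init(&flowbuffer_policy)` is handed a pointer to a local of `main`; if binpac keeps the pointer rather than copying the struct that is worth a comment, though it cannot be confirmed from this page. Whether the values are range-checked against each other (min <= threshold <= max) is also not visible here. `main()` begins and ends outside both hunks.
```cpp
	// Must come after plugin activation (and also after hash
	// initialization), and after the scripts have been parsed so that
	// the BinPAC::flowbuffer_* options are defined.
	auto lookup_count = [](const char* name)
		{
		ID* id = global_scope()->Lookup(name);

		if ( ! id || ! id->ID_Val() )
			reporter->FatalError("missing script-level option %s", name);

		return id->ID_Val()->AsCount();
		};

	binpac::FlowBuffer::Policy flowbuffer_policy;
	flowbuffer_policy.max_capacity = lookup_count("BinPAC::flowbuffer_capacity_max");
	flowbuffer_policy.min_capacity = lookup_count("BinPAC::flowbuffer_capacity_min");
	flowbuffer_policy.contract_threshold = lookup_count("BinPAC::flowbuffer_contract_threshold");
	binpac::init(&flowbuffer_policy);
	// … unchanged: plugin_mgr->InitBifs() and error check …
```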