From 8286fdeea18e962c2326adfa3d0d5da13e2fce73 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 16 Aug 2011 08:28:08 -0400
Subject: [PATCH] Updates for SQL injection attack detection to match the metrics framework updates.
---
 scripts/policy/protocols/http/detect-sqli.bro | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/scripts/policy/protocols/http/detect-sqli.bro b/scripts/policy/protocols/http/detect-sqli.bro
index 45a2bdb205..e2933626f7 100644
--- a/scripts/policy/protocols/http/detect-sqli.bro
+++ b/scripts/policy/protocols/http/detect-sqli.bro
@@ -35,13 +35,13 @@ export {
 event bro_init()
 {
- Metrics::add_filter(SQL_ATTACKS, [$log=T,
- $break_interval=1mins,
+ Metrics::add_filter(SQL_ATTACKS, [$log=F,
+ $break_interval=5mins,
 $note=SQL_Injection_Attacker]);
- Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=T,
- $break_interval=1mins,
+ Metrics::add_filter(SQL_ATTACKS_AGAINST, [$log=F,
+ $break_interval=5mins,
 $note=SQL_Injection_Attack,
- $notice_thresholds=vector(10,100)]);
+ $notice_threshold=50]);
 }
 event http_request(c: connection, method: string, original_URI: string,
@@ -51,7 +51,7 @@ event http_request(c: connection, method: string, original_URI: string,
 {
 add c$http$tags[URI_SQLI];
- Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h]);
- Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h]);
+ Metrics::add_data(SQL_ATTACKS, [$host=c$id$orig_h], 1);
+ Metrics::add_data(SQL_ATTACKS_AGAINST, [$host=c$id$resp_h], 1);
 }
 }
\ No newline at end of file
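Review bot: The SQL_ATTACKS filter in the first Metrics::add_filter call still has no `$notice_threshold`, while its sibling SQL_ATTACKS_AGAINST now sets `$notice_threshold=50`; with `$log=F` that filter neither logs its counts nor states when SQL_Injection_Attacker should fire, so unless the framework supplies a default the attacker-side notice may never be raised. Adding `$notice_threshold=50` (or whatever per-source rate is intended) to the SQL_ATTACKS record would make the two filters consistent. Flipping both filters to `$log=F` and widening the break interval to 5mins also means a source that stays under 50 hits per 5 minutes presumably leaves no entry in the metrics log, so the only remaining trace is the URI_SQLI tag set in http_request; that trade-off deserves a comment above the first call, e.g. `# Metric counts are not logged; sub-threshold activity is visible only through the URI_SQLI http tag.`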
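Review bot: The new trailing `1` argument on both Metrics::add_data calls is an unexplained literal, and a one-line comment would save the next reader a trip into the metrics framework, e.g. `# Count one hit per matching request, keyed both by the requesting host and by the targeted server.` Whether each call really counts exactly one request per invocation is inferred from the adjacent URI_SQLI tagging rather than shown here. The enclosing http_request handler and the condition guarding this block start outside the hunk, so the trigger for these counts is not visible in the change.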