From 83910eeb08679df068f910fa8edb04d9c92a43ae Mon Sep 17 00:00:00 2001
From: Sheharbano Khattak
Date: Tue, 9 Oct 2012 05:33:37 +0500
Subject: [PATCH] Added function to intercept threshold checking

---
 aux/binpac | 2 +-
 aux/bro-aux | 2 +-
 aux/broccoli | 2 +-
 aux/broctl | 2 +-
 aux/btest | 2 +-
 cmake | 2 +-
 scripts/base/frameworks/metrics/main.bro | 72 +++++++++++++++++++-----
 7 files changed, 65 insertions(+), 19 deletions(-)

diff --git a/aux/binpac b/aux/binpac
index 3034da8f08..a93ef13735 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 3034da8f082b61157e234237993ffd7a95be6e62
+Subproject commit a93ef1373512c661ffcd0d0a61bd19b96667e0d5
diff --git a/aux/bro-aux b/aux/bro-aux
index f53bcb2b49..6748ec3a96 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit f53bcb2b492cb0db3dd288384040abc2ab711767
+Subproject commit 6748ec3a96d582a977cd9114ef19c76fe75c57ff
diff --git a/aux/broccoli b/aux/broccoli
index a08ca90727..ebfa4de45a 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit a08ca90727c5c4b90aa8633106ec33a5cf7378d4
+Subproject commit ebfa4de45a839e58aec200e7e4bad33eaab4f1ed
diff --git a/aux/broctl b/aux/broctl
index 954538514d..b0e3c0d846 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 954538514d71983e7ef3f0e109960466096e1c1d
+Subproject commit b0e3c0d84643878c135dcb8a9774ed78147dd648
diff --git a/aux/btest b/aux/btest
index 9c9fde204d..44a43e6245 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 9c9fde204dd5518bdfdb8b4a86d38ed06e597209
+Subproject commit 44a43e62452302277f88e8fac08d1f979dc53f98
diff --git a/cmake b/cmake
index 2cc1055770..125f9a5fa8 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 2cc105577044a2d214124568f3f2496ed2ccbb34
+Subproject commit 125f9a5fa851381d0350efa41a4d14f27be263a2
diff --git a/scripts/base/frameworks/metrics/main.bro b/scripts/base/frameworks/metrics/main.bro
index 0e2496ef16..744eaf731d 100644
--- a/scripts/base/frameworks/metrics/main.bro
+++ b/scripts/base/frameworks/metrics/main.bro
@@ -103,12 +103,20 @@ export {
 notice_threshold: count &optional;
 ## A series of thresholds at which to generate notices.
 notice_thresholds: vector of count &optional;
- ## How often this notice should be raised for this filter. It
- ## will be generated everytime it crosses a threshold, but if the
- ## $break_interval is set to 5mins and this is set to 1hr the notice
- ## only be generated once per hour even if something crosses the
- ## threshold in every break interval.
- notice_freq: interval &optional;
+
+ ## Sheharbano's additions
+ ##--------------------------------------------
+ ## A straight threshold for generating a notice.
+ default_threshold: count &optional;
+ ## Represents Index specific thresholds, that is we can
+ ## have different thresholds for different Index values.
+ ## If the threshold for an Index is not specified in ,
+ ## will be used as default.
+ custom_thresholds: table[Index] of count &optional;
+ ## A predicate so that you can decide when to flexibly declare when
+ ## a threshold crossed, and do extra stuff
+ check_threshold: function(index: Index, default_thresh: count,
+ custom_thresh: table[Index] of count, val: count ): bool &optional;
 };
 ## Function to associate a metric filter with a metric ID.
@@ -262,6 +270,11 @@ function add_filter(id: string, filter: Filter)
 print "INVALID Metric filter: Defined both $notice_threshold and $notice_thresholds";
 return;
 }
+ if ( !filter?$default_threshold && !filter?$custom_thresholds )
+ {
+ print "INVALID Metric filter: Must define one of $default_threshold and $custom_thresholds";
+ return;
+ }
 if ( ! filter?$id )
 filter$id = id;
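Review bot: The doc comment on `custom_thresholds` has two empty slots where field names belong ("not specified in , will be used as default"), so the generated documentation never says which field is the fallback; suggest `## If no threshold is given for an Index in custom_thresholds, default_threshold is used.` The `check_threshold` doc should state the predicate's contract — that returning T raises the notice, and that `default_thresh` arrives as 0 and `custom_thresh` as an empty table when the filter does not set them, since that is what check_notice substitutes in the hunk below. `## Sheharbano's additions` and the dashed rule are an author mark rather than documentation and should be dropped. Removing `notice_freq` from the exported record will break any script that still sets it in a filter; if that is intended it belongs in the commit message.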
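Review bot: The added check rejects any filter that sets only `notice_threshold` or `notice_thresholds`, even though the preceding check still validates those fields and the export block still declares them; with the threshold lookup in check_notice also commented out in the hunk below, such a filter is silently dropped at registration and its notices stop, reported only by a `print` to stdout. Either accept the legacy fields here, e.g. `if ( ! filter?$default_threshold && ! filter?$custom_thresholds && ! filter?$notice_threshold && ! filter?$notice_thresholds )`, or remove them from the record so the incompatibility is caught at parse time. A filter that supplies only `check_threshold` is also rejected, although check_notice is written to call it with placeholder values. The `print` matches the existing check, but a misconfigured detection filter is the kind of error operators need to see; `Reporter::error` would reach them where stdout does not. add_filter continues outside the hunk.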
@@ -349,15 +362,43 @@ function add_unique(id: string, index: Index, data: string)
 function check_notice(filter: Filter, index: Index, val: count): bool
 {
- if ( (filter?$notice_threshold &&
- [filter$id, filter$name, index] !in thresholds &&
- val >= filter$notice_threshold) ||
- (filter?$notice_thresholds &&
- |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] &&
- val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) )
- return T;
+ ## It's possible for a user to skip defining either default_threshold or custom_thresholds.
+ ## Therefore must check which one is missing, so we can craft and send a dummy value in the function
+
+ local cust_thresh: table[Index] of count;
+ local def_thresh = 0;
+
+ if ( filter?$custom_thresholds )
+ cust_thresh = filter$custom_thresholds;
+
+ if ( filter?$default_threshold )
+ def_thresh = filter$default_threshold;
+
+ if ( filter?$check_threshold )
+ return filter$check_threshold( index, def_thresh, cust_thresh, val );
+ else
+ {
+ if ( index in cust_thresh )
+ {
+ if ( val > cust_thresh[index] )
+ return T;
+ }
+ else if ( val > def_thresh)
+ return T;
+ return F;
+ }
+
+ #if ( (filter?$notice_threshold &&
+ # [filter$id, filter$name, index] !in thresholds &&
+ # val >= filter$notice_threshold) ||
+ # (filter?$notice_thresholds &&
+ # |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] &&
+ # val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) )
+ #return T;
+ #else
+ #return F;
 }
 function do_notice(filter: Filter, index: Index, val: count)
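Review bot: In the fallback branch `else if ( val > def_thresh)`, `def_thresh` is 0 whenever the filter does not set `default_threshold`, so a filter that defines only `custom_thresholds` raises a notice for every index not listed in that table as soon as its value reaches 1 — the placeholder cannot be told apart from a configured threshold of 0. Guard the fallback on the field being present, `else if ( filter?$default_threshold && val > def_thresh )`, so an unlisted index with no default is simply not alerted on. The comparison also moved from `>=` in the removed lines to `>`, so a value exactly equal to a threshold no longer fires; if that is intentional, the `default_threshold` and `custom_thresholds` docs should say "exceeds". The commented-out old logic should be deleted rather than kept, and the `##` markers inside the body are Broxygen doc syntax and should be plain `#` comments.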
@@ -377,7 +418,12 @@ function do_notice(filter: Filter, index: Index, val: count)
 # TODO: not sure where to put the network yet.
 NOTICE(n);
+
+ # Resetting unique values
+ local metric_tbl = store[filter$id, filter$name];
+ metric_tbl[index]$unique_vals = set();
+
 # This just needs set to some value so that it doesn't refire the
 # notice until it expires from the table or it crosses the next
 # threshold in the case of vectors of thresholds.
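Review bot: The context comment right after the added lines still says the write to `thresholds` keeps the notice from re-firing, but check_notice in the hunk above no longer reads that table, so the suppression it describes is gone and the comment is now misleading; either update it or restore the lookup. The reset added here only clears `unique_vals`, so for a count-based filter whose value stays above threshold the notice would, as far as this hunk shows, fire again on every check — worth confirming against the counting path outside the hunk. `local metric_tbl = store[filter$id, filter$name]` relies on table values being references so that the assignment on the next line mutates the stored entry; a one-line comment, `# tables are reference values, this clears the stored set in place`, would make that explicit. do_notice's body starts before this hunk.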