Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 17:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Added function to intercept threshold checking

Browse source
This commit is contained in:
Sheharbano Khattak 2012-10-09 05:33:37 +05:00
parent 6750b0f7b9
commit 83910eeb08
7 changed files with 65 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

2
aux/binpac

@ -1 +1 @@
Subproject commit 3034da8f082b61157e234237993ffd7a95be6e62 Subproject commit a93ef1373512c661ffcd0d0a61bd19b96667e0d5

2
aux/bro-aux

@ -1 +1 @@
Subproject commit f53bcb2b492cb0db3dd288384040abc2ab711767 Subproject commit 6748ec3a96d582a977cd9114ef19c76fe75c57ff

2
aux/broccoli

@ -1 +1 @@
Subproject commit a08ca90727c5c4b90aa8633106ec33a5cf7378d4 Subproject commit ebfa4de45a839e58aec200e7e4bad33eaab4f1ed

2
aux/broctl

@ -1 +1 @@
Subproject commit 954538514d71983e7ef3f0e109960466096e1c1d Subproject commit b0e3c0d84643878c135dcb8a9774ed78147dd648

2
aux/btest

@ -1 +1 @@
Subproject commit 9c9fde204dd5518bdfdb8b4a86d38ed06e597209 Subproject commit 44a43e62452302277f88e8fac08d1f979dc53f98

2
cmake

@ -1 +1 @@
Subproject commit 2cc105577044a2d214124568f3f2496ed2ccbb34 Subproject commit 125f9a5fa851381d0350efa41a4d14f27be263a2

72
scripts/base/frameworks/metrics/main.bro
View file

@ -103,12 +103,20 @@ export {
notice_threshold: count &optional; notice_threshold: count &optional;
## A series of thresholds at which to generate notices. ## A series of thresholds at which to generate notices.
notice_thresholds: vector of count &optional; notice_thresholds: vector of count &optional;
## How often this notice should be raised for this filter. It
## will be generated everytime it crosses a threshold, but if the ## Sheharbano's additions
## $break_interval is set to 5mins and this is set to 1hr the notice ##--------------------------------------------
## only be generated once per hour even if something crosses the ## A straight threshold for generating a notice.
## threshold in every break interval. default_threshold: count &optional;
notice_freq: interval &optional; ## Represents Index specific thresholds, that is we can
## have different thresholds for different Index values.
## If the threshold for an Index is not specified in <dynamic_thresholds>,
## <threshold> will be used as default.
custom_thresholds: table[Index] of count &optional;
## A predicate so that you can decide when to flexibly declare when
## a threshold crossed, and do extra stuff
check_threshold: function(index: Index, default_thresh: count,
custom_thresh: table[Index] of count, val: count ): bool &optional;
}; };
## Function to associate a metric filter with a metric ID. ## Function to associate a metric filter with a metric ID.
@ -262,6 +270,11 @@ function add_filter(id: string, filter: Filter)
print "INVALID Metric filter: Defined both $notice_threshold and $notice_thresholds"; print "INVALID Metric filter: Defined both $notice_threshold and $notice_thresholds";
return; return;
} }
if ( !filter?$default_threshold && !filter?$custom_thresholds )
{
print "INVALID Metric filter: Must define one of $default_threshold and $custom_thresholds";
return;
}
if ( ! filter?$id ) if ( ! filter?$id )
filter$id = id; filter$id = id;
@ -349,15 +362,43 @@ function add_unique(id: string, index: Index, data: string)
function check_notice(filter: Filter, index: Index, val: count): bool function check_notice(filter: Filter, index: Index, val: count): bool
{ {
if ( (filter?$notice_threshold && ## It's possible for a user to skip defining either default_threshold or custom_thresholds.
[filter$id, filter$name, index] !in thresholds && ## Therefore must check which one is missing, so we can craft and send a dummy value in the function
val >= filter$notice_threshold) ||
(filter?$notice_thresholds && local cust_thresh: table[Index] of count;
|filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] && local def_thresh = 0;
val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) )
return T; if ( filter?$custom_thresholds )
cust_thresh = filter$custom_thresholds;
if ( filter?$default_threshold )
def_thresh = filter$default_threshold;
if ( filter?$check_threshold )
return filter$check_threshold( index, def_thresh, cust_thresh, val );
else else
{
if ( index in cust_thresh )
{
if ( val > cust_thresh[index] )
return T;
}
else if ( val > def_thresh)
return T;
return F; return F;
}
#if ( (filter?$notice_threshold &&
# [filter$id, filter$name, index] !in thresholds &&
# val >= filter$notice_threshold) ||
# (filter?$notice_thresholds &&
# |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] &&
# val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) )
#return T;
#else
#return F;
} }
function do_notice(filter: Filter, index: Index, val: count) function do_notice(filter: Filter, index: Index, val: count)
@ -378,6 +419,11 @@ function do_notice(filter: Filter, index: Index, val: count)
NOTICE(n); NOTICE(n);
# Resetting unique values
local metric_tbl = store[filter$id, filter$name];
metric_tbl[index]$unique_vals = set();
# This just needs set to some value so that it doesn't refire the # This just needs set to some value so that it doesn't refire the
# notice until it expires from the table or it crosses the next # notice until it expires from the table or it crosses the next
# threshold in the case of vectors of thresholds. # threshold in the case of vectors of thresholds.