Added function to intercept threshold checking

2025-10-07 17:18:20 +00:00 · 2012-10-09 05:33:37 +05:00 · 2012-10-09 05:33:37 +05:00 · 83910eeb08
commit 83910eeb08
parent 6750b0f7b9
7 changed files with 65 additions and 19 deletions
--- a/aux/binpac
+++ b/aux/binpac
@ -1 +1 @@
-Subproject commit 3034da8f082b61157e234237993ffd7a95be6e62
+Subproject commit a93ef1373512c661ffcd0d0a61bd19b96667e0d5
--- a/aux/bro-aux
+++ b/aux/bro-aux
@ -1 +1 @@
-Subproject commit f53bcb2b492cb0db3dd288384040abc2ab711767
+Subproject commit 6748ec3a96d582a977cd9114ef19c76fe75c57ff
--- a/aux/broccoli
+++ b/aux/broccoli
@ -1 +1 @@
-Subproject commit a08ca90727c5c4b90aa8633106ec33a5cf7378d4
+Subproject commit ebfa4de45a839e58aec200e7e4bad33eaab4f1ed
--- a/aux/broctl
+++ b/aux/broctl
@ -1 +1 @@
-Subproject commit 954538514d71983e7ef3f0e109960466096e1c1d
+Subproject commit b0e3c0d84643878c135dcb8a9774ed78147dd648
--- a/aux/btest
+++ b/aux/btest
@ -1 +1 @@
-Subproject commit 9c9fde204dd5518bdfdb8b4a86d38ed06e597209
+Subproject commit 44a43e62452302277f88e8fac08d1f979dc53f98
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 2cc105577044a2d214124568f3f2496ed2ccbb34
+Subproject commit 125f9a5fa851381d0350efa41a4d14f27be263a2
--- a/scripts/base/frameworks/metrics/main.bro
+++ b/scripts/base/frameworks/metrics/main.bro
@ -103,12 +103,20 @@ export {
 		notice_threshold:  count                   &optional;
 		## A series of thresholds at which to generate notices.
 		notice_thresholds: vector of count         &optional;
-		## How often this notice should be raised for this filter.  It 
-		## will be generated everytime it crosses a threshold, but if the 
-		## $break_interval is set to 5mins and this is set to 1hr the notice
-		## only be generated once per hour even if something crosses the
-		## threshold in every break interval.
-		notice_freq:       interval                &optional;
+		
+		## Sheharbano's additions
+		##--------------------------------------------
+		## A straight threshold for generating a notice.
+		default_threshold:  count                   &optional;
+		## Represents Index specific thresholds, that is we can
+		## have different thresholds for different Index values.
+		## If the threshold for an Index is not specified in <dynamic_thresholds>,
+		## <threshold> will be used as default.
+		custom_thresholds: table[Index] of count         &optional;
+		## A predicate so that you can decide when to flexibly declare when 
+		## a threshold crossed, and do extra stuff
+		check_threshold:     function(index: Index, default_thresh: count, 
+					custom_thresh: table[Index] of count, val: count ): bool &optional;
 	};
 	
 	## Function to associate a metric filter with a metric ID.
@ -262,6 +270,11 @@ function add_filter(id: string, filter: Filter)
 		print "INVALID Metric filter: Defined both $notice_threshold and $notice_thresholds";
 		return;
 		}
+	if ( !filter?$default_threshold && !filter?$custom_thresholds )
+		{
+		print "INVALID Metric filter: Must define one of $default_threshold and $custom_thresholds";
+		return;
+		}
 	
 	if ( ! filter?$id )
 		filter$id = id;
@ -349,17 +362,45 @@ function add_unique(id: string, index: Index, data: string)
 	
 function check_notice(filter: Filter, index: Index, val: count): bool
 	{
-	if ( (filter?$notice_threshold &&
-	      [filter$id, filter$name, index] !in thresholds &&
-	      val >= filter$notice_threshold) ||
-	     (filter?$notice_thresholds &&
-	      |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] &&
-	      val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) )
-		return T;
+	## It's possible for a user to skip defining either default_threshold or custom_thresholds.
+	## Therefore must check which one is missing, so we can craft and send a dummy value in the function
+
+	local cust_thresh: table[Index] of count;
+	local def_thresh = 0;
+
+	if ( filter?$custom_thresholds )
+		cust_thresh = filter$custom_thresholds;
+
+	if ( filter?$default_threshold )
+		def_thresh = filter$default_threshold;
+
+	if ( filter?$check_threshold )
+		return filter$check_threshold( index, def_thresh, cust_thresh, val );
+
 	else
+		{
+		if ( index in cust_thresh )
+			{
+			if ( val > cust_thresh[index] )
+				return T;
+			}
+		else if ( val > def_thresh)
+			return T;
+
 		return F;
 		}

+	#if ( (filter?$notice_threshold &&
+		 #     [filter$id, filter$name, index] !in thresholds &&
+		  #    val >= filter$notice_threshold) ||
+		   #  (filter?$notice_thresholds &&
+		    #  |filter$notice_thresholds| <= thresholds[filter$id, filter$name, index] &&
+		     # val >= filter$notice_thresholds[thresholds[filter$id, filter$name, index]]) )
+			#return T;
+		#else
+			#return F;
+	}
+		
 function do_notice(filter: Filter, index: Index, val: count)
 	{
 	# We include $peer_descr here because the a manager count have actually 
@ -378,6 +419,11 @@ function do_notice(filter: Filter, index: Index, val: count)
 	
 	NOTICE(n);

+	# Resetting unique values
+	local metric_tbl = store[filter$id, filter$name];
+	metric_tbl[index]$unique_vals = set();
+	
+
 	# This just needs set to some value so that it doesn't refire the 
 	# notice until it expires from the table or it crosses the next 
 	# threshold in the case of vectors of thresholds.