Move UnknownProtocol options to init-bare.zeek

Otherwise the `unknown_protocol` event cannot be used independently from `policy/mic/unknown-protocols.zeek`.
2025-10-14 04:28:20 +00:00 · 2020-11-11 12:58:38 -08:00 · 2020-11-11 12:58:38 -08:00 · 89af6f2004
commit 89af6f2004
parent 49094688fd
6 changed files with 34 additions and 26 deletions
--- a/scripts/policy/misc/unknown-protocols.zeek
+++ b/scripts/policy/misc/unknown-protocols.zeek
@ -26,25 +26,6 @@ export {
 		## header.
 		first_bytes:  string   &log;
 	};
-
-	## How many reports for an analyzer/protocol pair will be allowed to
-	## raise events before becoming rate-limited.
-	const sampling_threshold : count = 3 &redef;
-
-	## The rate-limiting sampling rate. One out of every of this number of
-	## rate-limited pairs of a given type will be allowed to raise events
-	## for further script-layer handling. Setting the sampling rate to 0
-	## will disable all output of rate-limited pairs.
-	const sampling_rate : count = 100000 &redef;
-
-	## How long an analyzer/protocol pair is allowed to keep state/counters in
-	## in memory. Once the threshold has been hit, this is the amount of time
-	## before the rate-limiting for a pair expires and is reset.
-	const sampling_duration = 1hr &redef;
-
-	## The number of bytes to extract from the next header and log in the
-	## first bytes field.
-	const first_bytes_count = 10 &redef;
 }

 event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)