Remove variable content from weird names

This changes many weird names to move non-static content from the weird name into the "addl" field to help ensure the total number of weird names is reasonably bounded. Note the net_weird and flow_weird events do not have an "addl" parameter, so information may no longer be available in those cases -- to make it available again we'd need to either (1) define new events that contain such a parameter, or (2) change net_weird/flow_weird event signature (which is a breaking change for user-code at the moment). Also, the generic handling of binpac exceptions for analyzers which to not otherwise catch and handle them has been changed from a Weird to a ProtocolViolation. Finally, a new "file_weird" event has been added for reporting weirdness found during file analysis.
2025-10-04 07:38:19 +00:00 · 2019-04-01 18:27:53 -07:00 · 2019-04-01 18:27:53 -07:00 · 995368e68c
commit 995368e68c
parent 956674745b
47 changed files with 289 additions and 152 deletions
--- a/src/WeirdState.cc
+++ b/src/WeirdState.cc
@ -0,0 +1,30 @@
+#include "WeirdState.h"
+#include "Net.h"
+
+bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold,
+                 uint64_t rate, double duration)
+    {
+	auto& state = wsm[name];
+	++state.count;
+
+	if ( state.count <= threshold )
+		return true;
+
+	if ( state.count == threshold + 1)
+		state.sampling_start_time = network_time;
+	else
+		{
+		if ( network_time > state.sampling_start_time + duration )
+			{
+			state.sampling_start_time = 0;
+			state.count = 1;
+			return true;
+			}
+		}
+
+	auto num_above_threshold = state.count - threshold;
+	if ( rate )
+		return num_above_threshold % rate == 0;
+	else
+		return false;
+    }