Adding metrics framework intermediate updates.

- Since each host in a cluster has it's own view of the metrics
  the only time the manager would get a chance for a global view
  is the break_interval.  This update improves that time.  If a
  worker crosses 10% of the full threshold, it will send it's
  value to the manager which can then ask the rest of the cluster
  for a global view.  The manager then adds all of the values for
  each workers metric indexes together and will do the notice
  if it crosses the threshold so that it isn't dependent on
  waiting for the break interval to hit.  This functionality
  works completely independently of the break_interval too.  Logging
  will happen as normal.

- Small update for SSH bruteforcer detection to match additions in
  the metrics framework API.

- The hope is that this update is mostly invisible from anyone's
  perspective.  The only affect it should have on users is to better
  the detection of metric values crossing thresholds on cluster
  deployments.

testing/btest/Baseline/policy.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log

@@ -0,0 +1,2 @@
+# ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+1313897486.017657	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 100/100	-	1.2.3.4	-	-	100	manager-1	Notice::ACTION_LOG	4	-	-	-	-	-	-	1.2.3.4	-	-

testing/btest/Baseline/policy.frameworks.metrics.notice/notice.log

@@ -1,4 +1,3 @@
 # ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
-1313508844.321207	-	-	-	-	-	Test_Notice	Metrics threshold crossed by metric_index(host=6.5.4.3) 2/1	-	6.5.4.3	-	-	2	bro	Notice::ACTION_LOG	4	-	-	-	-	-	-	6.5.4.3	-	-
-1313508844.321207	-	-	-	-	-	Test_Notice	Metrics threshold crossed by metric_index(host=1.2.3.4) 3/1	-	1.2.3.4	-	-	3	bro	Notice::ACTION_LOG	4	-	-	-	-	-	-	1.2.3.4	-	-
-1313508844.321207	-	-	-	-	-	Test_Notice	Metrics threshold crossed by metric_index(host=7.2.1.5) 1/1	-	7.2.1.5	-	-	1	bro	Notice::ACTION_LOG	4	-	-	-	-	-	-	7.2.1.5	-	-
+1313685819.326521	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 3/2	-	1.2.3.4	-	-	3	bro	Notice::ACTION_LOG	4	-	-	-	-	-	-	1.2.3.4	-	-
+1313685819.326521	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=6.5.4.3) 2/2	-	6.5.4.3	-	-	2	bro	Notice::ACTION_LOG	4	-	-	-	-	-	-	6.5.4.3	-	-

testing/btest/policy/frameworks/metrics/basic-cluster.bro

@@ -24,15 +24,11 @@ event bro_init() &priority=5
 	Metrics::add_filter(TEST_METRIC, 
 		[$name="foo-bar",
 		 $break_interval=3secs]);
+		
+	if ( Cluster::local_node_type() == Cluster::WORKER )
+		{
+		Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3);
+		Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2);
+		Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1);
+		}
 	}
-
-@if ( Cluster::local_node_type() == Cluster::WORKER )
-
-event bro_init()
-	{
-	Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3);
-	Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2);
-	Metrics::add_data(TEST_METRIC, [$host=7.2.1.5], 1);
-	}
-
-@endif

testing/btest/policy/frameworks/metrics/cluster-intermediate-update.bro

@@ -0,0 +1,54 @@
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run proxy-1   BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT
+# @TEST-EXEC: sleep 1
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT 
+# @TEST-EXEC: btest-bg-run worker-2  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff manager-1/notice.log
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")],
+	["proxy-1"] = [$node_type=Cluster::PROXY,     $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")],
+	["worker-1"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"],
+	["worker-2"] = [$node_type=Cluster::WORKER,   $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth1"],
+};
+@TEST-END-FILE
+
+redef enum Notice::Type += {
+	Test_Notice,
+};
+
+redef enum Metrics::ID += {
+	TEST_METRIC,
+};
+
+event bro_init() &priority=5
+	{
+	Metrics::add_filter(TEST_METRIC,
+		[$name="foo-bar",
+		 $break_interval=1hr,
+		 $note=Test_Notice,
+		 $notice_threshold=100,
+		 $log=T]);
+	}
+
+@if ( Cluster::local_node_type() == Cluster::WORKER )
+
+event do_metrics(i: count)
+	{
+	# Worker-1 will trigger an intermediate update and then if everything
+	# works correctly, the data from worker-2 will hit the threshold and
+	# should trigger the notice.
+	Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], i);
+	}
+
+event bro_init()
+	{
+	if ( Cluster::node == "worker-1" )
+		schedule 2sec { do_metrics(99) };
+	if ( Cluster::node == "worker-2" )
+		event do_metrics(1);
+	}
+
+@endif

testing/btest/policy/frameworks/metrics/notice.bro

@@ -1,6 +1,7 @@
 # @TEST-EXEC: bro %INPUT
 # @TEST-EXEC: btest-diff notice.log
 
+
 redef enum Notice::Type += {
 	Test_Notice,
 };
@@ -15,7 +16,7 @@ event bro_init() &priority=5
 		[$name="foo-bar",
 		 $break_interval=3secs,
 		 $note=Test_Notice,
-		 $notice_threshold=1,
+		 $notice_threshold=2,
 		 $log=F]);
 	Metrics::add_data(TEST_METRIC, [$host=1.2.3.4], 3);
 	Metrics::add_data(TEST_METRIC, [$host=6.5.4.3], 2);