Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fix connection duration thresholding

Browse source 
Connection durations were being compared "less than" instead of "greater
than" the desired duration threshold as provided to
set_current_conn_bytes_threshold() or
ConnThreshold::set_duration_threshold()
This commit is contained in:
Jon Siwek 2020-04-06 13:32:32 -07:00
parent e66148a13a
commit bc5844b24c
4 changed files with 9 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/analyzer/protocol/conn-size/ConnSize.cc
View file

@ -90,7 +90,7 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
if ( duration_thresh != 0 ) if ( duration_thresh != 0 )
{ {
if ( duration_thresh > ( network_time - start_time ) && conn_duration_threshold_crossed ) if ( ( network_time - start_time ) > duration_thresh && conn_duration_threshold_crossed )
{ {
EnqueueConnEvent(conn_duration_threshold_crossed, EnqueueConnEvent(conn_duration_threshold_crossed,
IntrusivePtr{AdoptRef{}, BuildConnVal()}, IntrusivePtr{AdoptRef{}, BuildConnVal()},

7
testing/btest/Baseline/core.conn-size-threshold/.stdout
View file

@ -8,8 +8,8 @@ Threshold set for [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, r
2000 2000
63 63
50 50
0.0 0.1, 0.053051
triggered duration, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 0.1, T triggered duration, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 0.1, F, 0.10508
triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2000, F triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2000, F
triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 3000, T triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 3000, T
triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 50, F triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 50, F
@ -23,6 +23,7 @@ Threshold set for [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151
2000 2000
63 63
50 50
0.1 0.0, 0.176573
triggered duration, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 0.1, T, 0.176573
triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 2000, F triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 2000, F
triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 63, T triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 63, T

4
testing/btest/Baseline/scripts.base.protocols.conn.threshold/.stdout
View file

@ -1,12 +1,12 @@
Threshold set for [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp] Threshold set for [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp]
triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 1, T triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 1, T
triggered duration, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 0.2, T triggered duration, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 0.2, F
triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2000, F triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2000, F
triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2500, T triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2500, T
triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2700, T triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2700, T
triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 50, F triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 50, F
Threshold set for [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp] Threshold set for [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 1, T triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 1, T
triggered duration, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 0.2, T triggered duration, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 0.2, F
triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 2000, F triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 2000, F
triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 52, F triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 52, F

4
testing/btest/core/conn-size-threshold.zeek
View file

@ -23,7 +23,7 @@ event connection_established(c: connection)
print get_current_conn_bytes_threshold(c$id, F); print get_current_conn_bytes_threshold(c$id, F);
print get_current_conn_packets_threshold(c$id, T); print get_current_conn_packets_threshold(c$id, T);
print get_current_conn_packets_threshold(c$id, F); print get_current_conn_packets_threshold(c$id, F);
print get_current_conn_duration_threshold(c$id); print get_current_conn_duration_threshold(c$id), c$duration;
} }
event conn_bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool) event conn_bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
@ -38,5 +38,5 @@ event conn_packets_threshold_crossed(c: connection, threshold: count, is_orig: b
event conn_duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool) event conn_duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
{ {
print "triggered duration", c$id, threshold, is_orig; print "triggered duration", c$id, threshold, is_orig, c$duration;
} }