mirror of
https://github.com/zeek/zeek.git
synced 2025-10-16 21:48:21 +00:00
Merge remote-tracking branch 'origin/topic/jsiwek/empty-lines'
* origin/topic/jsiwek/empty-lines: Add 'smtp_excessive_pending_cmds' weird Fix SMTP command string comparisons Improve handling of empty lines in several text protocol analyzers Add rate-limiting sampling mechanism for weird events Teach timestamp canonifier about timestamps before ~2001
This commit is contained in:
Jon Siwek
commit
bcf97f70ea
31 changed files with 1078 additions and 15 deletions
|
|
@ -82,6 +82,13 @@ type addr_vec: vector of addr;
|
|||
## directly and then remove this alias.
|
||||
type table_string_of_string: table[string] of string;
|
||||
|
||||
## A table of counts indexed by strings.
|
||||
##
|
||||
## .. todo:: We need this type definition only for declaring builtin functions
|
||||
## via ``bifcl``. We should extend ``bifcl`` to understand composite types
|
||||
## directly and then remove this alias.
|
||||
type table_string_of_count: table[string] of count;
|
||||
|
||||
## A set of file analyzer tags.
|
||||
##
|
||||
## .. todo:: We need this type definition only for declaring builtin functions
|
||||
|
|
@ -626,6 +633,17 @@ type BrokerStats: record {
|
|||
num_ids_outgoing: count;
|
||||
};
|
||||
|
||||
## Statistics about reporter messages and weirds.
|
||||
##
|
||||
## .. bro:see:: get_reporter_stats
|
||||
type ReporterStats: record {
|
||||
## Number of total weirds encountered, before any rate-limiting.
|
||||
weirds: count;
|
||||
## Number of times each individual weird is encountered, before any
|
||||
## rate-limiting is applied.
|
||||
weirds_by_type: table[string] of count;
|
||||
};
|
||||
|
||||
## Deprecated.
|
||||
##
|
||||
## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere
|
||||
|
|
@ -4826,6 +4844,35 @@ export {
|
|||
type Cluster::Pool: record {};
|
||||
}
|
||||
|
||||
module Weird;
|
||||
export {
|
||||
## Prevents rate-limiting sampling of any weirds named in the table.
|
||||
const sampling_whitelist: set[string] &redef;
|
||||
|
||||
## How many weirds of a given type to tolerate before sampling begins.
|
||||
## i.e. this many consecutive weirds of a given type will be allowed to
|
||||
## raise events for script-layer handling before being rate-limited.
|
||||
const sampling_threshold = 25 &redef;
|
||||
|
||||
## The rate-limiting sampling rate. One out of every of this number of
|
||||
## rate-limited weirds of a given type will be allowed to raise events
|
||||
## for further script-layer handling.
|
||||
const sampling_rate = 1000 &redef;
|
||||
|
||||
## How long a weird of a given type is allowed to keep state/counters in
|
||||
## memory. For "net" weirds an expiration timer starts per weird name when
|
||||
## first initializing its counter. For "flow" weirds an expiration timer
|
||||
## starts once per src/dst IP pair for the first weird of any name. For
|
||||
## "conn" weirds, counters and expiration timers are kept for the duration
|
||||
## of the connection for each named weird and reset when necessary. e.g.
|
||||
## if a "conn" weird by the name of "foo" is seen more than
|
||||
## :bro:see:`Weird::sampling_threshold` times, then an expiration timer
|
||||
## begins for "foo" and upon triggering will reset the counter for "foo"
|
||||
## and unthrottle its rate-limiting until it once again exceeds the
|
||||
## threshold.
|
||||
const sampling_duration = 10min &redef;
|
||||
}
|
||||
|
||||
module GLOBAL;
|
||||
|
||||
## Seed for hashes computed internally for probabilistic data structures. Using
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue