From bec98b98f33432e9e7c6f33f4ec9cbb8f9a3ba7d Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 5 Sep 2018 12:59:57 -0700
Subject: [PATCH] Weird settings: make constants into options.
The new weird settings are now all updateable during runtime.
---
 scripts/base/frameworks/config/__load__.bro | 1 +
 scripts/base/frameworks/config/weird.bro | 44 +++
 scripts/base/init-bare.bro | 8 +-
 src/Reporter.cc | 14 +-
 src/Reporter.h | 82 +++-
 src/reporter.bif | 99 +++++
 .../config.log | 13 +
 .../output | 360 ++++++++++++++++++
 .../scripts/base/frameworks/config/weird.bro | 66 ++++
 9 files changed, 675 insertions(+), 12 deletions(-)
 create mode 100644 scripts/base/frameworks/config/weird.bro
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.weird/config.log
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.weird/output
 create mode 100644 testing/btest/scripts/base/frameworks/config/weird.bro
diff --git a/scripts/base/frameworks/config/__load__.bro b/scripts/base/frameworks/config/__load__.bro
index 0a7a8d0713..e27097abaf 100644
--- a/scripts/base/frameworks/config/__load__.bro
+++ b/scripts/base/frameworks/config/__load__.bro
@@ -1,2 +1,3 @@
 @load ./main
 @load ./input
+@load ./weird
diff --git a/scripts/base/frameworks/config/weird.bro b/scripts/base/frameworks/config/weird.bro
new file mode 100644
index 0000000000..bc311e3029
--- /dev/null
+++ b/scripts/base/frameworks/config/weird.bro
@@ -0,0 +1,44 @@
+##! This script sets up the config framework change handlers for weirds.
+
+@load ./main
+
+module Config;
+
+function weird_option_change_sampling_whitelist(ID: string, new_value: string_set, location: string) : string_set
+ {
+ if ( ID == "Weird::sampling_whitelist" )
+ {
+ Reporter::set_weird_sampling_whitelist(new_value);
+ }
+ return new_value;
+ }
+
+function weird_option_change_count(ID: string, new_value: count, location: string) : count
+ {
+ if ( ID == "Weird::sampling_threshold" )
+ {
+ Reporter::set_weird_sampling_threshold(new_value);
+ }
+ else if ( ID == "Weird::sampling_rate" )
+ {
+ Reporter::set_weird_sampling_rate(new_value);
+ }
+ return new_value;
+ }
+
+function weird_option_change_interval(ID: string, new_value: interval, location: string) : interval
+ {
+ if ( ID == "Weird::sampling_duration" )
+ {
+ Reporter::set_weird_sampling_duration(new_value);
+ }
+ return new_value;
+ }
+
+event bro_init() &priority=5
+ {
+ Option::set_change_handler("Weird::sampling_whitelist", weird_option_change_sampling_whitelist, 5);
+ Option::set_change_handler("Weird::sampling_threshold", weird_option_change_count, 5);
+ Option::set_change_handler("Weird::sampling_rate", weird_option_change_count, 5);
+ Option::set_change_handler("Weird::sampling_duration", weird_option_change_interval, 5);
+ }
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 2a2f41ce7a..93bcc203b7 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
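Review bot: The handlers are registered at priority 5 and push `new_value` to the Reporter as soon as they run, so if a lower-priority change handler for the same option later returns a modified value, the script-level option and the C++ sampling state diverge; as far as this file shows, registering these at a low (negative) priority so they run last would forward the final value instead — worth confirming against Option::set_change_handler's chaining semantics. `weird_option_change_count` serves two IDs and silently returns the value for any other ID; an `else` branch calling `Reporter::warning` would catch a future option wired to the wrong handler. The three functions carry no `##` doc comment; a one-liner such as `## Change handler forwarding Weird::sampling_whitelist to the Reporter.` on each would match the rest of the framework scripts.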
@@ -4847,18 +4847,18 @@ export {
 module Weird;
 export {
 ## Prevents rate-limiting sampling of any weirds named in the table.
- const sampling_whitelist: set[string] &redef;
+ option sampling_whitelist: set[string] = {};
 ## How many weirds of a given type to tolerate before sampling begins.
 ## I.e. this many consecutive weirds of a given type will be allowed to
 ## raise events for script-layer handling before being rate-limited.
- const sampling_threshold = 25 &redef;
+ option sampling_threshold : count = 25;
 ## The rate-limiting sampling rate. One out of every of this number of
 ## rate-limited weirds of a given type will be allowed to raise events
 ## for further script-layer handling. Setting the sampling rate to 0
 ## will disable all output of rate-limited weirds.
- const sampling_rate = 1000 &redef;
+ option sampling_rate : count = 1000;
 ## How long a weird of a given type is allowed to keep state/counters in
 ## memory. For "net" weirds an expiration timer starts per weird name when
@@ -4871,7 +4871,7 @@ export {
 ## begins for "foo" and upon triggering will reset the counter for "foo"
 ## and unthrottle its rate-limiting until it once again exceeds the
 ## threshold.
- const sampling_duration = 10min &redef;
+ option sampling_duration = 10min;
 }
 module GLOBAL;
diff --git a/src/Reporter.cc b/src/Reporter.cc
index 5418cd49df..a21d0a0538 100644
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
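Review bot: `option sampling_duration = 10min;` in the second hunk is the only one of the four options that omits an explicit type; for consistency with `sampling_threshold : count` and `sampling_rate : count`, write `option sampling_duration: interval = 10min;`. The comment on `sampling_whitelist` says "named in the table" although the option is a `set[string]`; "named in this set" is accurate. Now that these are runtime-changeable, the `sampling_rate` doc could state that a config change to 0 silences every rate-limited weird for the running process until it is changed back, and that such changes are recorded in config.log — the new btest baseline shows exactly that record, which is what an operator would check when weird events go quiet.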
@@ -52,13 +52,13 @@ Reporter::~Reporter()
 void Reporter::InitOptions()
 {
- info_to_stderr = internal_const_val("Reporter::info_to_stderr")->AsBool();
- warnings_to_stderr = internal_const_val("Reporter::warnings_to_stderr")->AsBool();
- errors_to_stderr = internal_const_val("Reporter::errors_to_stderr")->AsBool();
- weird_sampling_rate = internal_const_val("Weird::sampling_rate")->AsCount();
- weird_sampling_threshold = internal_const_val("Weird::sampling_threshold")->AsCount();
- weird_sampling_duration = internal_const_val("Weird::sampling_duration")->AsInterval();
- auto wl_val = internal_const_val("Weird::sampling_whitelist")->AsTableVal();
+ info_to_stderr = internal_val("Reporter::info_to_stderr")->AsBool();
+ warnings_to_stderr = internal_val("Reporter::warnings_to_stderr")->AsBool();
+ errors_to_stderr = internal_val("Reporter::errors_to_stderr")->AsBool();
+ weird_sampling_rate = internal_val("Weird::sampling_rate")->AsCount();
+ weird_sampling_threshold = internal_val("Weird::sampling_threshold")->AsCount();
+ weird_sampling_duration = internal_val("Weird::sampling_duration")->AsInterval();
+ auto wl_val = internal_val("Weird::sampling_whitelist")->AsTableVal();
 auto wl_table = wl_val->AsTable();
 HashKey* k;
diff --git a/src/Reporter.h b/src/Reporter.h
index f5090ee91e..36f2f33d31 100644
--- a/src/Reporter.h
+++ b/src/Reporter.h
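Review bot: The whitelist conversion that begins at `auto wl_table = wl_val->AsTable();` / `HashKey* k;` is now duplicated verbatim by `Reporter::set_weird_sampling_whitelist` in src/reporter.bif (same RecoverIndex / Unref / delete sequence), so a fix to the iteration has to land twice; both callers should go through one TableVal-to-WeirdSet helper. `InitOptions()` continues past the end of this hunk, so the loop body itself is not visible here and I am inferring its shape from the copy in the BIF. I would move the loop into a helper declared in Reporter.h, have `InitOptions()` assign the member through it, and let the BIF call the same helper before `SetWeirdSamplingWhitelist()`.
```cpp
// Converts a script-layer set[string] into a WeirdSet; shared by
// InitOptions() and the Reporter::set_weird_sampling_whitelist BIF.
WeirdSet Reporter::TableValToWeirdSet(TableVal* wl_val)
	{
	WeirdSet result;
	auto wl_table = wl_val->AsTable();
	HashKey* k;
	IterCookie* c = wl_table->InitForIteration();
	TableEntryVal* v;

	while ( (v = wl_table->NextEntry(k, c)) )
		{
		auto index = wl_val->RecoverIndex(k);
		result.emplace(index->Index(0)->AsString()->CheckString());
		Unref(index);
		delete k;
		}

	return result;
	}

void Reporter::InitOptions()
	{
	// … unchanged: *_to_stderr and the three numeric sampling options …
	weird_sampling_whitelist = TableValToWeirdSet(internal_val("Weird::sampling_whitelist")->AsTableVal());
	}
```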
@@ -152,6 +152,87 @@ public:
 const WeirdCountMap& GetWeirdsByType() const { return weird_count_by_type; }
+ /**
+ * Sets the weird sampling whitelist.
+ *
+ * @param weird_sampling_whitelist New weird sampling whitelist.
+ */
+ WeirdSet GetWeirdSamplingWhitelist() const
+ {
+ return weird_sampling_whitelist;
+ }
+
+ /**
+ * Sets the weird sampling whitelist.
+ *
+ * @param weird_sampling_whitelist New weird sampling whitelist.
+ */
+ void SetWeirdSamplingWhitelist(const WeirdSet &weird_sampling_whitelist)
+ {
+ Reporter::weird_sampling_whitelist = weird_sampling_whitelist;
+ }
+
+ /**
+ * Gets the current weird sampling threshold.
+ *
+ * @return weird sampling threshold.
+ */
+ uint64 GetWeirdSamplingThreshold() const
+ {
+ return weird_sampling_threshold;
+ }
+
+ /**
+ * Sets the current weird sampling threshold.
+ *
+ * @param weird_sampling_threshold New weird sampling threshold.
+ */
+ void SetWeirdSamplingThreshold(uint64 weird_sampling_threshold)
+ {
+ Reporter::weird_sampling_threshold = weird_sampling_threshold;
+ }
+
+ /**
+ * Gets the current weird sampling rate.
+ *
+ * @return weird sampling rate.
+ */
+ uint64 GetWeirdSamplingRate() const
+ {
+ return weird_sampling_rate;
+ }
+
+ /**
+ * Sets the weird sampling rate.
+ *
+ * @param weird_sampling_rate New weird sampling rate.
+ */
+ void SetWeirdSamplingRate(uint64 weird_sampling_rate)
+ {
+ Reporter::weird_sampling_rate = weird_sampling_rate;
+ }
+
+ /**
+ * Gets the current weird sampling duration.
+ *
+ * @return weird sampling duration.
+ */
+ double GetWeirdSamplingDuration() const
+ {
+ return weird_sampling_duration;
+ }
+
+ /**
+ * Sets the current weird sampling duration. Please note that
+ * this will not delete already running timers.
+ *
+ * @param weird_sampling_duration New weird sampling duration.
+ */
+ void SetWeirdSamplingDuration(double weird_sampling_duration)
+ {
+ Reporter::weird_sampling_duration = weird_sampling_duration;
+ }
+
 private:
 void DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 Connection* conn, val_list* addl, bool location, bool time,
@@ -178,7 +259,6 @@ private:
 uint64 weird_count;
 WeirdCountMap weird_count_by_type;
- WeirdCountMap net_weird_state;
 WeirdFlowMap flow_weird_state;
diff --git a/src/reporter.bif b/src/reporter.bif
index a6463f6226..92088e5fc9 100644
--- a/src/reporter.bif
+++ b/src/reporter.bif
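Review bot: The comment above `WeirdSet GetWeirdSamplingWhitelist() const` is a copy of the setter's — it says "Sets the weird sampling whitelist." and documents a `@param` the getter does not have; it should read `Gets the weird sampling whitelist.` with `@return The current weird sampling whitelist.`. That getter also returns the set by value, copying it on every call, whereas `GetWeirdsByType()` directly above returns a const reference; `const WeirdSet& GetWeirdSamplingWhitelist() const` keeps the two consistent. In each setter the parameter carries the same name as the member it assigns, which is why the body needs the `Reporter::` qualifier; a distinct name such as `new_whitelist` removes the shadowing and the qualifier. The setter comments alternate between "Sets the current ..." and "Sets the ..." — one form would do.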
@@ -112,3 +112,102 @@ function Reporter::conn_weird%(name: string, c: connection, addl: string &defaul
 reporter->Weird(c, name->CheckString(), addl->CheckString());
 return new Val(1, TYPE_BOOL);
 %}
+
+## Gets the weird sampling whitelist
+##
+## Returns: Current weird sampling whitelist
+function Reporter::get_weird_sampling_whitelist%(%): string_set
+ %{
+ TableVal* set = new TableVal(string_set);
+ for ( auto el : reporter->GetWeirdSamplingWhitelist() )
+ {
+ set->Assign(new StringVal(el), nullptr);
+ }
+ return set;
+ %}
+
+## Sets the weird sampling whitelist
+##
+## whitelist: New weird sampling rate.
+##
+## Returns: Always true.
+function Reporter::set_weird_sampling_whitelist%(weird_sampling_whitelist: string_set%) : bool
+%{
+ auto wl_val = weird_sampling_whitelist->AsTableVal();
+ auto wl_table = wl_val->AsTable();
+ std::unordered_set whitelist_set;
+
+ HashKey* k;
+ IterCookie* c = wl_table->InitForIteration();
+ TableEntryVal* v;
+
+ while ( (v = wl_table->NextEntry(k, c)) )
+ {
+ auto index = wl_val->RecoverIndex(k);
+ string key = index->Index(0)->AsString()->CheckString();
+ whitelist_set.emplace(move(key));
+ Unref(index);
+ delete k;
+ }
+ reporter->SetWeirdSamplingWhitelist(whitelist_set);
+ return new Val(1, TYPE_BOOL);
+%}
+
+## Gets the current weird sampling threshold
+##
+## Returns: current weird sampling threshold.
+function Reporter::get_weird_sampling_threshold%(%) : count
+ %{
+ return new Val(reporter->GetWeirdSamplingThreshold(), TYPE_COUNT);
+ %}
+
+## Sets the current weird sampling threshold
+##
+## threshold: New weird sampling threshold.
+##
+## Returns: Always returns true;
+function Reporter::set_weird_sampling_threshold%(weird_sampling_threshold: count%) : bool
+ %{
+ reporter->SetWeirdSamplingThreshold(weird_sampling_threshold);
+ return new Val(1, TYPE_BOOL);
+ %}
+
+
+## Gets the current weird sampling rate.
+##
+## Returns: weird sampling rate.
+function Reporter::get_weird_sampling_rate%(%) : count
+ %{
+ return new Val(reporter->GetWeirdSamplingRate(), TYPE_COUNT);
+ %}
+
+## Sets the weird sampling rate.
+##
+## weird_sampling_rate: New weird sampling rate.
+##
+## Returns: Always returns true.
+function Reporter::set_weird_sampling_rate%(weird_sampling_rate: count%) : bool
+ %{
+ reporter->SetWeirdSamplingRate(weird_sampling_rate);
+ return new Val(1, TYPE_BOOL);
+ %}
+
+## Gets the current weird sampling duration.
+##
+## Returns: weird sampling duration.
+function Reporter::get_weird_sampling_duration%(%) : interval
+ %{
+ return new Val(reporter->GetWeirdSamplingDuration(), TYPE_INTERVAL);
+ %}
+
+## Sets the current weird sampling duration. Please note that
+## this will not delete already running timers.
+##
+## weird_sampling_duration: New weird sampling duration.
+##
+## Returns: always returns True
+function Reporter::set_weird_sampling_duration%(weird_sampling_duration: interval%) : bool
+ %{
+ reporter->SetWeirdSamplingDuration(weird_sampling_duration);
+ return new Val(1, TYPE_BOOL);
+ %}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.weird/config.log b/testing/btest/Baseline/scripts.base.frameworks.config.weird/config.log
new file mode 100644
index 0000000000..2203bd77d6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.config.weird/config.log
@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path config
+#open 2018-09-05-19-30-42
+#fields ts id old_value new_value location
+#types time string string string string
+0.000000 Weird::sampling_duration 10.0 mins 5.0 secs -
+0.000000 Weird::sampling_threshold 25 10 -
+0.000000 Weird::sampling_rate 1000 10 -
+0.000000 Weird::sampling_whitelist (empty) whitelisted_net_weird,whitelisted_flow_weird,whitelisted_conn_weird -
+#close 2018-09-05-19-30-42
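Review bot: In `Reporter::get_weird_sampling_whitelist`, `set->Assign(new StringVal(el), nullptr);` hands a freshly allocated index to Assign and never releases it; if `TableVal::Assign` does not take ownership of the index (the usual pattern in this codebase is an Assign followed by an Unref of the index), every element leaks one StringVal per call, so `auto idx = new StringVal(el); set->Assign(idx, nullptr); Unref(idx);` is the safer form — please confirm against TableVal::Assign. The doc line for `set_weird_sampling_whitelist` reads "whitelist: New weird sampling rate." although the parameter is `weird_sampling_whitelist` and is not a rate; that function's `%{` also sits at column 0 while every other function in the hunk indents it. Because these setters are script-callable, a direct call updates the Reporter without touching the `Weird::` option value or producing a config.log entry, so the two views of the setting can silently disagree; the comments should say that `Config::set_value` is the intended path and that these BIFs exist for the config framework's change handlers. The Returns lines vary between "Always true.", "Always returns true;" and "always returns True" — one form would do.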
diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.weird/output b/testing/btest/Baseline/scripts.base.frameworks.config.weird/output
new file mode 100644
index 0000000000..d66ea7af36
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.config.weird/output
@@ -0,0 +1,360 @@ +Config values set +{ +whitelisted_net_weird, +whitelisted_flow_weird, +whitelisted_conn_weird +} +10 +10 +5.0 +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, 
whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, 
whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, 
whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird 
+flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, 
whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird +net_weird, my_net_weird +flow_weird, my_flow_weird +conn_weird, my_conn_weird +net_weird, whitelisted_net_weird +flow_weird, whitelisted_flow_weird +conn_weird, whitelisted_conn_weird 
diff --git a/testing/btest/scripts/base/frameworks/config/weird.bro b/testing/btest/scripts/base/frameworks/config/weird.bro
new file mode 100644
index 0000000000..ae3e0f2153
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/config/weird.bro
@@ -0,0 +1,66 @@
+# @TEST-EXEC: bro -r $TRACES/http/bro.org.pcap %INPUT >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff config.log
+
+event bro_init()
+ {
+ Config::set_value("Weird::sampling_duration", 5sec);
+ Config::set_value("Weird::sampling_threshold", 10);
+ Config::set_value("Weird::sampling_rate", 10);
+ Config::set_value("Weird::sampling_whitelist", set("whitelisted_net_weird", "whitelisted_flow_weird", "whitelisted_conn_weird"));
+ print "Config values set";
+ }
+
+event bro_init() &priority = -10
+ {
+ print Reporter::get_weird_sampling_whitelist();
+ print Reporter::get_weird_sampling_rate();
+ print Reporter::get_weird_sampling_threshold();
+ print Reporter::get_weird_sampling_duration();
+ }
+
+event conn_weird(name: string, c: connection, addl: string)
+ {
+ print "conn_weird", name;
+ }
+
+event flow_weird(name: string, src: addr, dst: addr)
+ {
+ print "flow_weird", name;
+ }
+
+event net_weird(name: string)
+ {
+ print "net_weird", name;
+ }
+
+event gen_weirds(c: connection)
+ {
+ local num = 30;
+
+ while ( num != 0 )
+ {
+ Reporter::net_weird("my_net_weird");
+ Reporter::flow_weird("my_flow_weird", c$id$orig_h, c$id$resp_h);
+ Reporter::conn_weird("my_conn_weird", c);
+
+ Reporter::net_weird("whitelisted_net_weird");
+ Reporter::flow_weird("whitelisted_flow_weird", c$id$orig_h, c$id$resp_h);
+ Reporter::conn_weird("whitelisted_conn_weird", c);
+ --num;
+ }
+ }
+
+global did_one_connection = F;
+
+event new_connection(c: connection)
+ {
+ if ( did_one_connection )
+ return;
+
+ did_one_connection = T;
+ event gen_weirds(c); # should permit 10 + 2 of each "my" weird
+ schedule 2sec { gen_weirds(c) }; # should permit 3 of each "my" weird
+ schedule 7sec { gen_weirds(c) }; # should permit 10 + 2 of each "my" weird
+ # Total of 27 "my" weirds of each type and 90 of each "whitelisted" type
+ }
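Review bot: The first `bro_init()` here calls `Config::set_value` at default priority, and the values only reach the Reporter because the framework registers its handlers in `bro_init() &priority=5` in scripts/base/frameworks/config/weird.bro; that ordering dependency deserves a comment on the event, e.g. `# Must run after the config framework's weird handlers (bro_init &priority=5).`. The expected counts in the trailing comments (10 + 2, 3, 10 + 2) follow from the threshold 10, rate 10 and duration 5sec set above; stating that link once next to the set_value calls would make the baseline easier to re-derive when those numbers change. The `sampling_rate = 0` case, which the option doc describes as disabling all rate-limited weird output, is not covered; a further set_value followed by another gen_weirds round would exercise the one setting most likely to hide events in production.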