From c5da9c351963f0cc1c4196f5711405147b15a886 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Mon, 7 Jul 2025 19:52:30 +0200
Subject: [PATCH] ConnSize: Load thresholds at InitPostScript() time

---
 src/analyzer/protocol/conn-size/ConnSize.cc | 22 ++++++++-------------
 src/analyzer/protocol/conn-size/ConnSize.h  |  9 +++++++++
 src/analyzer/protocol/conn-size/Plugin.cc   | 15 ++++++++++++++
 3 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/src/analyzer/protocol/conn-size/ConnSize.cc b/src/analyzer/protocol/conn-size/ConnSize.cc
index 0e546c3848..c4237ffd01 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@@ -11,6 +11,8 @@
 
 namespace zeek::analyzer::conn_size {
 
+std::vector<uint64_t> ConnSize_Analyzer::generic_pkt_thresholds;
+
 ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) : Analyzer("CONNSIZE", c) { start_time = c->StartTime(); }
 
 void ConnSize_Analyzer::Init() {
@@ -42,24 +44,12 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
 }
 
 void ConnSize_Analyzer::NextGenericPacketThreshold() {
-    static std::vector<uint64_t> threshold_cache;
-    static bool have_cache = false;
-
-    if ( ! have_cache ) {
-        auto thresholds = id::find_const<TableVal>("ConnThreshold::generic_packet_thresholds");
-        auto lv = thresholds->ToPureListVal();
-        for ( auto i = 0; i < lv->Length(); i++ )
-            threshold_cache.emplace_back(lv->Idx(i)->InternalUnsigned());
-        std::sort(threshold_cache.begin(), threshold_cache.end());
-        have_cache = true;
-    }
-
-    if ( generic_pkt_thresh_next_idx >= threshold_cache.size() ) {
+    if ( generic_pkt_thresh_next_idx >= generic_pkt_thresholds.size() ) {
         generic_pkt_thresh = 0;
         return;
     }
 
-    generic_pkt_thresh = threshold_cache[generic_pkt_thresh_next_idx++];
+    generic_pkt_thresh = generic_pkt_thresholds[generic_pkt_thresh_next_idx++];
 }
 
 void ConnSize_Analyzer::CheckThresholds(bool is_orig) {
@@ -100,6 +90,10 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig) {
     }
 }
 
+void ConnSize_Analyzer::SetGenericPacketThresholds(std::vector<uint64_t> thresholds) {
+    generic_pkt_thresholds = std::move(thresholds);
+}
+
 void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip,
                                       int caplen) {
     Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
diff --git a/src/analyzer/protocol/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h
index 28800b8986..267985768a 100644
--- a/src/analyzer/protocol/conn-size/ConnSize.h
+++ b/src/analyzer/protocol/conn-size/ConnSize.h
@@ -26,6 +26,13 @@ public:
 
     static analyzer::Analyzer* Instantiate(Connection* conn) { return new ConnSize_Analyzer(conn); }
 
+    /**
+     * Update the generic packet thersholds.
+     *
+     * @param thresholds The generic packet thresholds to set.
+     */
+    static void SetGenericPacketThresholds(std::vector<uint64_t> offsets);
+
 protected:
     void DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) override;
     void CheckThresholds(bool is_orig);
@@ -48,6 +55,8 @@ protected:
 
     double start_time = 0.0;
     double duration_thresh = 0.0;
+
+    static std::vector<uint64_t> generic_pkt_thresholds;
 };
 
 // Exposed to make it available to script optimization.
diff --git a/src/analyzer/protocol/conn-size/Plugin.cc b/src/analyzer/protocol/conn-size/Plugin.cc
index 512fa71330..9c6561b2f9 100644
--- a/src/analyzer/protocol/conn-size/Plugin.cc
+++ b/src/analyzer/protocol/conn-size/Plugin.cc
@@ -2,6 +2,7 @@
 
 #include "zeek/plugin/Plugin.h"
 
+#include "zeek/Val.h"
 #include "zeek/analyzer/Component.h"
 #include "zeek/analyzer/protocol/conn-size/ConnSize.h"
 
@@ -18,6 +19,20 @@ public:
         config.description = "Connection size analyzer";
         return config;
     }
+
+    // Load generic_packet_thresholds at InitPostScript() time.
+    void InitPostScript() override {
+        auto t = id::find_const<TableVal>("ConnThreshold::generic_packet_thresholds");
+        std::vector<uint64_t> thresholds;
+        thresholds.reserve(t->Size());
+
+        auto lv = t->ToPureListVal();
+        for ( auto i = 0; i < lv->Length(); i++ )
+            thresholds.emplace_back(lv->Idx(i)->AsCount());
+        std::sort(thresholds.begin(), thresholds.end());
+
+        zeek::analyzer::conn_size::ConnSize_Analyzer::SetGenericPacketThresholds(thresholds);
+    }
 } plugin;
 
 } // namespace zeek::plugin::detail::Zeek_ConnSize