Add high-level API for thresholding that holds lists of thresholds
and raises an event for each threshold exactly once.
This commit is contained in:
parent
9290718bd6
commit
d876c044df
9 changed files with 381 additions and 44 deletions
|
@ -53,15 +53,10 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool
|
|||
ConnectionEvent(f, vl);
|
||||
}
|
||||
|
||||
void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
|
||||
void ConnSize_Analyzer::CheckSizes(bool is_orig)
|
||||
{
|
||||
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
orig_bytes += ip->TotalLen();
|
||||
orig_pkts ++;
|
||||
|
||||
if ( orig_bytes_thresh && orig_bytes >= orig_bytes_thresh )
|
||||
{
|
||||
ThresholdEvent(conn_bytes_threshold_crossed, orig_bytes_thresh, is_orig);
|
||||
|
@ -76,9 +71,6 @@ void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
|
|||
}
|
||||
else
|
||||
{
|
||||
resp_bytes += ip->TotalLen();
|
||||
resp_pkts ++;
|
||||
|
||||
if ( resp_bytes_thresh && resp_bytes >= resp_bytes_thresh )
|
||||
{
|
||||
ThresholdEvent(conn_bytes_threshold_crossed, resp_bytes_thresh, is_orig);
|
||||
|
@ -93,6 +85,25 @@ void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
|
|||
}
|
||||
}
|
||||
|
||||
void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
|
||||
{
|
||||
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
orig_bytes += ip->TotalLen();
|
||||
orig_pkts ++;
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
resp_bytes += ip->TotalLen();
|
||||
resp_pkts ++;
|
||||
}
|
||||
|
||||
CheckSizes(is_orig);
|
||||
}
|
||||
|
||||
void ConnSize_Analyzer::SetThreshold(uint64 threshold, bool bytes, bool orig)
|
||||
{
|
||||
if ( bytes )
|
||||
|
@ -109,6 +120,9 @@ void ConnSize_Analyzer::SetThreshold(uint64 threshold, bool bytes, bool orig)
|
|||
else
|
||||
resp_pkts_thresh = threshold;
|
||||
}
|
||||
|
||||
// check if threshold is already crossed
|
||||
CheckSizes(orig);
|
||||
}
|
||||
|
||||
uint64_t ConnSize_Analyzer::GetThreshold(bool bytes, bool orig)
|
||||
|
|
|
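Review bot: The `CheckSizes(orig)` call added at the end of SetThreshold evaluates both the byte and the packet threshold of that direction, although the caller changed only one of them, so configuring a fresh packet threshold can re-raise the byte-crossing event (and vice versa) whenever the other counter already sits past a threshold that is still set. Whether the crossing path clears the threshold after ThresholdEvent is in the hidden tail of the `@ -76` hunk, so this is inferred from the visible `orig_bytes_thresh && orig_bytes >= orig_bytes_thresh` tests. Either restrict the post-set check to the counter just configured, or make the comment honest about it: `// check if a threshold of this direction is already crossed; note this re-evaluates both the bytes and the packets threshold`. CheckSizes itself spans three hunks here and its documentation is missing; a one-line header such as `// Compare this direction's byte/packet counters against their thresholds and raise the crossing events.` above its definition would help readers of the split-out logic.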
@ -30,6 +30,7 @@ public:
|
|||
protected:
|
||||
virtual void DeliverPacket(int len, const u_char* data, bool is_orig,
|
||||
uint64 seq, const IP_Hdr* ip, int caplen);
|
||||
void CheckSizes(bool is_orig);
|
||||
|
||||
void ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool is_orig);
|
||||
|
||||
|
|
|
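Review bot: The new `void CheckSizes(bool is_orig);` declaration has no comment, and nothing in the header explains how it relates to `ThresholdEvent` right below it. From the accompanying ConnSize.cc change it is called from DeliverPacket on every packet and again from SetThreshold, so a short comment would be `// Raise the bytes/packets threshold events for one direction if its counters have crossed a set threshold; invoked per packet and right after a threshold is (re)set.` Keep the note hedged on the "per packet" part if DeliverPacket's structure changes elsewhere.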
@ -1,4 +1,6 @@
|
|||
## Generated for a connection that crossed a set byte threshold
|
||||
## Generated for a connection that crossed a set byte threshold. Note that this
|
||||
## is a low level event that can fire several times for the same threshold - you
|
||||
## should probably use ConnThreshold::bytes_threshold_crossed instead.
|
||||
##
|
||||
## c: the connection
|
||||
##
|
||||
|
@ -6,11 +8,13 @@
|
|||
##
|
||||
## is_orig: True if the threshold was crossed by the originator of the connection
|
||||
##
|
||||
## .. bro:see:: set_conn_packets_threshold set_conn_bytes_threshold conn_packets_threshold_crossed
|
||||
## get_conn_bytes_threshold get_conn_packets_threshold
|
||||
## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
|
||||
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
|
||||
event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);
|
||||
|
||||
## Generated for a connection that crossed a set packet threshold
|
||||
## Generated for a connection that crossed a set packet threshold. Note that this
|
||||
## is a low level event that can fire several times for the same threshold - you
|
||||
## should probably use ConnThreshold::packets_threshold_crossed instead.
|
||||
##
|
||||
## c: the connection
|
||||
##
|
||||
|
@ -18,6 +22,6 @@ event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bo
|
|||
##
|
||||
## is_orig: True if the threshold was crossed by the originator of the connection
|
||||
##
|
||||
## .. bro:see:: set_conn_packets_threshold set_conn_bytes_threshold conn_bytes_threshold_crossed
|
||||
## get_conn_bytes_threshold get_conn_packets_threshold
|
||||
## .. bro:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
|
||||
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
|
||||
event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
|
||||
%%{
|
||||
#include "analyzer/protocol/conn-size/ConnSize.h"
|
||||
|
||||
|
@ -20,7 +19,9 @@ analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid)
|
|||
|
||||
%%}
|
||||
|
||||
## Sets a threshold for connection sizes.
|
||||
## Sets the current byte threshold for connection sizes, overwriting any potential old
|
||||
## threshold. Be aware that in nearly any case you will want to use the high level API
|
||||
## instead (ConnThreshold::set_bytes_threshold).
|
||||
##
|
||||
## cid: The connection id.
|
||||
##
|
||||
|
@ -28,9 +29,9 @@ analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid)
|
|||
##
|
||||
## is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder.
|
||||
##
|
||||
## .. bro:see:: set_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_conn_bytes_threshold get_conn_packets_threshold
|
||||
function set_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
|
||||
## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
|
||||
function set_current_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
|
||||
%{
|
||||
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
|
||||
if ( ! a )
|
||||
|
@ -38,10 +39,12 @@ function set_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool
|
|||
|
||||
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetThreshold(threshold, 1, is_orig);
|
||||
|
||||
return new Val(0, TYPE_BOOL);
|
||||
return new Val(1, TYPE_BOOL);
|
||||
%}
|
||||
|
||||
## Sets a threshold for connection packets.
|
||||
## Sets a threshold for connection packets, overwtiting any potential old thresholds.
|
||||
## Be aware that in nearly any case you will want to use the high level API
|
||||
## instead (ConnThreshold::set_packets_threshold).
|
||||
##
|
||||
## cid: The connection id.
|
||||
##
|
||||
|
@ -49,9 +52,9 @@ function set_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool
|
|||
##
|
||||
## is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder.
|
||||
##
|
||||
## .. bro:see:: set_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_conn_bytes_threshold get_conn_packets_threshold
|
||||
function set_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
|
||||
## .. bro:see:: set_current_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
|
||||
function set_current_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
|
||||
%{
|
||||
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
|
||||
if ( ! a )
|
||||
|
@ -59,7 +62,7 @@ function set_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bo
|
|||
|
||||
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetThreshold(threshold, 0, is_orig);
|
||||
|
||||
return new Val(0, TYPE_BOOL);
|
||||
return new Val(1, TYPE_BOOL);
|
||||
%}
|
||||
|
||||
## Gets the current byte threshold size for a connection.
|
||||
|
@ -70,9 +73,9 @@ function set_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bo
|
|||
##
|
||||
## Returns: 0 if no threshold is set or the threshold in bytes
|
||||
##
|
||||
## .. bro:see:: set_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_conn_packets_threshold
|
||||
function get_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
|
||||
## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_current_conn_packets_threshold
|
||||
function get_current_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
|
||||
%{
|
||||
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
|
||||
if ( ! a )
|
||||
|
@ -91,9 +94,9 @@ function get_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
|
|||
##
|
||||
## Returns: 0 if no threshold is set or the threshold in packets
|
||||
##
|
||||
## .. bro:see:: set_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_conn_bytes_threshold
|
||||
function get_conn_packets_threshold%(cid: conn_id, is_orig: bool%): count
|
||||
## .. bro:see:: set_current_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
|
||||
## get_current_conn_bytes_threshold
|
||||
function get_current_conn_packets_threshold%(cid: conn_id, is_orig: bool%): count
|
||||
%{
|
||||
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
|
||||
if ( ! a )
|
||||
|
|
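Review bot: The new documentation line for set_current_conn_packets_threshold misspells "overwriting": `## Sets a threshold for connection packets, overwtiting any potential old thresholds.` should read `## Sets a threshold for connection packets, overwriting any potential old thresholds.`, matching the byte variant's new text. In both new paragraphs "in nearly any case" reads better as "in nearly every case". The rename from set_conn_*_threshold / get_conn_*_threshold to the set_current_* / get_current_* names drops the old BIF names with no compatibility alias visible in this section, so existing scripts that call them will fail to load; if none of the other changed files provides one, a deprecated script-level wrapper pointing at the new names would ease migration.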