Allow for multiple generic packet thresholds

Co-authored-by: Arne Welzel <arne.welzel@corelight.com>

src/analyzer/protocol/conn-size/ConnSize.cc

@@ -11,6 +11,8 @@
 
 namespace zeek::analyzer::conn_size {
 
+std::vector<uint64_t> ConnSize_Analyzer::generic_pkt_thresholds;
+
 ConnSize_Analyzer::ConnSize_Analyzer(Connection* c) : Analyzer("CONNSIZE", c) { start_time = c->StartTime(); }
 
 void ConnSize_Analyzer::Init() {
@@ -25,6 +27,11 @@ void ConnSize_Analyzer::Init() {
     orig_pkts_thresh = 0;
     resp_bytes_thresh = 0;
     resp_pkts_thresh = 0;
+
+    generic_pkt_thresh = 0;
+    generic_pkt_thresh_next_idx = 0;
+    if ( conn_generic_packet_threshold_crossed )
+        NextGenericPacketThreshold();
 }
 
 void ConnSize_Analyzer::Done() { Analyzer::Done(); }
@@ -36,12 +43,19 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
     EnqueueConnEvent(f, ConnVal(), val_mgr->Count(threshold), val_mgr->Bool(is_orig));
 }
 
-void ConnSize_Analyzer::CheckThresholds(bool is_orig) {
-    static const auto generic_packet_threshold = id::find_const("ConnThreshold::generic_packet_threshold")->AsCount();
+void ConnSize_Analyzer::NextGenericPacketThreshold() {
+    if ( generic_pkt_thresh_next_idx >= generic_pkt_thresholds.size() ) {
+        generic_pkt_thresh = 0;
+        return;
+    }
 
-    if ( conn_generic_packet_threshold_crossed && generic_packet_threshold &&
-         (orig_pkts + resp_pkts) == generic_packet_threshold ) {
-        EnqueueConnEvent(conn_generic_packet_threshold_crossed, ConnVal());
+    generic_pkt_thresh = generic_pkt_thresholds[generic_pkt_thresh_next_idx++];
+}
+
+void ConnSize_Analyzer::CheckThresholds(bool is_orig) {
+    if ( generic_pkt_thresh && (orig_pkts + resp_pkts) == generic_pkt_thresh ) {
+        EnqueueConnEvent(conn_generic_packet_threshold_crossed, ConnVal(), val_mgr->Count(generic_pkt_thresh));
+        NextGenericPacketThreshold();
     }
 
     if ( is_orig ) {

src/analyzer/protocol/conn-size/ConnSize.h

@@ -26,9 +26,19 @@ public:
 
     static analyzer::Analyzer* Instantiate(Connection* conn) { return new ConnSize_Analyzer(conn); }
 
+    /**
+     * Update the generic packet thresholds.
+     *
+     * @param thresholds The generic packet thresholds to set.
+     */
+    static void SetGenericPacketThresholds(std::vector<uint64_t> thresholds) {
+        generic_pkt_thresholds = std::move(thresholds);
+    };
+
 protected:
     void DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen) override;
     void CheckThresholds(bool is_orig);
+    void NextGenericPacketThreshold();
 
     void ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bool is_orig);
 
@@ -42,8 +52,13 @@ protected:
     uint64_t orig_pkts_thresh = 0;
     uint64_t resp_pkts_thresh = 0;
 
+    uint64_t generic_pkt_thresh = 0;
+    size_t generic_pkt_thresh_next_idx = 0;
+
     double start_time = 0.0;
     double duration_thresh = 0.0;
+
+    static std::vector<uint64_t> generic_pkt_thresholds;
 };
 
 // Exposed to make it available to script optimization.

src/analyzer/protocol/conn-size/Plugin.cc

@@ -2,6 +2,7 @@
 
 #include "zeek/plugin/Plugin.h"
 
+#include "zeek/Val.h"
 #include "zeek/analyzer/Component.h"
 #include "zeek/analyzer/protocol/conn-size/ConnSize.h"
 
@@ -18,6 +19,20 @@ public:
         config.description = "Connection size analyzer";
         return config;
     }
+
+    void InitPostScript() override {
+        // Load generic_packet_thresholds at InitPostScript() time.
+        auto t = id::find_const<TableVal>("ConnThreshold::generic_packet_thresholds");
+        std::vector<uint64_t> thresholds;
+        thresholds.reserve(t->Size());
+
+        auto lv = t->ToPureListVal();
+        for ( auto i = 0; i < lv->Length(); i++ )
+            thresholds.emplace_back(lv->Idx(i)->AsCount());
+        std::sort(thresholds.begin(), thresholds.end());
+
+        zeek::analyzer::conn_size::ConnSize_Analyzer::SetGenericPacketThresholds(thresholds);
+    }
 } plugin;
 
 } // namespace zeek::plugin::detail::Zeek_ConnSize

src/analyzer/protocol/conn-size/events.bif

@@ -47,9 +47,11 @@ event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig:
 ##               set_current_conn_duration_threshold get_current_conn_duration_threshold
 event conn_duration_threshold_crossed%(c: connection, threshold: interval, is_orig: bool%);
 
-## Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_threshold` packets have been
+## Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
 ## observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
 ## connections, while short interactions, like scans consisting of only a few packets, are ignored.
 ##
-## c: The connection.
-event conn_generic_packet_threshold_crossed%(c: connection%);
+## c: the connection.
+##
+## threshold: the threshold that was set
+event conn_generic_packet_threshold_crossed%(c: connection, threshold: count%);