change Notice::suppressing to be a table of times

Instead of storing the entire notice in Notice::suppressing,
just store the time the notice should be suppressed until.

This has the same functionality, except that end_suppression can no
longer be generated.
Justin Azoff 2013-12-31 10:09:44 -05:00
parent 1411164d05
commit ec3f684c61
2 changed files with 7 additions and 16 deletions


@ -23,7 +23,8 @@ redef Cluster::worker2manager_events += /Notice::cluster_notice/;
@if ( Cluster::local_node_type() != Cluster::MANAGER ) @if ( Cluster::local_node_type() != Cluster::MANAGER )
event Notice::begin_suppression(n: Notice::Info) event Notice::begin_suppression(n: Notice::Info)
{ {
suppressing[n$note, n$identifier] = n; local suppress_until = n$ts + n$suppress_for;
suppressing[n$note, n$identifier] = suppress_until;
} }
@endif @endif
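Review bot: The expiry `n$ts + n$suppress_for` is computed in this handler and again in the `Notice::notice` hook in the other file, so the two copies can drift apart if one of them is changed later. A single helper in the Notice module, for example `function suppression_end(n: Notice::Info): time { return n$ts + n$suppress_for; }`, would keep the worker and manager tables in agreement. A comment here should also say that the stored value is an absolute time derived from the notice's own `ts` and is later compared with this node's `network_time()` in the expire function. A notice whose timestamp lags the local clock is therefore suppressed for less than `suppress_for`.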


@ -242,12 +242,6 @@ export {
## being suppressed. ## being suppressed.
global suppressed: event(n: Notice::Info); global suppressed: event(n: Notice::Info);
## This event is generated when a notice stops being suppressed.
##
## n: The record containing notice data regarding the notice type
## that was being suppressed.
global end_suppression: event(n: Notice::Info);
## Call this function to send a notice in an email. It is already used ## Call this function to send a notice in an email. It is already used
## by default with the built in :bro:enum:`Notice::ACTION_EMAIL` and ## by default with the built in :bro:enum:`Notice::ACTION_EMAIL` and
## :bro:enum:`Notice::ACTION_PAGE` actions. ## :bro:enum:`Notice::ACTION_PAGE` actions.
@ -285,27 +279,22 @@ export {
} }
# This is used as a hack to implement per-item expiration intervals. # This is used as a hack to implement per-item expiration intervals.
function per_notice_suppression_interval(t: table[Notice::Type, string] of Notice::Info, idx: any): interval function per_notice_suppression_interval(t: table[Notice::Type, string] of time, idx: any): interval
{ {
local n: Notice::Type; local n: Notice::Type;
local s: string; local s: string;
[n,s] = idx; [n,s] = idx;
local suppress_time = t[n,s]$suppress_for - (network_time() - t[n,s]$ts); local suppress_time = t[n,s] - network_time();
if ( suppress_time < 0secs ) if ( suppress_time < 0secs )
suppress_time = 0secs; suppress_time = 0secs;
# If there is no more suppression time left, the notice needs to be sent
# to the end_suppression event.
if ( suppress_time == 0secs )
event Notice::end_suppression(t[n,s]);
return suppress_time; return suppress_time;
} }
# This is the internally maintained notice suppression table. It's # This is the internally maintained notice suppression table. It's
# indexed on the Notice::Type and the $identifier field from the notice. # indexed on the Notice::Type and the $identifier field from the notice.
global suppressing: table[Type, string] of Notice::Info = {} global suppressing: table[Type, string] of time = {}
&create_expire=0secs &create_expire=0secs
&expire_func=per_notice_suppression_interval; &expire_func=per_notice_suppression_interval;
@ -467,7 +456,8 @@ hook Notice::notice(n: Notice::Info) &priority=-5
[n$note, n$identifier] !in suppressing && [n$note, n$identifier] !in suppressing &&
n$suppress_for != 0secs ) n$suppress_for != 0secs )
{ {
suppressing[n$note, n$identifier] = n; local suppress_until = n$ts + n$suppress_for;
suppressing[n$note, n$identifier] = suppress_until;
event Notice::begin_suppression(n); event Notice::begin_suppression(n);
} }
} }
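Review bot: The comment above `suppressing` still describes only the index, so after this change nothing says what the `time` value means. I would extend it with `# The value is the time at which suppression of that notice ends.` and state in the comment on `per_notice_suppression_interval` that it returns the time remaining until that value, clamped to `0secs`. With `end_suppression` removed from the export block, handlers for it in other scripts will no longer run. Whether such scripts fail to load or are silently ignored is not visible from this diff, so the removal is worth stating in the user-facing change notes.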