Allow setting packet and byte thresholds for connections.

This extends the ConnSize analyzer to be able to raise events when each direction of a connection crosses a certain amount of bytes or packets. Thresholds are set using set_conn_bytes_threshold(c$id, [num-bytes], [direction]); and set_conn_packets_threshold(c$id, [num-packets], [direction]); respectively. They raise the event event conn_bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool) and event conn_packets_threshold_crossed(c: connection, threshold: count, is_orig: bool) respectively. Current thresholds can be examined using get_conn_bytes_threshold and get_conn_packets_threshold Currently only one threshold can be set per connection. This also fixes a bug where child packet analyzers of the TCP analyzer where not found using FindChild.
2025-10-17 05:58:20 +00:00 · 2015-04-16 12:44:45 -07:00 · 2015-04-16 12:44:45 -07:00 · f7edf70882
commit f7edf70882
parent a129911272
10 changed files with 321 additions and 4 deletions
--- a/testing/btest/Baseline/core.conn-size-threshold/.stdout
+++ b/testing/btest/Baseline/core.conn-size-threshold/.stdout
@ -0,0 +1,23 @@
+0
+0
+0
+0
+Threshold set for [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp]
+3000
+2000
+63
+50
+triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 2000, F
+triggered bytes, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 3000, T
+triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 50, F
+0
+0
+0
+0
+Threshold set for [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
+3000
+2000
+63
+50
+triggered bytes, [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp], 2000, F
+triggered packets, [orig_h=192.168.1.77, orig_p=57640/tcp, resp_h=66.198.80.67, resp_p=6667/tcp], 63, T
--- a/testing/btest/core/conn-size-threshold.bro
+++ b/testing/btest/core/conn-size-threshold.bro
@ -0,0 +1,32 @@
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event connection_established(c: connection)
+	{
+	print get_conn_bytes_threshold(c$id, T);
+	print get_conn_bytes_threshold(c$id, F);
+	print get_conn_packets_threshold(c$id, T);
+	print get_conn_packets_threshold(c$id, F);
+
+	print fmt("Threshold set for %s", cat(c$id));
+	set_conn_bytes_threshold(c$id, 3000, T);
+	set_conn_bytes_threshold(c$id, 2000, F);
+
+	set_conn_packets_threshold(c$id, 50, F);
+	set_conn_packets_threshold(c$id, 63, T);
+
+	print get_conn_bytes_threshold(c$id, T);
+	print get_conn_bytes_threshold(c$id, F);
+	print get_conn_packets_threshold(c$id, T);
+	print get_conn_packets_threshold(c$id, F);
+	}
+
+event conn_bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
+	{
+	print "triggered bytes", c$id, threshold, is_orig;
+	}
+
+event conn_packets_threshold_crossed(c: connection, threshold: count, is_orig: bool)
+	{
+	print "triggered packets", c$id, threshold, is_orig;
+	}