mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
0e191b25fe
This change adds two new hooks to the Intel framework that can be used to intercept added and removed indicators and their type. These hooks are fairly low-level. One immediate use-case is to count the number of indicators loaded per Intel::Type and enable and disable the corresponding event groups of the intel/seen scripts. I attempted to gauge the overhead and while it's definitely there, loading a file with ~500k DOMAIN entries takes somewhere around ~0.5 seconds hooks when populated via the min_data_store store mechanism. While that doesn't sound great, it actually takes the manager on my system 2.5 seconds to serialize and Cluster::publish() the min_data_store alone and its doing that serially for every active worker. Mostly to say that the bigger overhead in that area on the manager doing redundant work per worker. Co-authored-by: Mohan Dhawan <mohan@corelight.com> (cherry picked from commit 3366d81e98ef381d843f6d76628834fdcd622e25) |
||
|---|---|---|
| .. | ||
| files | ||
| frameworks | ||
| misc | ||
| packet-protocols | ||
| protocols | ||
| utils | ||
| init-bare.zeek | ||
| init-default.zeek | ||
| init-frameworks-and-bifs.zeek | ||
| init-supervisor.zeek | ||