This is based on commit 2731def9159247e6da8a3191783c89683363689c from the zeek-docs repo.
# Bring in the SumStats framework: SumStats::observe, SumStats::Reducer,
# SumStats::Key/Observation and SumStats::create are all used below.
@load base/frameworks/sumstats
# Only unsuccessful connection attempts feed the scan detector: the
# connection_attempt event fires for connections that were tried but
# never established, which is the behaviour a scanner typically produces.
event connection_attempt(c: connection)
	{
	# Key the observation on the originating host, so one running count
	# exists per would-be scanner (source IP), not per destination.
	local scanner_key = SumStats::Key($host=c$id$orig_h);

	# Every attempt contributes exactly one to that host's count.
	local one_attempt = SumStats::Observation($num=1);

	# Feed the "conn attempted" stream that the reducer in zeek_init consumes.
	SumStats::observe("conn attempted", scanner_key, one_attempt);
	}
event zeek_init()
	{
	# Sum every observation arriving on the "conn attempted" stream.
	# The framework keeps one result per key, i.e. one total per
	# connection originator, for the duration of an epoch.
	local attempts_reducer = SumStats::Reducer($stream="conn attempted",
	                                           $apply=set(SumStats::SUM));

	# Callback that turns a key's result into the number compared
	# against $threshold: here simply the summed attempt count.
	local count_attempts = function(key: SumStats::Key, result: SumStats::Result): double
		{
		return result["conn attempted"]$sum;
		};

	# Callback run when a key's computed value reaches $threshold.
	# Note that this only prints; it does not raise a notice or log.
	local report_scanner = function(key: SumStats::Key, result: SumStats::Result)
		{
		print fmt("%s attempted %.0f or more connections", key$host, result["conn attempted"]$sum);
		};

	# Assemble the sumstat: a 5-minute epoch, the single reducer above,
	# and a per-originator threshold of 5 attempts evaluated through the
	# two callbacks. Because the key is the source host alone, each
	# source is judged independently against that threshold per epoch.
	SumStats::create(SumStats::SumStat($name="finding scanners",
	                                   $epoch=5min,
	                                   $reducers=set(attempts_reducer),
	                                   $threshold=5.0,
	                                   $threshold_val=count_attempts,
	                                   $threshold_crossed=report_scanner));
	}