mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
0e191b25fe
This change adds two new hooks to the Intel framework that can be used to intercept added and removed indicators and their type. These hooks are fairly low-level. One immediate use-case is to count the number of indicators loaded per Intel::Type and enable and disable the corresponding event groups of the intel/seen scripts. I attempted to gauge the overhead and while it's definitely there, loading a file with ~500k DOMAIN entries takes somewhere around ~0.5 seconds hooks when populated via the min_data_store store mechanism. While that doesn't sound great, it actually takes the manager on my system 2.5 seconds to serialize and Cluster::publish() the min_data_store alone and its doing that serially for every active worker. Mostly to say that the bigger overhead in that area on the manager doing redundant work per worker. Co-authored-by: Mohan Dhawan <mohan@corelight.com> (cherry picked from commit 3366d81e98ef381d843f6d76628834fdcd622e25) |
||
|---|---|---|
| .. | ||
| benchmark/broker | ||
| btest | ||
| builtin-plugins | ||
| coverage | ||
| external | ||
| scripts | ||
| .gitignore | ||
| CMakeLists.txt | ||
| Makefile | ||
| README | ||
This directory contains suites for testing for Zeek's correct
operation:
btest/
An ever-growing set of small unit tests testing Zeek's
functionality.
external/
A framework for downloading additional test sets that run more
complex Zeek configuration on larger traces files. Due to their
size, these are not included directly. See the README for more
information.
scripts/
Helpers scripts used by some tests.