mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 16:48:19 +00:00
0e191b25fe
This change adds two new hooks to the Intel framework that can be used to intercept added and removed indicators and their type. These hooks are fairly low-level. One immediate use-case is to count the number of indicators loaded per Intel::Type and enable and disable the corresponding event groups of the intel/seen scripts. I attempted to gauge the overhead and while it's definitely there, loading a file with ~500k DOMAIN entries takes somewhere around ~0.5 seconds hooks when populated via the min_data_store store mechanism. While that doesn't sound great, it actually takes the manager on my system 2.5 seconds to serialize and Cluster::publish() the min_data_store alone and its doing that serially for every active worker. Mostly to say that the bigger overhead in that area on the manager doing redundant work per worker. Co-authored-by: Mohan Dhawan <mohan@corelight.com> (cherry picked from commit 3366d81e98ef381d843f6d76628834fdcd622e25) |
||
|---|---|---|
| .. | ||
| path-prefix | ||
| cluster-indicator-inserted-new-min-store.zeek | ||
| cluster-indicator-inserted.zeek | ||
| cluster-transparency-with-proxy.zeek | ||
| cluster-transparency.zeek | ||
| expire-item.zeek | ||
| filter-item.zeek | ||
| input-and-match.zeek | ||
| match-subnet.zeek | ||
| read-file-dist-cluster.zeek | ||
| remove-item-cluster.zeek | ||
| remove-non-existing.zeek | ||
| seen-policy.zeek | ||
| updated-match.zeek | ||