# The HTTP and SSL base analyzers provide the fields read below
# (HTTP::Info$host and c$ssl$server_name); the Metrics framework
# receives the per-application counts.
@load base/protocols/http
@load base/protocols/ssl
@load base/frameworks/metrics
module AppMetrics;

export {
	## The metric break interval for the default stats collected by this script.
	## Shared by the apps.bytes, apps.views and apps.users filters registered
	## in bro_init; redefinable by deployments.
	const break_interval = 1hr &redef;
}
# Register one filter per metric so all three break on the same interval.
# bro_init is the startup event name this script targets.
event bro_init() &priority=3
	{
	local metric_ids = vector("apps.bytes", "apps.views", "apps.users");
	for ( i in metric_ids )
		Metrics::add_filter(metric_ids[i], [$break_interval=break_interval]);
	}
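## Records one observation of ``app``: ``size`` bytes, one view, and the
## connection's originator address as the unique-user key.
##
## app: the bucket name used as the metric index.
## id: the connection's 4-tuple; only ``orig_h`` is used.
## size: the byte count attributed to this observation.
function record_app(app: string, id: conn_id, size: count)
	{
	Metrics::add_data("apps.bytes", [$str=app], size);
	Metrics::add_data("apps.views", [$str=app], 1);
	# Distinct users are counted by originator address.
	Metrics::add_unique("apps.users", [$str=app], cat(id$orig_h));
	}

## Attributes a connection to a well-known application by hostname and
## records its size, views and users when the size exceeds a per-app floor.
##
## The hostname is taken from client-supplied protocol fields (the SSL
## ``server_name`` and the HTTP ``host``), so it reflects the application a
## client claims to talk to, not a verified server identity. Matches are
## substring matches, so subdomains such as ``www.google.com`` match; dots
## are escaped so ``.`` only matches a literal dot. The first matching
## branch wins, so a ``mail.google.com`` host is counted as google, not gmail.
##
## id: the connection's 4-tuple.
## hostname: the server name the client asked for.
## size: responder byte count for the connection or response.
function do_metric(id: conn_id, hostname: string, size: count)
	{
	if ( /youtube/ in hostname && size > 512*1024 )
		record_app("youtube", id, size);

	else if ( /facebook\.com|fbcdn\.net/ in hostname && size > 20 )
		record_app("facebook", id, size);

	else if ( /google\.com/ in hostname && size > 20 )
		record_app("google", id, size);

	else if ( /nflximg\.com/ in hostname && size > 200*1024 )
		record_app("netflix", id, size);

	else if ( /pandora\.com/ in hostname && size > 512*1024 )
		record_app("pandora", id, size);

	else if ( /gmail\.com/ in hostname && size > 20 )
		record_app("gmail", id, size);
	}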
redef record connection += {
	## Server name copied from c$ssl$server_name in ssl_established. Left
	## unset for connections without one, so readers must test
	## c?$resp_hostname before use.
	resp_hostname: string &optional;
};
# Remember the requested server name on the connection so it can be
# attributed to an application when the connection finishes.
event ssl_established(c: connection)
	{
	if ( ! c?$ssl || ! c$ssl?$server_name )
		return;

	c$resp_hostname = c$ssl$server_name;
	}
# When a connection closes, attribute its responder byte count to the
# application named by the recorded server name, if one was seen.
event connection_finished(c: connection)
	{
	if ( ! c?$resp_hostname )
		return;

	local resp_bytes = c$resp$num_bytes_ip;
	do_metric(c$id, c$resp_hostname, resp_bytes);
	}
# Each logged HTTP transaction is attributed by its host field using the
# response body length as the size.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( ! rec?$host )
		return;

	local hostname = rec$host;
	do_metric(rec$id, hostname, rec$response_body_len);
	}