mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
995368e68c
This changes many weird names to move non-static content from the weird name into the "addl" field to help ensure the total number of weird names is reasonably bounded. Note the net_weird and flow_weird events do not have an "addl" parameter, so information may no longer be available in those cases -- to make it available again we'd need to either (1) define new events that contain such a parameter, or (2) change net_weird/flow_weird event signature (which is a breaking change for user-code at the moment). Also, the generic handling of binpac exceptions for analyzers which to not otherwise catch and handle them has been changed from a Weird to a ProtocolViolation. Finally, a new "file_weird" event has been added for reporting weirdness found during file analysis.
30 lines
636 B
C++
30 lines
636 B
C++
#include "WeirdState.h"
|
|
#include "Net.h"
|
|
|
|
bool PermitWeird(WeirdStateMap& wsm, const char* name, uint64_t threshold,
|
|
uint64_t rate, double duration)
|
|
{
|
|
auto& state = wsm[name];
|
|
++state.count;
|
|
|
|
if ( state.count <= threshold )
|
|
return true;
|
|
|
|
if ( state.count == threshold + 1)
|
|
state.sampling_start_time = network_time;
|
|
else
|
|
{
|
|
if ( network_time > state.sampling_start_time + duration )
|
|
{
|
|
state.sampling_start_time = 0;
|
|
state.count = 1;
|
|
return true;
|
|
}
|
|
}
|
|
|
|
auto num_above_threshold = state.count - threshold;
|
|
if ( rate )
|
|
return num_above_threshold % rate == 0;
|
|
else
|
|
return false;
|
|
}
|