mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 02:58:20 +00:00

The generation of weird events, by default, is now rate-limited according to these tunable options:

- Weird::sampling_whitelist
- Weird::sampling_threshold
- Weird::sampling_rate
- Weird::sampling_duration

The new get_reporter_stats() BIF also allows one to query the total number of weirds generated (pre-sampling), which the new policy/misc/weird-stats.bro script uses periodically to populate a weird_stats.log.

There are also new reporter BIFs to allow generating weirds from the script-layer such that they go through the same, internal rate-limiting/sampling mechanisms:

- Reporter::conn_weird
- Reporter::flow_weird
- Reporter::net_weird

Some of the code was adapted from previous work by Johanna Amann.
13 lines
304 B
Text
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird_stats
#open 2018-07-26-23-11-27
#fields ts name num_seen
#types time string count
1532646687.827249 weird3 1
1532646687.827249 weird2 1000
1532646687.827249 weird1 2000
1532646692.877464 weird1 2
#close 2018-07-26-23-11-34
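As an added example (not part of the Zeek project or this commit), a small Python parser for the Zeek ASCII log format used by the weird_stats.log above: it reads the #separator, #unset_field, #fields and #types header lines, types each record accordingly, and sums the pre-sampling num_seen counters per weird name so that a burst such as weird1's 2000 in a single interval stands out. The sample log is the baseline shown above, embedded inline with its tab separators restored.

```python
from collections import defaultdict

# Constructed sample: the weird_stats.log baseline above, tabs restored (the page flattened them).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tweird_stats",
    "#open\t2018-07-26-23-11-27",
    "#fields\tts\tname\tnum_seen",
    "#types\ttime\tstring\tcount",
    "1532646687.827249\tweird3\t1",
    "1532646687.827249\tweird2\t1000",
    "1532646687.827249\tweird1\t2000",
    "1532646692.877464\tweird1\t2",
    "#close\t2018-07-26-23-11-34",
])

# Zeek field types that appear in this log, mapped to Python constructors.
CASTS = {"count": int, "time": float, "string": str}

def parse_zeek_log(text):
    # Return one dict per record, typed according to the #fields and #types header lines.
    sep, unset, fields, types, rows = "\t", "-", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # This header line is space-delimited; its value is an escaped byte such as \x09.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line.partition(sep)
            if key == "#unset_field":
                unset = val
            elif key == "#fields":
                fields = val.split(sep)
            elif key == "#types":
                types = val.split(sep)
        elif line:
            vals = line.split(sep)
            rows.append({f: None if v == unset else CASTS.get(t, str)(v)
                         for f, v, t in zip(fields, vals, types)})
    return rows

def totals_by_name(rows):
    # Sum the pre-sampling num_seen counters per weird name across all logged intervals.
    totals = defaultdict(int)
    for r in rows:
        totals[r["name"]] += r["num_seen"]
    return dict(totals)
```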