Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 16:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/scripts/policy/misc/app-metrics.bro
Seth Hall 257b460b18 Updated the app-metrics script to the new metrics api. 
- Inconsequential change to scan.bro.
2012-11-16 03:05:43 -05:00

73 lines
2.1 KiB
Text
Raw Blame History

@load base/protocols/http
@load base/protocols/ssl
@load base/frameworks/metrics
module AppMetrics;
export {
## The metric break interval for the default stats collected by this script.
const break_interval = 1hr &redef;
}
event bro_init() &priority=3
{
Metrics::add_filter("apps.bytes", [$every=break_interval, $measure=set(Metrics::SUM)]);
Metrics::add_filter("apps.hits", [$every=break_interval, $measure=set(Metrics::SUM, Metrics::UNIQUE)]);
}
function do_metric(id: conn_id, hostname: string, size: count)
{
if ( /youtube/ in hostname && size > 512*1024 )
{
Metrics::add_data("apps.bytes", [$str="youtube"], [$num=size]);
Metrics::add_data("apps.hits", [$str="youtube"], [$str=cat(id$orig_h)]);
}
else if ( /facebook.com|fbcdn.net/ in hostname && size > 20 )
{
Metrics::add_data("apps.bytes", [$str="facebook"], [$num=size]);
Metrics::add_data("apps.hits", [$str="facebook"], [$str=cat(id$orig_h)]);
}
else if ( /google.com/ in hostname && size > 20 )
{
Metrics::add_data("apps.bytes", [$str="google"], [$num=size]);
Metrics::add_data("apps.hits", [$str="google"], [$str=cat(id$orig_h)]);
}
else if ( /nflximg.com/ in hostname && size > 200*1024 )
{
Metrics::add_data("apps.bytes", [$str="netflix"], [$num=size]);
Metrics::add_data("apps.hits", [$str="netflix"], [$str=cat(id$orig_h)]);
}
else if ( /pandora.com/ in hostname && size > 512*1024 )
{
Metrics::add_data("apps.bytes", [$str="pandora"], [$num=size]);
Metrics::add_data("apps.hits", [$str="pandora"], [$str=cat(id$orig_h)]);
}
else if ( /gmail.com/ in hostname && size > 20 )
{
Metrics::add_data("apps.bytes", [$str="gmail"], [$num=size]);
Metrics::add_data("apps.hits", [$str="gmail"], [$str=cat(id$orig_h)]);
}
}
redef record connection += {
resp_hostname: string &optional;
};
event ssl_established(c: connection)
{
if ( c?$ssl && c$ssl?$server_name )
c$resp_hostname = c$ssl$server_name;
}
event connection_finished(c: connection)
{
if ( c?$resp_hostname )
do_metric(c$id, c$resp_hostname, c$resp$num_bytes_ip);
}
event HTTP::log_http(rec: HTTP::Info)
{
if( rec?$host )
do_metric(rec$id, rec$host, rec$response_body_len);
}
Reference in a new issue View git blame Copy permalink