Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/src/analyzer/protocol/conn-size/events.bif
Jan Grashoefer e6d8c3b072 Allow for multiple generic packet thresholds 
Co-authored-by: Arne Welzel <arne.welzel@corelight.com>
2025-07-08 11:29:06 +02:00

57 lines
No EOL
3 KiB
C++
Raw Blame History

## Generated for a connection that crossed a set byte threshold. Note that this
## is a low level event that should usually be avoided for user code. Use
## :zeek:see:`ConnThreshold::bytes_threshold_crossed` instead.
##
## c: the connection
##
## threshold: the threshold that was set
##
## is_orig: true if the threshold was crossed by the originator of the connection
##
## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_packets_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
## set_current_conn_duration_threshold get_current_conn_duration_threshold
event conn_bytes_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);
## Generated for a connection that crossed a set packet threshold. Note that this
## is a low level event that should usually be avoided for user code. Use
## :zeek:see:`ConnThreshold::packets_threshold_crossed` instead.
##
## c: the connection
##
## threshold: the threshold that was set
##
## is_orig: true if the threshold was crossed by the originator of the connection
##
## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold conn_duration_threshold_crossed
## set_current_conn_duration_threshold get_current_conn_duration_threshold
event conn_packets_threshold_crossed%(c: connection, threshold: count, is_orig: bool%);
## Generated for a connection that crossed a set duration threshold. Note that this
## is a low level event that should usually be avoided for user code. Use
## :zeek:see:`ConnThreshold::duration_threshold_crossed` instead.
##
## Note that this event is not raised at the exact moment that a duration threshold is crossed; instead
## it is raised when the next packet is seen after the threshold has been crossed. On a connection that is
## idle, this can be raised significantly later.
##
## c: the connection
##
## threshold: the threshold that was set
##
## is_orig: true if the threshold was crossed by the originator of the connection
##
## .. zeek:see:: set_current_conn_packets_threshold set_current_conn_bytes_threshold conn_bytes_threshold_crossed
## get_current_conn_bytes_threshold get_current_conn_packets_threshold
## set_current_conn_duration_threshold get_current_conn_duration_threshold
event conn_duration_threshold_crossed%(c: connection, threshold: interval, is_orig: bool%);
## Generated for any IP-based session once :zeek:id:`ConnThreshold::generic_packet_thresholds` packets have been
## observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new
## connections, while short interactions, like scans consisting of only a few packets, are ignored.
##
## c: the connection.
##
## threshold: the threshold that was set
event conn_generic_packet_threshold_crossed%(c: connection, threshold: count%);
Reference in a new issue View git blame Copy permalink