Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 05:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
zeek/src/analyzer/protocol/conn-size/functions.bif
Johanna Amann f7edf70882 Allow setting packet and byte thresholds for connections. 
This extends the ConnSize analyzer to be able to raise events when each
direction of a connection crosses a certain amount of bytes or packets.

Thresholds are set using
set_conn_bytes_threshold(c$id, [num-bytes], [direction]);
and
set_conn_packets_threshold(c$id, [num-packets], [direction]);
respectively.

They raise the event
event conn_bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
and
event conn_packets_threshold_crossed(c: connection, threshold: count, is_orig: bool)
respectively.

Current thresholds can be examined using
get_conn_bytes_threshold and get_conn_packets_threshold

Currently only one threshold can be set per connection.

This also fixes a bug where child packet analyzers of the TCP analyzer
where not found using FindChild.
2015-04-17 06:57:51 -07:00

106 lines
3.1 KiB
Text
Raw Blame History

%%{
#include "analyzer/protocol/conn-size/ConnSize.h"
analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid)
{
Connection* c = sessions->FindConnection(cid);
if ( ! c )
{
reporter->Error("cannot find connection");
return 0;
}
analyzer::Analyzer* a = c->FindAnalyzer("CONNSIZE");
if ( ! a )
reporter->Error("connection does not have ConnSize analyzer");
return a;
}
%%}
## Sets a threshold for connection sizes.
##
## cid: The connection id.
##
## threshold: Threshold in bytes.
##
## is_orig: If true, threshold is set for bytes from originator, otherwhise for bytes from responder.
##
## .. bro:see:: set_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_conn_bytes_threshold get_conn_packets_threshold
function set_conn_bytes_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return new Val(0, TYPE_BOOL);
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetThreshold(threshold, 1, is_orig);
return new Val(0, TYPE_BOOL);
%}
## Sets a threshold for connection packets.
##
## cid: The connection id.
##
## threshold: Threshold in packets.
##
## is_orig: If true, threshold is set for packets from originator, otherwhise for packets from responder.
##
## .. bro:see:: set_conn_bytes_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_conn_bytes_threshold get_conn_packets_threshold
function set_conn_packets_threshold%(cid: conn_id, threshold: count, is_orig: bool%): bool
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return new Val(0, TYPE_BOOL);
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->SetThreshold(threshold, 0, is_orig);
return new Val(0, TYPE_BOOL);
%}
## Gets the current byte threshold size for a connection.
##
## cid: The connection id.
##
## is_orig: If true, threshold of originator, otherwhise threshold of responder.
##
## Returns: 0 if no threshold is set or the threshold in bytes
##
## .. bro:see:: set_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_conn_packets_threshold
function get_conn_bytes_threshold%(cid: conn_id, is_orig: bool%): count
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return new Val(0, TYPE_COUNT);
return new Val(
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetThreshold(1, is_orig),
TYPE_COUNT);
%}
## Gets the current packet threshold size for a connection.
##
## cid: The connection id.
##
## is_orig: If true, threshold of originator, otherwhise threshold of responder.
##
## Returns: 0 if no threshold is set or the threshold in packets
##
## .. bro:see:: set_conn_packets_threshold conn_bytes_threshold_crossed conn_packets_threshold_crossed
## get_conn_bytes_threshold
function get_conn_packets_threshold%(cid: conn_id, is_orig: bool%): count
%{
analyzer::Analyzer* a = GetConnsizeAnalyzer(cid);
if ( ! a )
return new Val(0, TYPE_COUNT);
return new Val(
static_cast<analyzer::conn_size::ConnSize_Analyzer*>(a)->GetThreshold(0, is_orig),
TYPE_COUNT);
%}
Reference in a new issue View git blame Copy permalink