mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
7eb849ddf4
This change adds two new hooks to the Intel framework that can be used to intercept added and removed indicators and their type. These hooks are fairly low-level. One immediate use-case is to count the number of indicators loaded per Intel::Type and enable and disable the corresponding event groups of the intel/seen scripts. I attempted to gauge the overhead and while it's definitely there, loading a file with ~500k DOMAIN entries takes somewhere around ~0.5 seconds hooks when populated via the min_data_store store mechanism. While that doesn't sound great, it actually takes the manager on my system 2.5 seconds to serialize and Cluster::publish() the min_data_store alone and its doing that serially for every active worker. Mostly to say that the bigger overhead in that area on the manager doing redundant work per worker. Co-authored-by: Mohan Dhawan <mohan@corelight.com> |
||
|---|---|---|
| .. | ||
| analyzer | ||
| broker | ||
| cluster | ||
| config | ||
| control | ||
| files | ||
| input | ||
| intel | ||
| logging | ||
| netcontrol | ||
| notice | ||
| openflow | ||
| packet-filter | ||
| reporter | ||
| signatures | ||
| software | ||
| spicy | ||
| storage | ||
| sumstats | ||
| supervisor | ||
| telemetry | ||
| tunnels | ||