base/utils/thresholds.zeek

GLOBAL

Functions for using multiple thresholds with a counting tracker. For example, you may want to generate a notice when something happens 10 times and again when it happens 100 times, but nothing in between. You can use the check_threshold function to define your threshold points and a TrackCount record to keep track of your counter.

Namespace

GLOBAL

Summary

Redefinable Options

default_notice_thresholds: vector &redef

The thresholds you would like to use as defaults with the default_check_threshold function.

Types

TrackCount: record

Functions

check_threshold: function

This will check if a TrackCount variable has crossed any thresholds in a given set.

default_check_threshold: function

This will use the default_notice_thresholds variable to check a TrackCount variable to see if it has crossed another threshold.

new_track_count: function

Detailed Interface

Redefinable Options

default_notice_thresholds
Type

vector of count

Attributes

&redef

Default
[30, 100, 1000, 10000, 100000, 1000000, 10000000]

The thresholds you would like to use as defaults with the default_check_threshold function.

Types

TrackCount
Type

record

n: count &default = 0 &optional

The counter for the number of times something has happened.

index: count &default = 0 &optional

The index into the threshold vector that the counter has currently reached. This is used to track which threshold is currently being watched for.

Functions

check_threshold
Type

function (v: vector of count, tracker: TrackCount) : bool

This will check if a TrackCount variable has crossed any thresholds in a given set.

Parameters
  • v – a vector holding counts that represent thresholds.

  • tracker – the record used to track the event counter and the currently monitored threshold value.

Returns

T if a threshold has been crossed, else F.

default_check_threshold
Type

function (tracker: TrackCount) : bool

This will use the default_notice_thresholds variable to check a TrackCount variable to see if it has crossed another threshold.

new_track_count
Type

function () : TrackCount
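
As an added usage example (not code from thresholds.zeek or from the Zeek project), the script below counts rejected TCP connections per originating host and raises a notice only when that host's count crosses one of a configured set of thresholds, so a noisy scanner produces one notice at 10, one at 100 and one at 1000 rather than one per attempt. The module name ThresholdExample, the notice type Rejected_Conn_Threshold, the vector rejected_thresholds, the table rejected_conns and its one-hour expiry are all assumptions made for this example.

```zeek
##! Added example: per-host threshold notices built on base/utils/thresholds.zeek.
##! Not part of the Zeek distribution; the names below are constructed for illustration.

@load base/frameworks/notice
@load base/utils/thresholds

module ThresholdExample;

export {
	redef enum Notice::Type += {
		## Raised once each time a host's rejected-connection count crosses
		## a threshold in rejected_thresholds (hypothetical notice type).
		Rejected_Conn_Threshold,
	};

	## Thresholds for this example: a smaller set than default_notice_thresholds
	## so the behaviour is easy to exercise against a test capture.
	const rejected_thresholds: vector of count = { 10, 100, 1000 } &redef;

	## One TrackCount per originating host. Idle entries are dropped after an
	## hour so the table does not grow without bound (constructed value).
	global rejected_conns: table[addr] of TrackCount &create_expire=1hr;
}

event connection_rejected(c: connection)
	{
	local orig = c$id$orig_h;

	if ( orig !in rejected_conns )
		rejected_conns[orig] = new_track_count();

	# Records are reference types, so incrementing through this local
	# updates the entry stored in the table.
	local t = rejected_conns[orig];
	++t$n;

	# check_threshold returns T only when t$n reaches the threshold that
	# t$index currently points at, and then moves t$index on to the next one.
	# Every count in between returns F, so each threshold yields exactly one
	# notice. Use default_check_threshold(t) instead to rely on
	# default_notice_thresholds.
	if ( ! check_threshold(rejected_thresholds, t) )
		return;

	NOTICE([$note=Rejected_Conn_Threshold,
	        $conn=c,
	        $src=orig,
	        $n=t$n,
	        $msg=fmt("%s has had %d connection attempts rejected", orig, t$n),
	        $identifier=cat(orig, t$n)]);
	}
```

Passing an explicit vector to check_threshold keeps the example's thresholds local to this module; redefining default_notice_thresholds would instead change them for every script that calls default_check_threshold. Including the current count in $identifier lets the notice framework suppress duplicates per host and threshold without suppressing the next, higher threshold.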