thresholds.zeek¶

ConnThreshold¶

Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.

Namespace: ConnThreshold

Summary¶

Types¶

ConnThreshold::Thresholds: record

Redefinitions¶

connection: record

New Fields

connection

thresholds: ConnThreshold::Thresholds &optional

Events¶

`ConnThreshold::bytes_threshold_crossed`: `event`	Generated for a connection that crossed a set byte threshold
`ConnThreshold::duration_threshold_crossed`: `event`	Generated for a connection that crossed a set duration threshold.
`ConnThreshold::packets_threshold_crossed`: `event`	Generated for a connection that crossed a set byte threshold

Functions¶

`ConnThreshold::delete_bytes_threshold`: `function`	Deletes a byte threshold for connection sizes.
`ConnThreshold::delete_duration_threshold`: `function`	Deletes a duration threshold for a connection.
`ConnThreshold::delete_packets_threshold`: `function`	Deletes a packet threshold for connection sizes.
`ConnThreshold::set_bytes_threshold`: `function`	Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
`ConnThreshold::set_duration_threshold`: `function`	Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
`ConnThreshold::set_packets_threshold`: `function`	Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.

Detailed Interface¶

Types¶

ConnThreshold::Thresholds¶

Type

record

orig_byte: set [count] &default = { } &optional: current originator byte thresholds we watch for
resp_byte: set [count] &default = { } &optional: current responder byte thresholds we watch for
orig_packet: set [count] &default = { } &optional: current originator packet thresholds we watch for
resp_packet: set [count] &default = { } &optional: current responder packet thresholds we watch for
duration: set [interval] &default = { } &optional: current duration thresholds we watch for

Events¶

ConnThreshold::bytes_threshold_crossed¶

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold

C: the connection
Threshold: the threshold that was set
Is_orig: True if the threshold was crossed by the originator of the connection

ConnThreshold::duration_threshold_crossed¶

Type: event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

C: the connection
Threshold: the threshold that was set
Is_orig: True if the threshold was crossed by the originator of the connection

ConnThreshold::packets_threshold_crossed¶

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold

C: the connection
Threshold: the threshold that was set
Is_orig: True if the threshold was crossed by the originator of the connection

Functions¶

ConnThreshold::delete_bytes_threshold¶

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a byte threshold for connection sizes.

Cid: The connection id.
Threshold: Threshold in bytes to remove.
Is_orig: If true, threshold is removed for packets from originator, otherwhise for packets from responder.
Returns: T on success, F on failure.

ConnThreshold::delete_duration_threshold¶

Type: function (c: connection, threshold: interval) : bool

Deletes a duration threshold for a connection.

Cid: The connection id.
Threshold: Threshold in packets.
Returns: T on success, F on failure.

ConnThreshold::delete_packets_threshold¶

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a packet threshold for connection sizes.

Cid: The connection id.
Threshold: Threshold in packets.
Is_orig: If true, threshold is removed for packets from originator, otherwise for packets from responder.
Returns: T on success, F on failure.

ConnThreshold::set_bytes_threshold¶

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds. conn_bytes_threshold_crossed will be raised for each set threshold.

Cid: The connection id.
Threshold: Threshold in bytes.
Is_orig: If true, threshold is set for bytes from originator, otherwise for bytes from responder.
Returns: T on success, F on failure.

ConnThreshold::set_duration_threshold¶

Type: function (c: connection, threshold: interval) : bool

Sets a duration threshold for a connection, adding it to potentially already existing thresholds. conn_duration_threshold_crossed will be raised for each set threshold.

Cid: The connection id.
Threshold: Threshold in seconds.
Returns: T on success, F on failure.

ConnThreshold::set_packets_threshold¶

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds. conn_packets_threshold_crossed will be raised for each set threshold.

Cid: The connection id.
Threshold: Threshold in packets.
Is_orig: If true, threshold is set for packets from originator, otherwise for packets from responder.
Returns: T on success, F on failure.