thresholds.zeek

ConnThreshold

Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.

Namespace: ConnThreshold

Summary

Types

ConnThreshold::Thresholds: record

Redefinitions

connection: record

New Fields

connection

thresholds: ConnThreshold::Thresholds &optional

Events

`ConnThreshold::bytes_threshold_crossed`: `event`	Generated for a connection that crossed a set byte threshold
`ConnThreshold::duration_threshold_crossed`: `event`	Generated for a connection that crossed a set duration threshold.
`ConnThreshold::packets_threshold_crossed`: `event`	Generated for a connection that crossed a set byte threshold

Functions

`ConnThreshold::delete_bytes_threshold`: `function`	Deletes a byte threshold for connection sizes.
`ConnThreshold::delete_duration_threshold`: `function`	Deletes a duration threshold for a connection.
`ConnThreshold::delete_packets_threshold`: `function`	Deletes a packet threshold for connection sizes.
`ConnThreshold::set_bytes_threshold`: `function`	Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
`ConnThreshold::set_duration_threshold`: `function`	Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
`ConnThreshold::set_packets_threshold`: `function`	Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.

Detailed Interface

Types

ConnThreshold::Thresholds 

Type

record

orig_byte: set [count] &default = { } &optional: current originator byte thresholds we watch for
resp_byte: set [count] &default = { } &optional: current responder byte thresholds we watch for
orig_packet: set [count] &default = { } &optional: current originator packet thresholds we watch for
resp_packet: set [count] &default = { } &optional: current responder packet thresholds we watch for
duration: set [interval] &default = { } &optional: current duration thresholds we watch for

Events

ConnThreshold::bytes_threshold_crossed 

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold

Parameters

c – the connection
threshold – the threshold that was set
is_orig – True if the threshold was crossed by the originator of the connection

ConnThreshold::duration_threshold_crossed 

Type: event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

Parameters

c – the connection
threshold – the threshold that was set
is_orig – True if the threshold was crossed by the originator of the connection

ConnThreshold::packets_threshold_crossed 

Type: event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold

Parameters

c – the connection
threshold – the threshold that was set
is_orig – True if the threshold was crossed by the originator of the connection

Functions

ConnThreshold::delete_bytes_threshold 

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a byte threshold for connection sizes.

Parameters

cid – The connection id.
threshold – Threshold in bytes to remove.
is_orig – If true, threshold is removed for packets from originator, otherwise for packets from responder.

Returns

T on success, F on failure.

ConnThreshold::delete_duration_threshold 

Type: function (c: connection, threshold: interval) : bool

Deletes a duration threshold for a connection.

Parameters

cid – The connection id.
threshold – Threshold in packets.

Returns

T on success, F on failure.

ConnThreshold::delete_packets_threshold 

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a packet threshold for connection sizes.

Parameters

cid – The connection id.
threshold – Threshold in packets.
is_orig – If true, threshold is removed for packets from originator, otherwise for packets from responder.

Returns

T on success, F on failure.

ConnThreshold::set_bytes_threshold 

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds. conn_bytes_threshold_crossed will be raised for each set threshold.

Parameters

cid – The connection id.
threshold – Threshold in bytes.
is_orig – If true, threshold is set for bytes from originator, otherwise for bytes from responder.

Returns

T on success, F on failure.

ConnThreshold::set_duration_threshold 

Type: function (c: connection, threshold: interval) : bool

Sets a duration threshold for a connection, adding it to potentially already existing thresholds. conn_duration_threshold_crossed will be raised for each set threshold.

Parameters

cid – The connection id.
threshold – Threshold in seconds.

Returns

T on success, F on failure.

ConnThreshold::set_packets_threshold 

Type: function (c: connection, threshold: count, is_orig: bool) : bool

Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds. conn_packets_threshold_crossed will be raised for each set threshold.

Parameters

cid – The connection id.
threshold – Threshold in packets.
is_orig – If true, threshold is set for packets from originator, otherwise for packets from responder.

Returns

T on success, F on failure.