thresholds.zeek¶

ConnThreshold¶

Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.

Namespace:	ConnThreshold

Summary¶

Types¶

ConnThreshold::Thresholds: record

Redefinitions¶

connection: record

Events¶

`ConnThreshold::bytes_threshold_crossed`: `event`	Generated for a connection that crossed a set byte threshold
`ConnThreshold::duration_threshold_crossed`: `event`	Generated for a connection that crossed a set duration threshold.
`ConnThreshold::packets_threshold_crossed`: `event`	Generated for a connection that crossed a set byte threshold

Functions¶

`ConnThreshold::delete_bytes_threshold`: `function`	Deletes a byte threshold for connection sizes.
`ConnThreshold::delete_duration_threshold`: `function`	Deletes a duration threshold for a connection.
`ConnThreshold::delete_packets_threshold`: `function`	Deletes a packet threshold for connection sizes.
`ConnThreshold::set_bytes_threshold`: `function`	Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
`ConnThreshold::set_duration_threshold`: `function`	Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
`ConnThreshold::set_packets_threshold`: `function`	Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.

Detailed Interface¶

Types¶

ConnThreshold::Thresholds¶

Type:

record

orig_byte: set [count] &default = { } &optional: current originator byte thresholds we watch for
resp_byte: set [count] &default = { } &optional: current responder byte thresholds we watch for
orig_packet: set [count] &default = { } &optional: current originator packet thresholds we watch for
resp_packet: set [count] &default = { } &optional: current responder packet thresholds we watch for
duration: set [interval] &default = { } &optional: current duration thresholds we watch for

Events¶

ConnThreshold::bytes_threshold_crossed¶

Type:	`event` (c: `connection`, threshold: `count`, is_orig: `bool`)

Generated for a connection that crossed a set byte threshold

C:	the connection
Threshold:	the threshold that was set
Is_orig:	True if the threshold was crossed by the originator of the connection

ConnThreshold::duration_threshold_crossed¶

Type:	`event` (c: `connection`, threshold: `interval`, is_orig: `bool`)

Generated for a connection that crossed a set duration threshold. Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

C:	the connection
Threshold:	the threshold that was set
Is_orig:	True if the threshold was crossed by the originator of the connection

ConnThreshold::packets_threshold_crossed¶

Type:	`event` (c: `connection`, threshold: `count`, is_orig: `bool`)

Generated for a connection that crossed a set byte threshold

C:	the connection
Threshold:	the threshold that was set
Is_orig:	True if the threshold was crossed by the originator of the connection

Functions¶

ConnThreshold::delete_bytes_threshold¶

Type:	`function` (c: `connection`, threshold: `count`, is_orig: `bool`) : `bool`

Deletes a byte threshold for connection sizes.

Cid:	The connection id.
Threshold:	Threshold in bytes to remove.
Is_orig:	If true, threshold is removed for packets from originator, otherwhise for packets from responder.
Returns:	T on success, F on failure.

ConnThreshold::delete_duration_threshold¶

Type:	`function` (c: `connection`, threshold: `interval`) : `bool`

Deletes a duration threshold for a connection.

Cid:	The connection id.
Threshold:	Threshold in packets.
Returns:	T on success, F on failure.

ConnThreshold::delete_packets_threshold¶

Type:	`function` (c: `connection`, threshold: `count`, is_orig: `bool`) : `bool`

Deletes a packet threshold for connection sizes.

Cid:	The connection id.
Threshold:	Threshold in packets.
Is_orig:	If true, threshold is removed for packets from originator, otherwise for packets from responder.
Returns:	T on success, F on failure.

ConnThreshold::set_bytes_threshold¶

Type:	`function` (c: `connection`, threshold: `count`, is_orig: `bool`) : `bool`

Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds. conn_bytes_threshold_crossed will be raised for each set threshold.

Cid:	The connection id.
Threshold:	Threshold in bytes.
Is_orig:	If true, threshold is set for bytes from originator, otherwise for bytes from responder.
Returns:	T on success, F on failure.

ConnThreshold::set_duration_threshold¶

Type:	`function` (c: `connection`, threshold: `interval`) : `bool`

Sets a duration threshold for a connection, adding it to potentially already existing thresholds. conn_duration_threshold_crossed will be raised for each set threshold.

Cid:	The connection id.
Threshold:	Threshold in seconds.
Returns:	T on success, F on failure.

ConnThreshold::set_packets_threshold¶

Type:	`function` (c: `connection`, threshold: `count`, is_orig: `bool`) : `bool`

Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds. conn_packets_threshold_crossed will be raised for each set threshold.

Cid:	The connection id.
Threshold:	Threshold in packets.
Is_orig:	If true, threshold is set for packets from originator, otherwise for packets from responder.
Returns:	T on success, F on failure.