base/protocols/conn/thresholds.zeek
- ConnThreshold
Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.
- Namespace
ConnThreshold
Summary
Types
Redefinitions
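Events
- ConnThreshold::bytes_threshold_crossed: Generated for a connection that crossed a set byte threshold
- ConnThreshold::duration_threshold_crossed: Generated for a connection that crossed a set duration threshold.
- ConnThreshold::packets_threshold_crossed: Generated for a connection that crossed a set byte threshold
Functions
- ConnThreshold::delete_bytes_threshold: Deletes a byte threshold for connection sizes.
- ConnThreshold::delete_duration_threshold: Deletes a duration threshold for a connection.
- ConnThreshold::delete_packets_threshold: Deletes a packet threshold for connection sizes.
- ConnThreshold::set_bytes_threshold: Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.
- ConnThreshold::set_duration_threshold: Sets a duration threshold for a connection, adding it to potentially already existing thresholds.
- ConnThreshold::set_packets_threshold: Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.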
Detailed Interface
Types
- ConnThreshold::Thresholds
- Type
record
- orig_byte: set[count] &default={ } &optional
current originator byte thresholds we watch for
- resp_byte: set[count] &default={ } &optional
current responder byte thresholds we watch for
- orig_packet: set[count] &default={ } &optional
current originator packet thresholds we watch for
- resp_packet: set[count] &default={ } &optional
current responder packet thresholds we watch for
- duration: set[interval] &default={ } &optional
current duration thresholds we watch for
Events
- ConnThreshold::bytes_threshold_crossed
- Type
event (c: connection, threshold: count, is_orig: bool)
Generated for a connection that crossed a set byte threshold
- Parameters
c – the connection
threshold – the threshold that was set
is_orig – True if the threshold was crossed by the originator of the connection
- ConnThreshold::duration_threshold_crossed
- Type
event (c: connection, threshold: interval, is_orig: bool)
Generated for a connection that crossed a set duration threshold. Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.
- Parameters
c – the connection
threshold – the threshold that was set
is_orig – True if the threshold was crossed by the originator of the connection
- ConnThreshold::packets_threshold_crossed
- Type
event (c: connection, threshold: count, is_orig: bool)
Generated for a connection that crossed a set byte threshold
- Parameters
c – the connection
threshold – the threshold that was set
is_orig – True if the threshold was crossed by the originator of the connection
Functions
- ConnThreshold::delete_bytes_threshold
- Type
function (c: connection, threshold: count, is_orig: bool) : bool
Deletes a byte threshold for connection sizes.
- Parameters
cid – The connection id.
threshold – Threshold in bytes to remove.
is_orig – If true, threshold is removed for packets from originator, otherwise for packets from responder.
- Returns
T on success, F on failure.
- ConnThreshold::delete_duration_threshold
- Type
function (c: connection, threshold: interval) : bool
Deletes a duration threshold for a connection.
- Parameters
cid – The connection id.
threshold – Threshold in packets.
- Returns
T on success, F on failure.
- ConnThreshold::delete_packets_threshold
- Type
function (c: connection, threshold: count, is_orig: bool) : bool
Deletes a packet threshold for connection sizes.
- Parameters
cid – The connection id.
threshold – Threshold in packets.
is_orig – If true, threshold is removed for packets from originator, otherwise for packets from responder.
- Returns
T on success, F on failure.
- ConnThreshold::set_bytes_threshold
- Type
function (c: connection, threshold: count, is_orig: bool) : bool
Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds. conn_bytes_threshold_crossed will be raised for each set threshold.
- Parameters
cid – The connection id.
threshold – Threshold in bytes.
is_orig – If true, threshold is set for bytes from originator, otherwise for bytes from responder.
- Returns
T on success, F on failure.
- ConnThreshold::set_duration_threshold
- Type
function (c: connection, threshold: interval) : bool
Sets a duration threshold for a connection, adding it to potentially already existing thresholds. conn_duration_threshold_crossed will be raised for each set threshold.
- Parameters
cid – The connection id.
threshold – Threshold in seconds.
- Returns
T on success, F on failure.
- ConnThreshold::set_packets_threshold
- Type
function (c: connection, threshold: count, is_orig: bool) : bool
Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds. conn_packets_threshold_crossed will be raised for each set threshold.
- Parameters
cid – The connection id.
threshold – Threshold in packets.
is_orig – If true, threshold is set for packets from originator, otherwise for packets from responder.
- Returns
T on success, F on failure.
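Example
The following script is an added usage example, not part of the Zeek distribution or its documentation. It sets several originator byte thresholds and one duration threshold on outbound connections and turns the resulting ConnThreshold events into notices. The module name TransferWatch, the two notice types and the threshold values are assumptions chosen for illustration.

```zeek
# Added example; module name, notice types and limits are assumptions.
@load base/protocols/conn/thresholds
@load base/frameworks/notice
@load base/utils/site

module TransferWatch;

export {
	redef enum Notice::Type += { Large_Outbound_Transfer, Long_Lived_Connection };

	# Originator byte counts to alert on (constructed values; tune per network).
	const byte_steps: set[count] = { 100000000, 1000000000 } &redef;
	# Connections open longer than this are reported.
	const max_duration: interval = 1hr &redef;
}

event new_connection(c: connection)
	{
	# Watch only connections from a local host to a non-local one.
	if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
		return;

	# Thresholds accumulate per connection, so every step raises its own event.
	for ( step in byte_steps )
		if ( ! ConnThreshold::set_bytes_threshold(c, step, T) )
			Reporter::warning(fmt("byte threshold %d not set for %s", step, c$uid));

	if ( ! ConnThreshold::set_duration_threshold(c, max_duration) )
		Reporter::warning(fmt("duration threshold not set for %s", c$uid));
	}

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	if ( ! is_orig )
		return;

	NOTICE([$note=Large_Outbound_Transfer, $conn=c,
	        $msg=fmt("%s sent at least %d bytes to %s", c$id$orig_h, threshold, c$id$resp_h),
	        $identifier=cat(c$uid, threshold)]);
	}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	# The event arrives with the first packet after the threshold, so report
	# the observed duration as well as the configured one.
	NOTICE([$note=Long_Lived_Connection, $conn=c,
	        $msg=fmt("%s open for %s (threshold %s)", c$uid, c$duration, threshold),
	        $identifier=cat(c$uid, threshold)]);
	}
```

Because the duration event is only raised when a packet is seen, a connection that goes idle after crossing max_duration produces no notice until traffic resumes.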