base/protocols/conn/thresholds.zeek

ConnThreshold

Implements a generic API to throw events when a connection crosses a fixed threshold of bytes or packets.

Namespace

ConnThreshold

Summary

Types

ConnThreshold::Thresholds: record

Redefinitions

connection: record

New Fields

connection

thresholds: ConnThreshold::Thresholds &optional

Events

ConnThreshold::bytes_threshold_crossed: event

Generated for a connection that crossed a set byte threshold.

ConnThreshold::duration_threshold_crossed: event

Generated for a connection that crossed a set duration threshold.

ConnThreshold::packets_threshold_crossed: event

Generated for a connection that crossed a set packet threshold.

Functions

ConnThreshold::delete_bytes_threshold: function

Deletes a byte threshold for connection sizes.

ConnThreshold::delete_duration_threshold: function

Deletes a duration threshold for a connection.

ConnThreshold::delete_packets_threshold: function

Deletes a packet threshold for connection sizes.

ConnThreshold::set_bytes_threshold: function

Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds.

ConnThreshold::set_duration_threshold: function

Sets a duration threshold for a connection, adding it to potentially already existing thresholds.

ConnThreshold::set_packets_threshold: function

Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds.

Detailed Interface

Types

ConnThreshold::Thresholds
Type

record

orig_byte: set [count] &default = {  } &optional

Current originator byte thresholds we watch for.

resp_byte: set [count] &default = {  } &optional

Current responder byte thresholds we watch for.

orig_packet: set [count] &default = {  } &optional

Current originator packet thresholds we watch for.

resp_packet: set [count] &default = {  } &optional

Current responder packet thresholds we watch for.

duration: set [interval] &default = {  } &optional

Current duration thresholds we watch for.

Events

ConnThreshold::bytes_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold.

Parameters
  • c – the connection

  • threshold – the threshold that was set

  • is_orig – True if the threshold was crossed by the originator of the connection

ConnThreshold::duration_threshold_crossed
Type

event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

Parameters
  • c – the connection

  • threshold – the threshold that was set

  • is_orig – True if the threshold was crossed by the originator of the connection

ConnThreshold::packets_threshold_crossed
Type

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold.

Parameters
  • c – the connection

  • threshold – the threshold that was set

  • is_orig – True if the threshold was crossed by the originator of the connection

Functions

ConnThreshold::delete_bytes_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a byte threshold for connection sizes.

Parameters
  • c – The connection.

  • threshold – Threshold in bytes to remove.

  • is_orig – If true, the threshold is removed for bytes from the originator, otherwise for bytes from the responder.

Returns

T on success, F on failure.

ConnThreshold::delete_duration_threshold
Type

function (c: connection, threshold: interval) : bool

Deletes a duration threshold for a connection.

Parameters
  • c – The connection.

  • threshold – Threshold in seconds to remove.

Returns

T on success, F on failure.

ConnThreshold::delete_packets_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Deletes a packet threshold for connection sizes.

Parameters
  • c – The connection.

  • threshold – Threshold in packets to remove.

  • is_orig – If true, the threshold is removed for packets from the originator, otherwise for packets from the responder.

Returns

T on success, F on failure.

ConnThreshold::set_bytes_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Sets a byte threshold for connection sizes, adding it to potentially already existing thresholds. conn_bytes_threshold_crossed will be raised for each set threshold.

Parameters
  • c – The connection.

  • threshold – Threshold in bytes.

  • is_orig – If true, the threshold is set for bytes from the originator, otherwise for bytes from the responder.

Returns

T on success, F on failure.

ConnThreshold::set_duration_threshold
Type

function (c: connection, threshold: interval) : bool

Sets a duration threshold for a connection, adding it to potentially already existing thresholds. conn_duration_threshold_crossed will be raised for each set threshold.

Parameters
  • c – The connection.

  • threshold – Threshold in seconds.

Returns

T on success, F on failure.

ConnThreshold::set_packets_threshold
Type

function (c: connection, threshold: count, is_orig: bool) : bool

Sets a packet threshold for connection sizes, adding it to potentially already existing thresholds. conn_packets_threshold_crossed will be raised for each set threshold.

Parameters
  • c – The connection.

  • threshold – Threshold in packets.

  • is_orig – If true, the threshold is set for packets from the originator, otherwise for packets from the responder.

Returns

T on success, F on failure.
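Usage example

The following script is an added illustration of this API and is not part of base/protocols/conn/thresholds.zeek. It arms an originator byte threshold and a duration threshold on every established TCP connection and turns the resulting events into notices; the module name, the two Notice::Type values and the tunable limits are hypothetical choices for the example.

```zeek
@load base/frameworks/notice
@load base/protocols/conn/thresholds

module ConnThresholdExample;

export {
	redef enum Notice::Type += {
		## Originator sent more bytes than the configured limit.
		Large_Upload,
		## Connection stayed open longer than the configured limit.
		Long_Connection,
	};

	## Hypothetical tunables; pick values that suit your network.
	const upload_bytes: count = 50 * 1024 * 1024 &redef;
	const long_duration: interval = 1hr &redef;
}

event connection_established(c: connection)
	{
	# Arm both thresholds once the TCP handshake completes. Thresholds
	# accumulate, so several can be outstanding on one connection.
	if ( ! ConnThreshold::set_bytes_threshold(c, upload_bytes, T) )
		Reporter::warning(fmt("could not set byte threshold on %s", c$uid));

	ConnThreshold::set_duration_threshold(c, long_duration);
	}

event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is_orig: bool)
	{
	# Only the originator-side threshold was armed above; ignore responder hits.
	if ( ! is_orig )
		return;

	NOTICE([$note=Large_Upload, $conn=c,
	        $msg=fmt("%s sent more than %d bytes to %s", c$id$orig_h, threshold, c$id$resp_h),
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	# Raised on the first packet seen after the threshold elapses, not at the
	# exact moment, so an idle connection can report noticeably late.
	NOTICE([$note=Long_Connection, $conn=c,
	        $msg=fmt("connection %s open longer than %s", c$uid, threshold)]);
	}
```

Because duration_threshold_crossed depends on a later packet, a connection that goes idle and then times out without further traffic never raises it; pair the duration threshold with conn.log inspection if that case matters.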