base/bif/plugins/Zeek_ConnSize.events.bif.zeek

GLOBAL
Namespace:

GLOBAL

Summary

Events

conn_bytes_threshold_crossed: event

Generated for a connection that crossed a set byte threshold.

conn_duration_threshold_crossed: event

Generated for a connection that crossed a set duration threshold.

conn_generic_packet_threshold_crossed: event

Generated for any IP-based session once ConnThreshold::generic_packet_thresholds packets have been observed.

conn_packets_threshold_crossed: event

Generated for a connection that crossed a set packet threshold.

Detailed Interface

Events

conn_bytes_threshold_crossed
Type:

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set byte threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::bytes_threshold_crossed instead.

Parameters:

  • c – the connection

  • threshold – the threshold that was set

  • is_orig – true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_packets_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold

conn_duration_threshold_crossed
Type:

event (c: connection, threshold: interval, is_orig: bool)

Generated for a connection that crossed a set duration threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::duration_threshold_crossed instead.

Note that this event is not raised at the exact moment that a duration threshold is crossed; instead it is raised when the next packet is seen after the threshold has been crossed. On a connection that is idle, this can be raised significantly later.

Parameters:

  • c – the connection

  • threshold – the threshold that was set

  • is_orig – true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, set_current_conn_duration_threshold, get_current_conn_duration_threshold

conn_generic_packet_threshold_crossed
Type:

event (c: connection, threshold: count)

Generated for any IP-based session once ConnThreshold::generic_packet_thresholds packets have been observed. Only one endpoint sending traffic is sufficient to trigger the event. This allows to handle new connections, while short interactions, like scans consisting of only a few packets, are ignored.

Parameters:

  • c – the connection.

  • threshold – the threshold that was set

conn_packets_threshold_crossed
Type:

event (c: connection, threshold: count, is_orig: bool)

Generated for a connection that crossed a set packet threshold. Note that this is a low level event that should usually be avoided for user code. Use ConnThreshold::packets_threshold_crossed instead.

Parameters:

  • c – the connection

  • threshold – the threshold that was set

  • is_orig – true if the threshold was crossed by the originator of the connection

See also: set_current_conn_packets_threshold, set_current_conn_bytes_threshold, conn_bytes_threshold_crossed, get_current_conn_bytes_threshold, get_current_conn_packets_threshold, conn_duration_threshold_crossed, set_current_conn_duration_threshold, get_current_conn_duration_threshold