[Bro-Dev] $history extensions - zero windows, logarithmic counts
Vern Paxson
vern at corelight.com
Fri Jun 15 11:24:08 PDT 2018
> I really like those ideas, especially the logarithmic count.
Cool :-).
> How much would it cost to have an event fired when those thresholds are crossed?
Nice thought. I think it would be too expensive if done for the first
instance, but for each of the backed-off instances it ought to be rare
enough that it's not a problem. So maybe something like:
## Generated each time a reporting threshold (10, 100, 1000, ...)
## is crossed, starting with 10.
event multiple_tcp_zero_windows(c: connection, is_orig: bool,
                                threshold: count);
event multiple_tcp_checksum_errors(c: connection, is_orig: bool,
                                   threshold: count);
event multiple_tcp_retransmissions(c: connection, is_orig: bool,
                                   threshold: count);
?
Vern
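As an added example, not part of this message and not Bro/Zeek code: the Python below models the cost argument in the proposal. A counter per (kind, connection, direction) is bumped on every occurrence, and a callback standing in for the sketched multiple_tcp_* events runs only when the count reaches 10, 100, 1000, and so on. The connection tuple and the occurrence counts in the sample workload are constructed.

```python
"""Logarithmic (power-of-ten) threshold reporting for per-connection TCP anomalies.

Added example, not code from the thread or from Bro/Zeek.  The kinds
"zero_windows", "checksum_errors" and "retransmissions" mirror the three
sketched events; connection tuples and occurrence counts are constructed.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

FIRST_THRESHOLD = 10  # reporting starts at 10 and then grows tenfold each time

# (orig_h, orig_p, resp_h, resp_p); stands in for Bro's conn_id (constructed)
ConnKey = Tuple[str, int, str, int]
Firing = Tuple[str, ConnKey, bool, int]  # (kind, conn, is_orig, threshold)


def is_power_of_ten(n: int) -> bool:
    """True for 1, 10, 100, 1000, ... using integer arithmetic only."""
    if n < 1:
        return False
    while n % 10 == 0:
        n //= 10
    return n == 1


def expected_firings(total: int) -> int:
    """Number of thresholds (10, 100, ...) crossed by `total` occurrences."""
    fired, t = 0, FIRST_THRESHOLD
    while t <= total:
        fired += 1
        t *= 10
    return fired


class ThresholdTracker:
    """Per-(kind, connection, direction) counters that report only on crossings."""

    def __init__(self, on_threshold: Callable[[str, ConnKey, bool, int], None]):
        self.on_threshold = on_threshold  # stand-in for raising multiple_tcp_<kind>
        self.counts: Dict[Tuple[str, ConnKey, bool], int] = defaultdict(int)

    def observe(self, kind: str, conn: ConnKey, is_orig: bool) -> int:
        """Record one occurrence.  Returns the threshold just crossed, else 0.

        The counter increment is the only per-packet cost; the callback runs
        at most floor(log10(count)) times over the connection's lifetime.
        """
        key = (kind, conn, is_orig)
        self.counts[key] += 1
        n = self.counts[key]
        if n >= FIRST_THRESHOLD and is_power_of_ten(n):
            self.on_threshold(kind, conn, is_orig, n)
            return n
        return 0


def simulate(events: List[Tuple[str, ConnKey, bool]]) -> List[Firing]:
    """Feed a sequence of (kind, conn, is_orig) occurrences; collect firings."""
    fired: List[Firing] = []
    tracker = ThresholdTracker(lambda k, c, o, n: fired.append((k, c, o, n)))
    for kind, conn, is_orig in events:
        tracker.observe(kind, conn, is_orig)
    return fired


def build_sample_events() -> List[Tuple[str, ConnKey, bool]]:
    """Constructed workload: one connection with a stalled responder
    (1234 zero windows), a lossy originator (57 retransmissions) and a
    few checksum errors (3).  Order is irrelevant to the counters."""
    conn: ConnKey = ("10.0.0.5", 51234, "10.0.0.9", 443)
    events: List[Tuple[str, ConnKey, bool]] = []
    events += [("zero_windows", conn, False)] * 1234
    events += [("retransmissions", conn, True)] * 57
    events += [("checksum_errors", conn, True)] * 3
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    firings = simulate(sample)
    for kind, conn, is_orig, n in firings:
        side = "orig" if is_orig else "resp"
        print(f"multiple_tcp_{kind}: {conn} {side} crossed {n}")
    print(f"{len(firings)} events for {len(sample)} occurrences")
```

Running it shows four callbacks for 1294 occurrences (zero windows at 10, 100 and 1000; retransmissions at 10; none for three checksum errors), which is the point of starting at 10 and backing off by a factor of ten: handler cost grows with log10 of the occurrence count, not with the count itself.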