[Bro] Notice only every four hours
Matthias Vallentin
vallentin at icir.org
Thu Nov 11 14:53:32 PST 2010
> Is there any way to only send the notice every four hours?
Assuming you want to report a single entry every 4 hours, a common idiom
is to maintain a separate set that tracks the entries already reported:
global blah_reported: set[addr,string] &create_expire = 4 hrs;
And in your event handler:
if ( [a,b] !in blah_reported )
    {
    # Report the pair, then remember it so it is not reported again
    # until the set entry expires (4 hrs after it was added).
    NOTICE(...);
    add blah_reported[a,b];
    }
If you want to instead elicit a list of Notices every 4 hours, you would
need to implement some notice buffering. (Depending on your analysis,
this could be quite memory-intensive and thus requires care.) In this
setting, you could let a dummy variable expire and flush the buffer with
notices in the expiration function - scan.bro uses a similar technique.
Matthias
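Both techniques described in the reply, written out as an added example in current Zeek (formerly Bro) script syntax; this is not code from the original post, and the module name, the `Repeated_Pair` notice type, `report_pair` and the `flush_timer` dummy table are assumptions made for the illustration:

```zeek
module NoticeRate;

export {
    redef enum Notice::Type += {
        ## Notice type constructed for this example.
        Repeated_Pair,
    };

    ## Upper bound on how often a given (address, string) pair is reported.
    const report_interval = 4 hrs &redef;
}

# Technique 1: remember what was already reported. Entries vanish
# report_interval after creation, so a pair can be re-reported only then.
global pair_reported: set[addr, string] &create_expire = report_interval;

# Technique 2: buffer messages and emit them as one summary notice.
# A single dummy table entry acts as the timer: its expiration function
# flushes the buffer and re-arms itself by returning the next wait time.
global pending: vector of string;

function flush_pending(t: table[string] of count, idx: string): interval
    {
    if ( |pending| > 0 )
        {
        NOTICE([$note=Repeated_Pair,
                $msg=fmt("%d buffered events in the last %s",
                         |pending|, report_interval),
                $sub=join_string_vec(pending, "; ")]);
        pending = vector();
        }
    # A positive return value keeps the entry alive for that long, so the
    # buffer is flushed every report_interval instead of only once.
    return report_interval;
    }

global flush_timer: table[string] of count &create_expire = report_interval
                                              &expire_func = flush_pending;

function report_pair(a: addr, s: string)
    {
    # Rate-limited path: at most one notice per pair per report_interval.
    if ( [a, s] !in pair_reported )
        {
        NOTICE([$note=Repeated_Pair, $src=a, $msg=fmt("%s: %s", a, s)]);
        add pair_reported[a, s];
        }
    # Buffered path: always record; reported in batches by flush_pending.
    pending[|pending|] = fmt("%s %s", a, s);
    }

event zeek_init()
    {
    flush_timer["dummy"] = 0;    # arm the batch timer once at startup
    }
```

The buffer holds one string per event, so on a busy sensor its size is bounded only by the event rate within report_interval, which is the memory concern the reply points out.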