README.md (5 additions & 5 deletions)
@@ -4,11 +4,11 @@ This package provides limiting mechanisms for Zeek's intelligence framework. Thi
4
4
5
5
## Installation
6
6
7
-
The scripts are available as package for the [Bro/Zeek Package Manager](https://github.com/zeek/package-manager) and can be installed using the following command: `bro-pkg install intel-limiter`
7
+
The scripts are available as package for the [Zeek Package Manager](https://github.com/zeek/package-manager) and can be installed using the following command: `zkg install intel-limiter`
8
8
9
9
## General Usage
10
10
11
-
To enable per item thresholds and heavy hitter suppression make sure the package is loaded: `bro-pkg load intel-limiter`
11
+
To enable per item thresholds and heavy hitter suppression make sure the package is loaded: `zkg load intel-limiter`
12
12
13
13
### Matching Thresholds
14
14
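Review bot: the `bro-pkg` to `zkg` rename in the Installation and General Usage lines drops the old command entirely without saying which Zeek or package-manager version the README now assumes; consider adding one sentence under `## Installation` stating the minimum Zeek version the package targets, so users on older installations know why `zkg` is not available to them. While these lines are being touched, `available as package` should read `available as a package`, and `per item thresholds` reads more naturally as `per-item thresholds`.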
@@ -20,22 +20,22 @@ With the package loaded, intel items might specify a new meta data field `meta.m
20
20
```
21
21
Once a match is triggered, the internal match counter will be reset and the next match is triggered after the threshold is reached again. The threshold counters are managed per item. If two items that are obtained from different sources share the *same* indicator, thresholds do not interfere. For example, if thresholds of two and four are specified for a single indicator, every fourth time the indicator is seen a hit containing all meta data will be generated, while every second reporting will cause a match containing only the meta data of the item that defines the threshold of two.
22
22
23
-
**Note:**As Bro 2.6does not pass modified hook parameters along the chain, hits will be reported in the correct frequency but contain the meta data of all items.
23
+
**Note:**Since version 2.6, Zeek does not pass modified hook parameters along the chain. Thus, hits will be reported in the correct frequency but contain the meta data of all items.
24
24
25
25
### Heavy Hitter Suppression
26
26
27
27
To enable heavy hitter suppression, a heavy hitter interval and threshold have to be specified. The option `heavy_hitter_interval` defines the time window in which at most `heavy_hitter_threshold` hits might occur. If more hits are observed in that time window, the indicator is removed. By default the threshold is set to zero which disables suppression. When removing an heavy hitter, a reporter warning is generated to inform the user about the removal.
28
28
29
29
## Background
30
30
31
-
The script `item-threshold.bro` implements per item thresholds and is loaded by default. Per item thresholds are realized using two additional meta data fields:
31
+
The script `item-threshold.zeek` implements per item thresholds and is loaded by default. Per item thresholds are realized using two additional meta data fields:
32
32
*`matching_threshold` defines the number of reports required to trigger a match
33
33
*`recent_matches` implements a counter for recent matches
34
34
35
35
To prevent matching of an item before the specified threshold is reached, the script handles the `extend_match` hook of the intelligence framework and checks the number of recent hits.
36
36
For further details on the intel framework see the corresponding [blog post](https://blog.zeek.org/2016/12/the-intelligence-framework-update.html).
37
37
38
-
The script `heaver-hitter.bro` implements heavy hitter suppression simply by tracking hits per indicator in a table. Note that item removal and reporting a warning is a very simple strategy. In more complex environments one would want to report heavy hitters using a dedicated feedback channel, e.g. implemented with broker.
38
+
The script `heaver-hitter.zeek` implements heavy hitter suppression simply by tracking hits per indicator in a table. Note that item removal and reporting a warning is a very simple strategy. In more complex environments one would want to report heavy hitters using a dedicated feedback channel, e.g. implemented with broker.
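Review bot: the rewritten note `**Note:**Since version 2.6, Zeek does not pass modified hook parameters along the chain` changes the meaning of the removed line (`As Bro 2.6does not pass ...`) from a statement about one release to a statement about every release from 2.6 onward; if that is intended, the threshold example two paragraphs above, which still promises a match containing only the meta data of the item that defines the threshold of two, should say that this only holds on releases before 2.6. Both the old and the new line also lack a space after `**Note:**`. Further down, `heaver-hitter.zeek` carries over the apparent misspelling of `heaver-hitter.bro`: if the script file is really named that way, renaming it to `heavy-hitter.zeek` in the same commit would be appropriate; if it is not, the README points at a file that does not exist. Finally, `broker` in the last sentence refers to Zeek's Broker communication library and should be capitalized.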