Add unknown_protocols.log for logging unsupported packet protocols #1254
Conversation
| @@ -113,11 +132,21 @@ class Manager : public plugin::ComponentManager<Tag, Component> { | |||
| */ | |||
| AnalyzerPtr InstantiateAnalyzer(const std::string& name); | |||
|
|
|||
| bool PermitUnknownProtocol(const std::string& analyzer, uint32_t protocol); | |||
There was a problem hiding this comment.
I would rather call that IsUnknownProtocolPermitted but I see that this aligns to the naming for Weird.
timwoj
force-pushed
the
topic/timw/1221-unknown-protocols
branch
4 times, most recently
from
cb7aa69
to
8c8ae7a
Compare
|
|
||
| ## How many reports for an analyzer/protocol pair will be allowed to | ||
| ## raise events for logging being rate-limited. | ||
| option sampling_threshold : count = 25 &redef; |
There was a problem hiding this comment.
Think it may be be fine to have a much lower threshold by default. Maybe like 1-3 really seems enough.
There was a problem hiding this comment.
Yah the values of these was really up for review here. I picked the defaults used for weirds, but I agree that it can still be a ton of output.
| ## rate-limited pairs of a given type will be allowed to raise events | ||
| ## for further script-layer handling. Setting the sampling rate to 0 | ||
| ## will disable all output of rate-limited pairs. | ||
| option sampling_rate : count = 1000 &redef; |
There was a problem hiding this comment.
Again, thinking we may want pretty generous defaults since this stuff is all possibly checking per-packet. Maybe 100k ?
| ## How long an analyzer/protocol pair is allowed to keep state/counters in | ||
| ## in memory. Once the threshold has been hit, this is the amount of time | ||
| ## before the rate-limiting for a pair expires and is reset. | ||
| option sampling_duration = 10min &redef; |
There was a problem hiding this comment.
Maybe in the realm of hour(s) instead ?
|
Fixed the few comments and updated the external testing baseline. |
timwoj
force-pushed
the
topic/timw/1221-unknown-protocols
branch
from
2a9e1b8
to
f3424e1
Compare
timwoj
force-pushed
the
topic/timw/1221-unknown-protocols
branch
from
f3424e1
to
b8abdb6
Compare
timwoj
force-pushed
the
topic/timw/1221-unknown-protocols
branch
from
b8abdb6
to
e7c2621
Compare
timwoj
force-pushed
the
topic/timw/1221-unknown-protocols
branch
from
e7c2621
to
c3cf36e
Compare
This code is modeled after how we log weirds, and how rate-limiting happens for them. It's currently using the same values for the rate limiting, but I'm open to suggestions for adjustments to those. Also, I really don't like the
first_bytesvariable name but I was struggling to come up with anything better.Fixes #1221
The external testing repos need merging from branches with the same name.