> I really like those ideas, especially the logarithmic count. Cool :-).
> How much would it cost to have an event fired when those thresholds are
> crossed?

Nice thought. I think it would be too expensive if done for the first
instance, but for each of the backed-off instances it ought to be rare
enough that it's not a problem. So maybe something like:

    ## Generated each time a reporting threshold (10, 100, 1000, ...)
    ## is crossed, starting with 10.
    event multiple_tcp_zero_windows(c: connection, is_orig: bool, threshold: count);
    event multiple_tcp_checksum_errors(c: connection, is_orig: bool, threshold: count);
    event multiple_tcp_retransmissions(c: connection, is_orig: bool, threshold: count);

?

        Vern
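
The backed-off reporting discussed in this thread, as an added example (not Bro's implementation and not part of the message above): a counter that reports only when a power-of-ten threshold is crossed, so n occurrences generate about log10(n) events. BackoffCounter, Record and ThresholdsFor are hypothetical names chosen for the illustration.

```cpp
// Added illustration, not Bro source: all names here are hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

// Per-direction counter for one kind of TCP anomaly (e.g. retransmissions).
struct BackoffCounter {
    uint64_t seen = 0;   // total occurrences so far
    uint64_t next = 10;  // next reporting threshold; the first report is at 10

    // Record one occurrence. Returns the threshold just crossed, or 0 if
    // no event should be generated for this occurrence.
    uint64_t Record() {
        if (++seen < next)
            return 0;
        uint64_t crossed = next;
        // Advance to the next power of ten; saturate instead of overflowing.
        next = (next > UINT64_MAX / 10) ? UINT64_MAX : next * 10;
        return crossed;
    }
};

// Feed n occurrences through a fresh counter and collect the thresholds
// reported, i.e. the 'threshold' argument each generated event would carry.
std::vector<uint64_t> ThresholdsFor(uint64_t n) {
    BackoffCounter c;
    std::vector<uint64_t> fired;
    for (uint64_t i = 0; i < n; ++i)
        if (uint64_t t = c.Record())
            fired.push_back(t);
    return fired;
}

int main() {
    // Constructed sample counts: below, at, and well above the first threshold.
    for (uint64_t n : {9ULL, 10ULL, 150ULL, 1000000ULL})
        std::printf("%llu occurrences -> %zu events\n",
                    (unsigned long long)n, ThresholdsFor(n).size());
    return 0;
}
```

The common case of fewer than ten occurrences generates nothing, and a connection with a million retransmissions still costs only six events.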