> I really like those ideas, especially the logarithmic count.

Cool :-).

> How much would it cost to have an event fired when those thresholds are 
> crossed?

Nice thought.  I think it would be too expensive if done for the first
instance, but for each of the backed-off instances it ought to be rare
enough that it's not a problem.  So maybe something like:

        ## Generated each time a reporting threshold (10, 100, 1000, ...)
        ## is crossed, starting with 10.
        event multiple_tcp_zero_windows(c: connection, is_orig: bool,
                                        threshold: count);
        event multiple_tcp_checksum_errors(c: connection, is_orig: bool,
                                        threshold: count);
        event multiple_tcp_retransmissions(c: connection, is_orig: bool,
                                        threshold: count);

?

                Vern
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
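
The backed-off reporting proposed in the message above, as an added sketch that is not part of the original post and not Bro's own code. `BackoffCounter`, `Record` and `Simulate` are hypothetical names, and one counter per connection direction and anomaly type is assumed.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// Hypothetical counter for one anomaly type (e.g. zero windows) on one
// direction of one connection. Illustrative only, not Bro's implementation.
struct BackoffCounter {
    uint64_t seen = 0;   // occurrences recorded so far
    uint64_t next = 10;  // next reporting threshold; the first instance is skipped

    // Record one occurrence. Returns the threshold just crossed
    // (10, 100, 1000, ...) or 0 when no event should be raised.
    uint64_t Record() {
        if (++seen < next)
            return 0;
        uint64_t crossed = next;
        // Multiply by 10, saturating so the threshold never wraps around.
        next = (next > UINT64_MAX / 10) ? UINT64_MAX : next * 10;
        return crossed;
    }
};

// Feed `occurrences` anomalies into a fresh counter and collect the
// thresholds at which an event would be raised.
std::vector<uint64_t> Simulate(uint64_t occurrences) {
    BackoffCounter c;
    std::vector<uint64_t> fired;
    for (uint64_t i = 0; i < occurrences; ++i)
        if (uint64_t t = c.Record())
            fired.push_back(t);
    return fired;
}

int main() {
    // Constructed input: a connection with one million retransmissions.
    for (uint64_t t : Simulate(1000000))
        std::cout << "event raised, threshold=" << t << "\n";
    return 0;
}
```

A connection producing a million anomalies raises six events in total, which is why the per-threshold event stays cheap while a per-instance event would not.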
