:tocdepth: 3

base/utils/thresholds.bro
=========================
.. bro:namespace:: GLOBAL

Functions for using multiple thresholds with a counting tracker.  For
example, you may want to generate a notice when something happens 10 times
and again when it happens 100 times but nothing in between.  You can use
the :bro:id:`check_threshold` function to define your threshold points
and the :bro:type:`TrackCount` variable where you are keeping track of your
counter.

:Namespace: GLOBAL
:Source File: :download:`/scripts/base/utils/thresholds.bro`

Summary
~~~~~~~
Options
#######
========================================================================== ==========================================================
:bro:id:`default_notice_thresholds`: :bro:type:`vector` :bro:attr:`&redef` The thresholds you would like to use as defaults with the 
                                                                           :bro:id:`default_check_threshold` function.
========================================================================== ==========================================================

Types
#####
========================================== =
:bro:type:`TrackCount`: :bro:type:`record` 
========================================== =

Functions
#########
======================================================= ====================================================================
:bro:id:`check_threshold`: :bro:type:`function`         This will check if a :bro:type:`TrackCount` variable has crossed any
                                                        thresholds in a given set.
:bro:id:`default_check_threshold`: :bro:type:`function` This will use the :bro:id:`default_notice_thresholds` variable to
                                                        check a :bro:type:`TrackCount` variable to see if it has crossed
                                                        another threshold.
:bro:id:`new_track_count`: :bro:type:`function`         
======================================================= ====================================================================


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: default_notice_thresholds

   :Type: :bro:type:`vector`
   :Attributes: :bro:attr:`&redef`
   :Default:

   ::

      [30, 100, 1000, 10000, 100000, 1000000, 10000000]

   The thresholds you would like to use as defaults with the 
   :bro:id:`default_check_threshold` function.

Types
#####
.. bro:type:: TrackCount

   :Type: :bro:type:`record`

      n: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
         The counter for the number of times something has happened.

      index: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
         The index of the vector where the counter currently is.  This
         is used to track which threshold is currently being watched
         for.


Functions
#########
.. bro:id:: check_threshold

   :Type: :bro:type:`function` (v: :bro:type:`vector`, tracker: :bro:type:`TrackCount`) : :bro:type:`bool`

   This will check if a :bro:type:`TrackCount` variable has crossed any
   thresholds in a given set.
   

   :v: a vector holding counts that represent thresholds.
   

   :tracker: the record being used to track event counter and currently
            monitored threshold value.
   

   :returns: T if a threshold has been crossed, else F.

.. bro:id:: default_check_threshold

   :Type: :bro:type:`function` (tracker: :bro:type:`TrackCount`) : :bro:type:`bool`

   This will use the :bro:id:`default_notice_thresholds` variable to
   check a :bro:type:`TrackCount` variable to see if it has crossed
   another threshold.

.. bro:id:: new_track_count

   :Type: :bro:type:`function` () : :bro:type:`TrackCount`



