From 422b02b1f25de8fe82e2b46b20b51d7a3a8f3ff1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz>
Date: Thu, 25 Apr 2024 15:11:35 +0200
Subject: [PATCH] LaBrea: mitigate too big events again

---
 hp-labrea/labrea-idea.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hp-labrea/labrea-idea.py b/hp-labrea/labrea-idea.py
index 93fb9da..71cc70b 100755
--- a/hp-labrea/labrea-idea.py
+++ b/hp-labrea/labrea-idea.py
@@ -35,7 +35,7 @@ class WindowContextMgr(object):
         self.first_update_queue = OrderedDict()
         self.last_update_queue = OrderedDict()
         # Hammer to mitigate too big events
-        self.max_count = 2000
+        self.max_count = 200
         self.max_src_ports = 1024
 
     def expire_queue(self, queue, window):
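Review bot: The comment above `self.max_count` does not say what is being counted, and after this commit the limit no longer bounds the same quantity everywhere: ConnectContextMgr now compares it with `len(ctx["tgt_ips_ports"])` instead of the event count. Any other subclass that still checks `ctx["count"]` against it (none is visible in this patch) silently gets a ten times lower event cap. I would state the unit in the comment, e.g. `# Early-flush threshold per context; ConnectContextMgr applies it to the number of tgt_ips_ports entries`, or give the connect manager its own attribute. The enclosing `__init__` starts outside the hunk.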
@@ -154,7 +154,7 @@ class ConnectContextMgr(WindowContextMgr):
         ctx["src_ports"].add(event.src_port)
         ctx["count"] += 1
         ctx["last_update"] = self.update_timestamp
-        return ctx["count"] < self.max_count
+        return len(ctx["tgt_ips_ports"]) < self.max_count
 
     def ctx_close(self, ctx):
         src_ports = ctx["src_ports"] if len(ctx["src_ports"]) <= self.max_src_ports else None
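Review bot: `len(ctx["tgt_ips_ports"])` counts only top-level entries, so whether the new return line actually bounds the emitted event depends on the container's shape, which the hunk does not show. If it maps a target IP to a collection of ports, traffic that touches many ports on a few addresses never reaches the limit and the event can still be oversized. In that case counting pairs would cap what is really serialized: `return sum(len(p) for p in ctx["tgt_ips_ports"].values()) < self.max_count`. Also, `ctx["count"]` is no longer bounded by anything visible here, so repeated hits on one target presumably keep the context open until the window expires; if that is intended, a short comment saying so would help. The method starts above the hunk.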
-- 
GitLab