# to run: bro -r tracefile ex2h.bro weird alarm

@load mysite
@load notice

# define new Notice
redef enum Notice += {
        ScannerFound,
};

# only alarm if more than alarm_thresh connections
const alarm_thresh = 10 &redef;

global conn_count = 0;

# table to keep track of successful connections from each new remote host
global conn_per_orig: table[addr] of count &default=0;

# table to keep track of connection attempts from each new remote host
global conn_attempt_per_orig: table[addr] of count &default=0;

# table to keep track of which hosts notices have been generated for already
#    - expire entry every minute to get 1 notice per minute
global scanners: table[addr] of count &default=0 &create_expire = 1 min;


function print_results()
{
    local success_ratio = 0.0;

    print fmt("\n Total number of connections: %d \n", conn_count);
    for ( orig in conn_attempt_per_orig )
    {
        # value * 1.0 will convert type count to double
        success_ratio = conn_per_orig[orig] * 1.0 / conn_attempt_per_orig[orig] * 1.0;

        print fmt("Connections from host %s: %d out of %d attempts: ratio = %.4f",
                orig, conn_per_orig[orig], conn_attempt_per_orig[orig], success_ratio);
    }
}


event print_event()
{
    print_results();
    # reschedule in another 2 minutes
    schedule 2 min { print_event() };
}

event bro_init()
{
     schedule 2 min { print_event() };
}


event connection_established(c: connection)
{
       local id = c$id;
       local log_msg =
                fmt("%.6f %.6f %s %s %d %d %d %d ",
                        c$start_time, c$duration, id$orig_h, id$resp_h, 
                        id$orig_p, id$resp_p, c$orig$size, c$resp$size);
        print log_msg;

        ++conn_count;
        if (! is_local_addr(id$orig_h) )  # only count remote hosts
             ++conn_per_orig[id$orig_h];

}


event new_connection(c: connection)
{
    local orig = c$id$orig_h;
    local success_ratio = 0.0;

    if (! is_local_addr(orig) )  # only count remote hosts
    {
        ++conn_attempt_per_orig[orig];

        success_ratio = conn_per_orig[orig] * 1.0 / conn_attempt_per_orig[orig] * 1.0;
        if (success_ratio < .2 && conn_attempt_per_orig[orig] > alarm_thresh 
                && orig !in scanners)
        {       
                NOTICE([$note=ScannerFound,  $conn=c, $src=orig,
                    $msg=fmt("%d out of %d connections from host %s failed ", 
                        conn_attempt_per_orig[orig] - conn_per_orig[orig], 
                        conn_attempt_per_orig[orig], orig ) ]);

                scanners[orig] = 1;
        }
    }
}    


event bro_done()
{       
        print_results();
}