So I am trying to convert tables to use opaque of cardinality, since that's more memory efficient (or counting Bloom filters, for that matter):
works: if table (0) converted to (1)
errors: if table (2) converted to (3)
Details: I am trying the following, original table (0) converted to (1):
(0) global likely_scanner: table[addr,port] of set[addr] &read_expire=1 day &synchronized ;

(1) global c_likely_scanner: table[addr] of opaque of cardinality
        &default = function(n: any): opaque of cardinality { return hll_cardinality_init(0.1, 0.95); }
        &read_expire=1 day ;
ERRORS:
(2) global likely_scanner: table[addr,port] of set[addr] &read_expire=1 day &synchronized ;
Converted table:
(3) global c_likely_scanner: table[addr,port] of opaque of cardinality
        &default = function(n: any): opaque of cardinality { return hll_cardinality_init(0.1, 0.95); }
        &read_expire=1 day ;
I get this error:
check-knock.bro, line 58: &default function type clash (&default=anonymous-function{ return (hll_cardinality_init(0.1, 0.95))})
Question:
How do I declare (3) so that I can avoid the "&default function type clash" error above?
I am not sure what I am doing wrong in the declaration. Any thoughts/advice on how to get past this issue?
> how do I declare (3) so that I can avoid the "&default function type clash" error above.
I guess the function for initialization receives the index that should
be initialized. In this case the index consists of two values. I tried
the following and Bro did not complain:
    global c_likely_scanner: table[addr,port] of opaque of cardinality
        &default = function(a: addr, p: port): opaque of cardinality {
            return hll_cardinality_init(0.1, 0.95); }
        &read_expire=1 day;
> I guess the function for initialization receives the index that should
> be initialized.
Thank you. This works!
For future reference:
I also needed to convert the following table to use opaque of cardinality for this table grows reasonably big:
global distinct_backscatter_peers: table[addr] of table[port] of set[addr] &read_expire=1 day;
Here is how I did this one:
    type bs: table[port] of opaque of cardinality
        &default=function(p:port): opaque of cardinality { return hll_cardinality_init(0.1, 0.95); };
    global c_distinct_backscatter_peers: table[addr] of bs &read_expire=1 day ;
and to access:
    if ( orig !in c_distinct_backscatter_peers)
        c_distinct_backscatter_peers[orig] = table() ;
    if (s_port !in c_distinct_backscatter_peers[orig])
        {
        local cp: opaque of cardinality = hll_cardinality_init(0.1, 0.95);
        c_distinct_backscatter_peers[orig][s_port]=cp ;
        }
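
Added example, not part of the thread: the nested table above carried through to updating and reading a counter with the `hll_cardinality_add` and `hll_cardinality_estimate` built-ins. The helper name `note_peer` and the sample addresses are assumptions made for illustration; the script is written for Bro as in the thread (on Zeek the init event is `zeek_init`).

```zeek
# Added example; mirrors the nested table from the thread.
type bs: table[port] of opaque of cardinality;

global c_distinct_backscatter_peers: table[addr] of bs &read_expire=1 day;

# Hypothetical helper: record one peer for (orig, s_port) and return the
# current estimate of distinct peers seen for that pair.
function note_peer(orig: addr, s_port: port, peer: addr): double
	{
	if ( orig !in c_distinct_backscatter_peers )
		c_distinct_backscatter_peers[orig] = table();

	# Store the counter explicitly: a value produced by &default is only
	# returned to the caller, not inserted into the table.
	if ( s_port !in c_distinct_backscatter_peers[orig] )
		c_distinct_backscatter_peers[orig][s_port] = hll_cardinality_init(0.1, 0.95);

	# Opaque values are handles, so adding through the local updates
	# the counter stored in the table.
	local hll = c_distinct_backscatter_peers[orig][s_port];
	hll_cardinality_add(hll, peer);
	return hll_cardinality_estimate(hll);
	}

event bro_init()
	{
	# Constructed sample data (documentation address ranges); one peer
	# is repeated to show that duplicates do not raise the estimate.
	local peers = vector(198.51.100.1, 198.51.100.2, 198.51.100.2, 198.51.100.3);
	for ( i in peers )
		print note_peer(192.0.2.10, 80/tcp, peers[i]);
	}
```

The printed values are estimates, so thresholds built on them should allow for the error margin passed to `hll_cardinality_init`.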