It would be great if you could create a macro witch gives you the amount of time since the trigger has fired, to detect some kind of unusual behaviour.
As a Webhoster for example, to detect an unusual amount of packets, we created a trigger that measures the average amount of packets for 5 minutes and compare it to the average amout of pakets 30 minutes ago
avg(5m) > (avg(30m,5m) * 3)
to detect an unusual rise in the packet flof (possible DDoS)
What i would want to do is, to keep the trigger on, as long as possible, and not for a maximum of 30 minutes, as than the avg values would become similar again.
what i would want to do is place a macro in the 30m part with adds the value of minutes or seconds to the time-shift to keep track of the "sane" period of time everything was ok.
How does that idea sound?
|