corelight/zeek-long-connections

Actual Durations Far Exceed Thresholds

Closed this issue · 0 comments

Current Behavior

In looking at the notice.log file, I observed that the time shown in "...remained alive for longer than ..." seemed to far exceed the duration thresholds that I was setting. In some cases, the actual duration was almost double the threshold.

My theory is that there is a quirk with the polling times that causes the initial duration to be exceeded. After that, subsequent duration values are exceeded because the next polling time is set to the next duration in the list. This means if I set duration thresholds of 1min, 2min, 3min, then the following will be the actual alerting times:

alert1_time > 1min
alert2_time > alert1_time + 2min
alert3_time > alert2_time + 3min

So in this example, alert3_time won't occur until at least 5 minutes later for a given connection rather than occurring after 3 minutes. If you have duration thresholds in the hours or days, you can see where this might cause some issues.

Desired Behavior

The actual duration of the connections should be close to the thresholds that are set.

I have a simple, suggested fix that seems to address this issue. A quick eyeballing of "top" output shows it doesn't appear to increase system demand from zeek. I will issue a pull request in just a moment.
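The drift described under Current Behavior, modelled as an added example that is not the package's own code: `run_checks` and `missed_thresholds` are hypothetical names, and the model assumes one check is scheduled per threshold and that the reported duration is simply the time since the connection started. It also shows the consequence a defender cares about: with the stacked schedule, a connection can outlive a threshold yet never produce the notice for it.

```python
"""Hypothetical model of how per-threshold duration checks fire for one
connection (not the zeek-long-connections package's own code)."""
from typing import List, Tuple

Notice = Tuple[float, float]  # (threshold, duration reported in the notice)


def run_checks(thresholds: List[float], conn_lifetime: float,
               schedule_from_start: bool) -> List[Notice]:
    """Simulate scheduling one check per threshold for a single connection.

    thresholds          duration thresholds in seconds, ascending
    conn_lifetime       seconds the connection actually stays alive
    schedule_from_start False: the next check is delayed by the next
                        threshold measured from the current check (the
                        behaviour reported in the issue). True: delayed only
                        by the time remaining until start + threshold.
    """
    start = 0.0
    now = start
    notices: List[Notice] = []
    for threshold in thresholds:
        delay = threshold
        if schedule_from_start:
            # Subtract the time already spent waiting for earlier checks.
            delay = max(0.0, (start + threshold) - now)
        now += delay
        if now - start > conn_lifetime:
            break  # connection closed before this check fired: no notice
        notices.append((threshold, now - start))
    return notices


def missed_thresholds(thresholds: List[float], conn_lifetime: float,
                      schedule_from_start: bool) -> List[float]:
    """Thresholds the connection exceeded but for which no notice fired."""
    fired = {t for t, _ in run_checks(thresholds, conn_lifetime, schedule_from_start)}
    return [t for t in thresholds if t <= conn_lifetime and t not in fired]


if __name__ == "__main__":
    # Constructed scenario: 1min/2min/3min thresholds, connection alive 200s.
    thresholds = [60.0, 120.0, 180.0]
    for mode in (False, True):
        print("schedule_from_start =", mode,
              "notices:", run_checks(thresholds, 200.0, mode),
              "missed:", missed_thresholds(thresholds, 200.0, mode))
```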