Skip to main content


ec_ip_connections_cluster — Audit how many connections an IP address has made cluster-wide


ec_ip_connections_cluster { time_series_index } [ mask ] ec_ip_connections_cluster { $hash }


ec_ip_connections_cluster returns a string containing the number of connections that have occurred for a CIDR block within a configured time window. The referenced CIDR block is constructed by applying the mask option value to the SMTP connection's remote IP address. There are two forms of this command.

In the first form, the time_series_index value selects a monitor corresponding to its position in the inbound_audit configuration stanza (A time_series_index of '0' corresponds to the first monitor in the inbound_audit configuration stanza). The audit data returned for this monitor is based on a weighted sliding average of the current time window within this monitor and the previous time window, thus smoothing the transition between windows. If mask is not specified, the default value of '32' is used to compute the CIDR block.

In the second form, a hash is used to pass the arguments. These keys are supported:


A string matching a monitor definition within the inbound_audit configuration stanza, for example, "300,6". By default the first monitor listed in the configuration stanza is used.


Starting window number. The default is 0, which is the chronologically current window. For example, if the inbound_audit configuration stanza defines a monitor as "300,6", then the monitor contains six windows numbered 0 (current) through 5 (oldest). Each time window in this example is 300 seconds duration.


Ending window number. It defaults to the value of period_start. If this key is specified, its value is a window number (which should be equal to or greater than period_start). The result will be an aggregate sum over the window range.


This is the mask used to compute CIDR block. The mask defaults to '32'.

**Configuration Change. ** This feature requires the inbound_audit module. See “inbound_audit – Inbound traffic analytics” for more information.


This feature also requires the cluster module. The cluster configuration stanza must specify metrics replication including the parameter connect:

cluster {
  # ... other cluster config ...
  Replicate "inbound_cidr" {}

$connections = ec_ip_connections_cluster "0" "32";
$c_connections = ec_ip_connections_cluster "0" "24";
if ec_test :value "gt" :comparator "i;ascii-numeric" "${connections}" "1000" {
  ec_tarpit 10 "too many connections /32";

if ec_test :value "gt" :comparator "i;ascii-numeric" "${c_connections}" "10000" {
  ec_tarpit 10 "too many connections /24";

$args = hash_create;
hash_set $args "period_start" "0";
hash_set $args "period_end" "2";
hash_set $args "monitor" "300,6";
hash_set $args "mask" "32";
$count = ec_ip_connections_cluster $args;

if ec_test :value "gt" :comparator "i;ascii-numeric" "${count}" "10000" {
  ec_tarpit 10 "too many connections /32 in last fifteen minutes";
Was this page helpful?