
Bro script: hard-coded IP addresses

Updated: 2022-12-22 12:57:44


I would suggest that you're using the wrong event for this. The file_timeout only occurs if a file transfer was occurring and then stopped without completing. A much more interesting event correlation would be:

  1. Track DNS address lookup responses (I would likely use event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)).
  2. Record the addresses returned in a set; this will provide you a set of all addresses that were discovered through a DNS query.
  3. Examine outbound requests (where orig_h on the SYN is an internal address)
  4. Check to see if the address in id$resp_h is in the set of addresses from step 2. If it is, return; if it isn't, generate a notice, since you have an outbound connection attempt with no corresponding DNS lookup.
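The four steps above, written out as one script. This is an added example, not code from the answer; it uses the dns_A_reply / dns_AAAA_reply, new_connection and NOTICE APIs that exist in Bro 2.x and Zeek, and it assumes Site::local_nets has been configured so that Site::is_local_addr() can tell internal from external addresses. The module name, the notice type No_DNS_Lookup, the allowlist and the one-hour expiry are my own choices.

```zeek
@load base/utils/site
@load base/frameworks/notice

module DirectIP;

export {
    redef enum Notice::Type += {
        ## Outbound TCP connection to an address that never appeared in a DNS answer on the wire.
        No_DNS_Lookup,
    };

    ## Step 2: addresses seen in A/AAAA answers. Entries expire so the set stays bounded;
    ## the 1hr lifetime is an assumption and should exceed the DNS TTLs you expect to see.
    global resolved: set[addr] &create_expire=1hr;

    ## Hypothetical allowlist for destinations that are legitimately reached without DNS
    ## (hard-coded update servers, NTP, etc.). Populate via redef in local.zeek.
    const allowlist: set[addr] = set() &redef;
}

# Step 1: record every address returned in a DNS answer.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
    add resolved[a];
}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
{
    add resolved[a];
}

# Step 3: new_connection fires on the first packet of a flow (the SYN for TCP),
# which is the earliest point at which the originator/responder roles are known.
event new_connection(c: connection)
{
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    # Only outbound TCP: internal originator, external responder.
    if ( get_port_transport_proto(c$id$resp_p) != tcp )
        return;
    if ( ! Site::is_local_addr(orig) || Site::is_local_addr(resp) )
        return;

    # Step 4: a destination that was resolved (or is allowlisted) is fine; anything else is a notice.
    if ( resp in allowlist || resp in resolved )
        return;

    NOTICE([$note=No_DNS_Lookup,
            $conn=c,
            $msg=fmt("outbound connection to %s:%s with no preceding DNS answer", resp, c$id$resp_p),
            # Suppress repeats for the same host pair so a chatty client does not flood notice.log.
            $identifier=cat(orig, resp),
            $suppress_for=1hr]);
}
```

Two things to expect when running this on real traffic: the set is empty at startup, so every connection in the first few minutes (and anything resolved from the host's DNS cache before the sensor came up) will be flagged until the warm-up period passes; and the check only covers DNS the sensor can see, so clients using DNS over HTTPS or a resolver on a network segment not mirrored to the sensor will look like hard-coded destinations. Tune the expiry and allowlist with those two sources of false positives in mind.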