/* Copyright (C) 2007-2021 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Breno Silva <breno.silva@gmail.com>
* \author Victor Julien <victor@inliniac.net>
*/
#ifndef __DETECT_ENGINE_THRESHOLD_H__
#define __DETECT_ENGINE_THRESHOLD_H__
#include "detect.h"
#include "host.h"
#include "ippair.h"
#include "host-storage.h"
/**
 * \brief One-time initialisation of the threshold subsystem.
 *
 * NOTE(review): presumably registers the host/ippair storage slots used by
 * the functions below; confirm against detect-engine-threshold.c before
 * relying on ordering guarantees.
 */
void ThresholdInit(void);

/**
 * \brief Storage id under which per-host threshold state is kept in the
 *        Host storage API (see host-storage.h).
 */
HostStorageId ThresholdHostStorageId(void);

/**
 * \brief Tell whether a host currently carries threshold state.
 *
 * \retval non-zero if threshold state is attached to the host, 0 otherwise
 *         (exact return contract not visible here — confirm with callers).
 */
int ThresholdHostHasThreshold(Host *);

/**
 * \brief Tell whether an IP pair currently carries threshold state.
 *
 * \param pair the IP pair to inspect
 * \retval non-zero if threshold state is attached, 0 otherwise (confirm
 *         with callers).
 */
int ThresholdIPPairHasThreshold(IPPair *pair);

/**
 * \brief Iterate over the threshold entries attached to a signature.
 *
 * The SigMatchData ** argument acts as the iteration cursor: callers start
 * with it pointing at NULL and pass the same pointer back on each call.
 * Returns NULL when no further threshold data is available.
 *
 * \param list  the signature match list to walk
 *
 * NOTE(review): the cursor convention is inferred from the signature shape
 * (a double pointer next to a `const Signature *`); verify in the .c file.
 */
const DetectThresholdData *SigGetThresholdTypeIter(
        const Signature *, const SigMatchData **, int list);

/**
 * \brief Apply a threshold/rate_filter/suppress rule to a pending alert.
 *
 * \param de_ctx     detection engine context
 * \param det_ctx    per-thread detection context
 * \param td         the threshold data being applied
 * \param p          the packet that triggered the alert
 * \param s          the signature that matched
 * \param pa         the alert being evaluated
 *
 * \return the thresholding decision; the exact integer contract (alert /
 *         suppress / modify) is not visible in this header — check the
 *         definition before interpreting the value.
 */
int PacketAlertThreshold(DetectEngineCtx *, DetectEngineThreadCtx *,
        const DetectThresholdData *, Packet *,
        const Signature *, PacketAlert *);

/**
 * \brief Initialise the threshold hash/context inside the detection engine
 *        context. Pair with ThresholdContextDestroy().
 */
void ThresholdHashInit(DetectEngineCtx *);
thresholds: Fix buffer overflow in threshold context
th_entry is resized using ThresholdHashRealloc() every time a rule with
a threshold using by_rule tracking is added. The problem is that this is
done before the rules are reordered, so occasionally a rule with by_rule
tracking gets a higher signature number (after reordering) than the
number of th_entries allocated, causing Suricata to crash.
This commit fixes this by allocating th_entries after all the rules are
loaded and reordered.
Backtrace from core dump:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000051b381 in ThresholdHandlePacket (p=p@entry=0x7fb0080f3960, lookup_tsh=0x51, new_tsh=new_tsh@entry=0x7fb016c316e0, td=td@entry=0x14adedf0, sid=9800979, gid=1, pa=0x7fb0080f3b18)
at detect-engine-threshold.c:415
415>---- if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
Bug #4503.
/**
 * \brief Allocate the per-signature threshold table (th_entry) sized to the
 *        final number of signatures in the detection engine context.
 *
 * Ordering requirement: this MUST be called only after all rules have been
 * loaded AND reordered. Signature numbers are (re)assigned during reordering
 * and the table is indexed by signature number; growing the table per rule
 * at parse time left rules with by_rule thresholds pointing past the end of
 * the allocation, which surfaced as an out-of-bounds read / SIGSEGV in
 * ThresholdHandlePacket (bug #4503). Do not reintroduce an earlier
 * allocation point.
 */
void ThresholdHashAllocate(DetectEngineCtx *);

/**
 * \brief Release the threshold hash/context created by ThresholdHashInit()
 *        and the table allocated by ThresholdHashAllocate().
 */
void ThresholdContextDestroy(DetectEngineCtx *);

/**
 * \brief Timeout check for threshold state attached to a host.
 *
 * \param tv current time used for the expiry comparison
 * \retval non-zero if the host's threshold state has expired (exact contract
 *         not visible here — confirm with the host timeout callers).
 */
int ThresholdHostTimeoutCheck(Host *, struct timeval *);

/**
 * \brief Timeout check for threshold state attached to an IP pair.
 *
 * \param tv current time used for the expiry comparison
 * \retval non-zero if the pair's threshold state has expired (confirm with
 *         the ippair timeout callers).
 */
int ThresholdIPPairTimeoutCheck(IPPair *, struct timeval *);

/**
 * \brief Free callback for a threshold state list stored in host/ippair
 *        storage; takes a void pointer to match the storage API signature.
 *
 * \param ptr the list to free (NULL expected to be tolerated — verify)
 */
void ThresholdListFree(void *ptr);
#endif /* __DETECT_ENGINE_THRESHOLD_H__ */