diff --git a/doc/userguide/rules/thresholding.rst b/doc/userguide/rules/thresholding.rst
index e3e5830f7f..44a8aa5e92 100644
--- a/doc/userguide/rules/thresholding.rst
+++ b/doc/userguide/rules/thresholding.rst
@@ -118,7 +118,7 @@ again.
 Syntax::
- detection_filter: track , count , seconds
+ detection_filter: track , count , seconds
 Example::
diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c
index cbd1898a31..47ce008298 100644
--- a/src/detect-detection-filter.c
+++ b/src/detect-detection-filter.c
@@ -47,8 +47,9 @@
 *\brief Regex for parsing our detection_filter options
 */
 #define PARSE_REGEX \
- "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|" \
- "by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
+ "^\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+" \
+ "(by_src|" \
+ "by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*$"
 static DetectParseRegex parse_regex;
@@ -158,6 +159,8 @@ static DetectThresholdData *DetectDetectionFilterParse(const char *rawstr)
 df->track = TRACK_DST;
 if (strncasecmp(args[i], "by_src", strlen("by_src")) == 0)
 df->track = TRACK_SRC;
+ if (strncasecmp(args[i], "by_flow", strlen("by_flow")) == 0)
+ df->track = TRACK_FLOW;
 if (strncasecmp(args[i], "count", strlen("count")) == 0)
 count_pos = i + 1;
 if (strncasecmp(args[i], "seconds", strlen("seconds")) == 0)
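Review bot: The reflowed PARSE_REGEX leaves `"(by_src|" \` as a fragment on its own line, which splits the second value group across two string literals and makes the three keyword/value groups hard to compare by eye. Laying the macro out as one complete group per line keeps it readable and keeps each line under the same width: `"^\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*,\\s*" \`, `"(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*,\\s*" \`, `"(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*$"`. The `\brief` comment above the macro could also list the accepted track values now that there are three, e.g. `Regex for parsing detection_filter options; track accepts by_src, by_dst or by_flow`.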
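Review bot: The added `by_flow` branch is a third independent `if` writing `df->track`, and nothing in this loop rejects a repeated keyword, so a rule such as `track by_src, track by_flow, count 10` (accepted by PARSE_REGEX, whose three slots each take any of track|count|seconds) silently ends up as TRACK_FLOW instead of failing to parse; this was already true for by_src/by_dst, but the new value widens the effect. Unless the rest of DetectDetectionFilterParse, which starts and ends outside this hunk, already checks for duplicate keywords, it would be worth noting a second `track` occurrence in this loop and failing the parse on it rather than letting the last one win. A short comment on the new branch would also help, since none of the track values are explained here, e.g. `/* by_flow: key the filter on the flow (TRACK_FLOW) rather than on src/dst address */`, assuming that is what TRACK_FLOW does downstream.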