Fix thresholding issues.

remotes/origin/master-1.0.x
Victor Julien 15 years ago
parent 79443b1991
commit 4c3e17d4ab

@ -522,13 +522,15 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
/* do hdr test, process hdr rules */
#ifdef DEBUG
/* debug print */
char s[16], d[16];
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), s, sizeof(s));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), d, sizeof(d));
SCLogDebug("IPV4 %s->%s PROTO: %" PRIu32 " OFFSET: %" PRIu32 " RF: %" PRIu32 " DF: %" PRIu32 " MF: %" PRIu32 " ID: %" PRIu32 "", s,d,
IPV4_GET_IPPROTO(p), IPV4_GET_IPOFFSET(p), IPV4_GET_RF(p),
IPV4_GET_DF(p), IPV4_GET_MF(p), IPV4_GET_IPID(p));
if (SCLogDebugEnabled()) { /* only convert the addresses if debug is really enabled */
/* debug print */
char s[16], d[16];
inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), s, sizeof(s));
inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), d, sizeof(d));
SCLogDebug("IPV4 %s->%s PROTO: %" PRIu32 " OFFSET: %" PRIu32 " RF: %" PRIu32 " DF: %" PRIu32 " MF: %" PRIu32 " ID: %" PRIu32 "", s,d,
IPV4_GET_IPPROTO(p), IPV4_GET_IPOFFSET(p), IPV4_GET_RF(p),
IPV4_GET_DF(p), IPV4_GET_MF(p), IPV4_GET_IPID(p));
}
#endif /* DEBUG */
/* check what next decoder to invoke */
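Review bot: The address buffers in the new `if (SCLogDebugEnabled())` block are sized with the bare literals 16 here and 46 in the DecodeIPV6 hunk, and they are handed to `SCLogDebug` without checking what `inet_ntop` returned. Declaring them as `char s[INET_ADDRSTRLEN] = "", d[INET_ADDRSTRLEN] = "";` (and with `INET6_ADDRSTRLEN` in the IPv6 hunk) documents the size and keeps the `%s` arguments terminated even if a conversion fails. The code is inside `#ifdef DEBUG`, so the impact is limited to debug builds. The enclosing DecodeIPV4 and DecodeIPV6 bodies start and end outside their hunks.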

@ -421,13 +421,15 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
}
#ifdef DEBUG
/* debug print */
char s[46], d[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), s, sizeof(s));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), d, sizeof(d));
SCLogDebug("IPV6 %s->%s - CLASS: %" PRIu32 " FLOW: %" PRIu32 " NH: %" PRIu32 " PLEN: %" PRIu32 " HLIM: %" PRIu32 "", s,d,
IPV6_GET_CLASS(p), IPV6_GET_FLOW(p), IPV6_GET_NH(p), IPV6_GET_PLEN(p),
IPV6_GET_HLIM(p));
if (SCLogDebugEnabled()) { /* only convert the addresses if debug is really enabled */
/* debug print */
char s[46], d[46];
inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), s, sizeof(s));
inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), d, sizeof(d));
SCLogDebug("IPV6 %s->%s - CLASS: %" PRIu32 " FLOW: %" PRIu32 " NH: %" PRIu32 " PLEN: %" PRIu32 " HLIM: %" PRIu32 "", s,d,
IPV6_GET_CLASS(p), IPV6_GET_FLOW(p), IPV6_GET_NH(p), IPV6_GET_PLEN(p),
IPV6_GET_HLIM(p));
}
#endif /* DEBUG */
/* now process the Ext headers and/or the L4 Layer */

@ -164,35 +164,41 @@ DetectThresholdEntry *ThresholdHashSearch(DetectEngineCtx *de_ctx, DetectThresho
static inline void ThresholdTimeoutRemove(DetectEngineCtx *de_ctx, struct timeval *tv)
{
HashListTableBucket *next = HashListTableGetListHead(de_ctx->ths_ctx.threshold_hash_table_src);
for ( ; next != NULL; next = HashListTableGetListNext(next)) {
DetectThresholdEntry *tsh = HashListTableGetListData(next);
HashListTableBucket *next = NULL;
HashListTableBucket *buck = HashListTableGetListHead(de_ctx->ths_ctx.threshold_hash_table_src);
while (buck != NULL) {
/* get the next before we free "buck" */
next = HashListTableGetListNext(buck);
DetectThresholdEntry *tsh = HashListTableGetListData(buck);
if (tsh == NULL)
continue;
goto next;
if ((tv->tv_sec - tsh->tv_sec1) <= tsh->seconds)
continue;
goto next;
switch(tsh->ipv) {
case 4:
if (tsh->type == TRACK_SRC) {
if (tsh->track == TRACK_SRC) {
HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_src,
tsh, sizeof(DetectThresholdEntry));
} else if (tsh->type == TRACK_DST) {
} else if (tsh->track == TRACK_DST) {
HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_dst,
tsh, sizeof(DetectThresholdEntry));
}
break;
case 6:
if (tsh->type == TRACK_SRC) {
if (tsh->track == TRACK_SRC) {
HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_src_ipv6,
tsh, sizeof(DetectThresholdEntry));
} else if (tsh->type == TRACK_DST) {
} else if (tsh->track == TRACK_DST) {
HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6,
tsh, sizeof(DetectThresholdEntry));
}
break;
}
next:
buck = next;
}
return;
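Review bot: The rewritten loop walks only the list of `threshold_hash_table_src`, yet the switch removes entries from four tables (`_src`, `_dst`, `_src_ipv6`, `_dst_ipv6`), so expired entries in the other three appear never to be visited; in an IDS, per-address state that never ages out is a memory-growth risk under traffic from many addresses. If each entry lives in the table matching its `ipv`/`track`, expire every table from its own list, as sketched below; this assumes all four fields are `HashListTable *`, which the hunk does not show. Separately, the label `next:` shares its name with the variable `next`, which is legal C but hard to read, and the helper form removes the need for the label. The function's closing brace lies outside the hunk.

```c
/* Expire the entries of one threshold table, walking that table's own list. */
static inline void ThresholdTimeoutRemoveTable(HashListTable *ht, struct timeval *tv)
{
    HashListTableBucket *buck = HashListTableGetListHead(ht);
    while (buck != NULL) {
        /* get the next before we free "buck" */
        HashListTableBucket *next = HashListTableGetListNext(buck);
        DetectThresholdEntry *tsh = HashListTableGetListData(buck);
        if (tsh != NULL && (tv->tv_sec - tsh->tv_sec1) > tsh->seconds)
            HashListTableRemove(ht, tsh, sizeof(DetectThresholdEntry));
        buck = next;
    }
}

static inline void ThresholdTimeoutRemove(DetectEngineCtx *de_ctx, struct timeval *tv)
{
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_src, tv);
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_dst, tv);
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_src_ipv6, tv);
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6, tv);
    return;
```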

@ -42,27 +42,23 @@
*/
typedef struct DetectThresholdData_ {
uint8_t type; /**< Threshold type : limit , threshold, both, detection_filter */
uint8_t track; /**< Track type: by_src, by_src */
uint32_t count; /**< Event count */
uint32_t seconds; /**< Event seconds */
uint32_t sid; /**< Signature id */
uint8_t gid; /**< Signature group id */
uint8_t ipv; /**< Packet ip version */
uint8_t type; /**< Threshold type : limit , threshold, both, detection_filter */
uint8_t track; /**< Track type: by_src, by_dst */
} DetectThresholdData;
typedef struct DetectThresholdEntry_ {
uint8_t type; /**< Threshold type : limit , threshold, both */
uint8_t track; /**< Track type: by_src, by_src */
uint32_t seconds; /**< Event seconds */
uint32_t sid; /**< Signature id */
uint8_t gid; /**< Signature group id */
uint8_t ipv; /**< Packet ip version */
Address addr; /**< Var used to store dst or src addr */
uint32_t tv_sec1; /**< Var for time control */
uint32_t current_count; /**< Var for count control */
Address addr; /**< Var used to store dst or src addr */
uint8_t gid; /**< Signature group id */
uint8_t ipv; /**< Packet ip version */
uint8_t track; /**< Track type: by_src, by_src */
} DetectThresholdEntry;
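Review bot: The comment on the `track` member of `DetectThresholdEntry` still reads `by_src, by_src`, although the same typo is corrected for `DetectThresholdData` in this hunk; it should be `/**< Track type: by_src, by_dst */`. Also, `gid` remains a `uint8_t` in both structs. If signature group ids can exceed 255 elsewhere in the engine (not visible here), the value would be truncated and two rules could end up sharing threshold state, so the width is worth confirming against the signature definition.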
