aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move rate_filter rule tracking data from Signature to Threshold context

Browse Source
remotes/origin/master-1.0.x
Pablo Rincon 15 years ago committed by Victor Julien
parent 1ae36b9a6a
commit 6950537a76
3 changed files with 41 additions and 3 deletions
Show Stats Download Patch File Download Diff File

7
src/detect-engine-threshold.c
Unescape Escape View File

@ -463,7 +463,7 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
if (td->track != TRACK_RULE) if (td->track != TRACK_RULE)
lookup_tsh = ThresholdHashSearch(de_ctx, &ste, p); lookup_tsh = ThresholdHashSearch(de_ctx, &ste, p);
else else
lookup_tsh = s->th_entry; lookup_tsh = (DetectThresholdEntry *)de_ctx->ths_ctx.th_entry[s->num];
if (lookup_tsh != NULL) { if (lookup_tsh != NULL) {
/* Check if we have a timeout enabled, if so, /* Check if we have a timeout enabled, if so,
@ -543,7 +543,7 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
if (td->track != TRACK_RULE) if (td->track != TRACK_RULE)
ThresholdHashAdd(de_ctx, e, p); ThresholdHashAdd(de_ctx, e, p);
else else
s->th_entry = e; de_ctx->ths_ctx.th_entry[s->num] = e;
} }
break; break;
} }
@ -666,6 +666,7 @@ void ThresholdHashInit(DetectEngineCtx *de_ctx)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
} }
} }
/** /**
@ -680,5 +681,7 @@ void ThresholdContextDestroy(DetectEngineCtx *de_ctx)
HashListTableFree(de_ctx->ths_ctx.threshold_hash_table_src); HashListTableFree(de_ctx->ths_ctx.threshold_hash_table_src);
HashListTableFree(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6); HashListTableFree(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6);
HashListTableFree(de_ctx->ths_ctx.threshold_hash_table_src_ipv6); HashListTableFree(de_ctx->ths_ctx.threshold_hash_table_src_ipv6);
if (de_ctx->ths_ctx.th_entry != NULL)
SCFree(de_ctx->ths_ctx.th_entry);
} }

4
src/detect.h
Unescape Escape View File

@ -375,6 +375,10 @@ typedef struct ThresholdCtx_ {
HashListTable *threshold_hash_table_dst_ipv6; /**< Ipv6 dst hash table */ HashListTable *threshold_hash_table_dst_ipv6; /**< Ipv6 dst hash table */
HashListTable *threshold_hash_table_src_ipv6; /**< Ipv6 src hash table */ HashListTable *threshold_hash_table_src_ipv6; /**< Ipv6 src hash table */
SCMutex threshold_table_lock; /**< Mutex for hash table */ SCMutex threshold_table_lock; /**< Mutex for hash table */
/** to support rate_filter "by_rule" option */
DetectThresholdEntry **th_entry;
uint32_t th_size;
} ThresholdCtx; } ThresholdCtx;
/** \brief main detection engine ctx */ /** \brief main detection engine ctx */

33
src/util-threshold-config.c
Unescape Escape View File

@ -390,6 +390,16 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
sm->type = DETECT_THRESHOLD; sm->type = DETECT_THRESHOLD;
sm->ctx = (void *)de; sm->ctx = (void *)de;
if (parsed_track == TRACK_RULE) {
de_ctx->ths_ctx.th_entry = SCRealloc(de_ctx->ths_ctx.th_entry, (de_ctx->ths_ctx.th_size + 1) * sizeof(DetectThresholdEntry *));
if (de_ctx->ths_ctx.th_entry == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for threshold config"
" (tried to allocate %"PRIu32"th_entrys for rule tracking with rate_filter)", de_ctx->ths_ctx.th_size + 1);
} else {
de_ctx->ths_ctx.th_entry[de_ctx->ths_ctx.th_size] = NULL;
de_ctx->ths_ctx.th_size++;
}
}
SigMatchAppendPacket(s, sm); SigMatchAppendPacket(s, sm);
s = ns; s = ns;
} }
@ -437,6 +447,16 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
sm->type = DETECT_THRESHOLD; sm->type = DETECT_THRESHOLD;
sm->ctx = (void *)de; sm->ctx = (void *)de;
if (parsed_track == TRACK_RULE) {
de_ctx->ths_ctx.th_entry = SCRealloc(de_ctx->ths_ctx.th_entry, (de_ctx->ths_ctx.th_size + 1) * sizeof(DetectThresholdEntry *));
if (de_ctx->ths_ctx.th_entry == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for threshold config"
" (tried to allocate %"PRIu32"th_entrys for rule tracking with rate_filter)", de_ctx->ths_ctx.th_size + 1);
} else {
de_ctx->ths_ctx.th_entry[de_ctx->ths_ctx.th_size] = NULL;
de_ctx->ths_ctx.th_size++;
}
}
SigMatchAppendPacket(s, sm); SigMatchAppendPacket(s, sm);
} }
s = ns; s = ns;
@ -481,6 +501,17 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
sm->type = DETECT_THRESHOLD; sm->type = DETECT_THRESHOLD;
sm->ctx = (void *)de; sm->ctx = (void *)de;
if (parsed_track == TRACK_RULE) {
de_ctx->ths_ctx.th_entry = SCRealloc(de_ctx->ths_ctx.th_entry, (de_ctx->ths_ctx.th_size + 1) * sizeof(DetectThresholdEntry *));
if (de_ctx->ths_ctx.th_entry == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory for threshold config"
" (tried to allocate %"PRIu32"th_entrys for rule tracking with rate_filter)", de_ctx->ths_ctx.th_size + 1);
} else {
de_ctx->ths_ctx.th_entry[de_ctx->ths_ctx.th_size] = NULL;
de_ctx->ths_ctx.th_size++;
}
}
SigMatchAppendPacket(sig, sm); SigMatchAppendPacket(sig, sm);
} }
@ -1398,7 +1429,7 @@ int SCThresholdConfTest10(void)
result = 1; result = 1;
/* Ensure that a Threshold entry was installed at the sig */ /* Ensure that a Threshold entry was installed at the sig */
if (sig->th_entry == NULL) { if (de_ctx->ths_ctx.th_entry[sig->num] == NULL) {
result = 0; result = 0;
goto end; goto end;
} }

Write Preview
Loading…
Cancel
Save