threshold: allow threshold.config to override rule

Allow threshold.conf to override rule thresholds in the following cases: - threshold.config rule uses threshold or event_filter AND - threshold.config rule applies to a single signature (so no gid 0 or sid 0) Confirmed to work with both threshold and detection_filter rule keywords. Part of bug #425.
13 years ago · 82fc61770b
parent a0c43a8a1c
commit 82fc61770b
1 changed files with 24 additions and 8 deletions
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@ -728,15 +728,18 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
                sig->flags |= SIG_FLAG_NOALERT;
                goto end;
            }
-            if (parsed_type != TYPE_SUPPRESS) {
+
+            if (parsed_type != TYPE_SUPPRESS && parsed_type != TYPE_THRESHOLD &&
+                parsed_type != TYPE_BOTH && parsed_type != TYPE_LIMIT)
+            {
                m = SigMatchGetLastSMFromLists(sig, 2,
                        DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);

                if (m != NULL) {
                    SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
-                            "an event var set.  The signature event var is "
-                            "given precedence over the threshold.conf one.  "
-                            "We'll change this in the future though.", id);
+                            "a threshold set. The signature event var is "
+                            "given precedence over the threshold.conf one. "
+                            "Bug #425.", sig->id);
                    goto end;
                }

@ -745,11 +748,25 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)

                if (m != NULL) {
                    SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
-                            "an event var set.  The signature event var is "
-                            "given precedence over the threshold.conf one.  "
-                            "We'll change this in the future though.", id);
+                            "a detection_filter set. The signature event var is "
+                            "given precedence over the threshold.conf one. "
+                            "Bug #425.", sig->id);
                    goto end;
                }
+
+            /* replace threshold on sig if we have a global override for it */
+            } else if (parsed_type == TYPE_THRESHOLD || parsed_type == TYPE_BOTH || parsed_type == TYPE_LIMIT) {
+                m = SigMatchGetLastSMFromLists(sig, 2,
+                        DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
+                if (m == NULL) {
+                    m = SigMatchGetLastSMFromLists(sig, 2,
+                            DETECT_DETECTION_FILTER, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
+                }
+                if (m != NULL) {
+                    SigMatchRemoveSMFromList(sig, m, DETECT_SM_LIST_THRESHOLD);
+                    SigMatchFree(m);
+                    m = NULL;
+                }
            }

            de = SCMalloc(sizeof(DetectThresholdData));
@ -803,7 +820,6 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)

            SigMatchAppendSMToList(sig, sm, DETECT_SM_LIST_THRESHOLD);
        }
-
    }

 end: