threshold: allow threshold.config to override rule

Allow threshold.conf to override rule thresholds in the following
cases:

- threshold.config rule uses threshold or event_filter AND
- threshold.config rule applies to a single signature (so no
  gid 0 or sid 0)

Confirmed to work with both threshold and detection_filter rule
keywords.

Part of bug #425.
pull/95/merge
Victor Julien 13 years ago
parent a0c43a8a1c
commit 82fc61770b

@ -728,15 +728,18 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
sig->flags |= SIG_FLAG_NOALERT; sig->flags |= SIG_FLAG_NOALERT;
goto end; goto end;
} }
if (parsed_type != TYPE_SUPPRESS) {
if (parsed_type != TYPE_SUPPRESS && parsed_type != TYPE_THRESHOLD &&
parsed_type != TYPE_BOTH && parsed_type != TYPE_LIMIT)
{
m = SigMatchGetLastSMFromLists(sig, 2, m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]); DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if (m != NULL) { if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is " "a threshold set. The signature event var is "
"given precedence over the threshold.conf one. " "given precedence over the threshold.conf one. "
"We'll change this in the future though.", id); "Bug #425.", sig->id);
goto end; goto end;
} }
@ -745,11 +748,25 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
if (m != NULL) { if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is " "a detection_filter set. The signature event var is "
"given precedence over the threshold.conf one. " "given precedence over the threshold.conf one. "
"We'll change this in the future though.", id); "Bug #425.", sig->id);
goto end; goto end;
} }
/* replace threshold on sig if we have a global override for it */
} else if (parsed_type == TYPE_THRESHOLD || parsed_type == TYPE_BOTH || parsed_type == TYPE_LIMIT) {
m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if (m == NULL) {
m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_DETECTION_FILTER, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
}
if (m != NULL) {
SigMatchRemoveSMFromList(sig, m, DETECT_SM_LIST_THRESHOLD);
SigMatchFree(m);
m = NULL;
}
} }
de = SCMalloc(sizeof(DetectThresholdData)); de = SCMalloc(sizeof(DetectThresholdData));
@ -803,7 +820,6 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
SigMatchAppendSMToList(sig, sm, DETECT_SM_LIST_THRESHOLD); SigMatchAppendSMToList(sig, sm, DETECT_SM_LIST_THRESHOLD);
} }
} }
end: end:
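Review bot: In the second hunk, the new `else if (parsed_type == TYPE_THRESHOLD || ...)` branch removes and frees the signature's own threshold/detection_filter SigMatch without any log line, whereas the code it replaces warned whenever a rule-level threshold was present, so an operator can no longer tell from the engine log which rules had their thresholds silently replaced by threshold.conf. Consider adding, next to `SigMatchRemoveSMFromList(sig, m, DETECT_SM_LIST_THRESHOLD);`, a line such as `SCLogInfo("signature sid:%"PRIu32" threshold replaced by threshold.conf entry", sig->id);`. The commit message limits the override to entries naming a single signature (no gid 0 / sid 0), but that check is not visible in these hunks; if it is enforced earlier in SCThresholdConfAddThresholdtype, a short comment on the `else if` saying so would spare the next reader the search. I am assuming `SigMatchFree(m)` also releases the DetectThresholdData attached to the removed match, otherwise the old ctx leaks each time a rule is overridden; worth confirming. SCThresholdConfAddThresholdtype starts before the first hunk and continues past the `end:` label shown here.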
