Split Thresholds and Suppression

Thresholds and suppression can be handled independently. Suppression
only suppresses output, and is not related to Threshold state tracking.

This simplifies mixing suppression and thresholding rules.

Part of the Bug #425 effort.

src/detect-engine-alert.c

@@ -69,27 +69,49 @@ static int PacketAlertHandle(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det
     SCEnter();
     int ret = 1;
     DetectThresholdData *td = NULL;
-    SigMatch *sm = NULL;
+    SigMatch *sm;
 
     if (!(PKT_IS_IPV4(p) || PKT_IS_IPV6(p))) {
         SCReturnInt(1);
     }
 
-    do {
-        td = SigGetThresholdTypeIter(s, p, &sm);
-        if (td != NULL) {
-            SCLogDebug("td %p", td);
-
-            /* PacketAlertThreshold returns 2 if the alert is suppressed but
-             * we do need to apply rule actions to the packet. */
-            ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s);
-            if (ret == 0 || ret == 2) {
-                /* It doesn't match threshold, remove it */
-                SCReturnInt(ret);
+    /* handle suppressions first */
+    if (s->sm_lists[DETECT_SM_LIST_SUPPRESS] != NULL) {
+        sm = NULL;
+        do {
+            td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_SUPPRESS);
+            if (td != NULL) {
+                SCLogDebug("td %p", td);
+
+                /* PacketAlertThreshold returns 2 if the alert is suppressed but
+                 * we do need to apply rule actions to the packet. */
+                ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s);
+                if (ret == 0 || ret == 2) {
+                    /* It doesn't match threshold, remove it */
+                    SCReturnInt(ret);
+                }
             }
-        }
-    } while (sm != NULL);
+        } while (sm != NULL);
+    }
 
+    /* if we're still here, consider thresholding */
+    if (s->sm_lists[DETECT_SM_LIST_THRESHOLD] != NULL) {
+        sm = NULL;
+        do {
+            td = SigGetThresholdTypeIter(s, p, &sm, DETECT_SM_LIST_THRESHOLD);
+            if (td != NULL) {
+                SCLogDebug("td %p", td);
+
+                /* PacketAlertThreshold returns 2 if the alert is suppressed but
+                 * we do need to apply rule actions to the packet. */
+                ret = PacketAlertThreshold(de_ctx, det_ctx, td, p, s);
+                if (ret == 0 || ret == 2) {
+                    /* It doesn't match threshold, remove it */
+                    SCReturnInt(ret);
+                }
+            }
+        } while (sm != NULL);
+    }
     SCReturnInt(1);
 }
 

src/detect-engine-threshold.c

@@ -95,7 +95,7 @@ int ThresholdHostHasThreshold(Host *host) {
  *
  *
  */
-DetectThresholdData *SigGetThresholdTypeIter(Signature *sig, Packet *p, SigMatch **psm)
+DetectThresholdData *SigGetThresholdTypeIter(Signature *sig, Packet *p, SigMatch **psm, int list)
 {
     SigMatch *sm = NULL;
     DetectThresholdData *tsh = NULL;
@@ -104,7 +104,7 @@ DetectThresholdData *SigGetThresholdTypeIter(Signature *sig, Packet *p, SigMatch
         return NULL;
 
     if (*psm == NULL) {
-        sm = sig->sm_lists_tail[DETECT_SM_LIST_THRESHOLD];
+        sm = sig->sm_lists_tail[list];
     } else {
         /* Iteration in progress, using provided value */
         sm = *psm;
@@ -127,20 +127,6 @@ DetectThresholdData *SigGetThresholdTypeIter(Signature *sig, Packet *p, SigMatch
     return NULL;
 }
 
-/**
- * \brief Check if a certain signature has threshold option
- *
- * \param sig Signature pointer
- * \param p Packet structure
- *
- * \retval tsh Return the threshold data from signature or NULL if not found
- */
-DetectThresholdData *SigGetThresholdType(Signature *sig, Packet *p)
-{
-    SigMatch *psm = NULL;
-    return SigGetThresholdTypeIter(sig, p, &psm);
-}
-
 /**
  * \brief Remove timeout threshold hash elements
  *

src/detect-engine-threshold.h

@@ -31,8 +31,7 @@
 int ThresholdHostStorageId(void);
 int ThresholdHostHasThreshold(Host *);
 
-DetectThresholdData *SigGetThresholdType(Signature *, Packet *);
-DetectThresholdData *SigGetThresholdTypeIter(Signature *, Packet *, SigMatch **);
+DetectThresholdData *SigGetThresholdTypeIter(Signature *, Packet *, SigMatch **, int list);
 int PacketAlertThreshold(DetectEngineCtx *, DetectEngineThreadCtx *,
                           DetectThresholdData *, Packet *, Signature *);
 

src/detect.h

@@ -122,7 +122,8 @@ enum {
     /* list for post match actions: flowbit set, flowint increment, etc */
     DETECT_SM_LIST_POSTMATCH,
 
-    /* list for alert thresholding */
+    /* lists for alert thresholding and suppression */
+    DETECT_SM_LIST_SUPPRESS,
     DETECT_SM_LIST_THRESHOLD,
     DETECT_SM_LIST_MAX,