considering the tenths of a seconds in a packet, when calculating thresholds

13 years ago · b48a686d65
parent b899146229
commit b48a686d65
2 changed files with 7 additions and 1 deletions
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@ -323,7 +323,10 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
            SCLogDebug("detection_filter");

            if (lookup_tsh != NULL) {
-                if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
+                long double time_diff = ((p->ts.tv_sec + p->ts.tv_usec/1000000.0) -
+                                         (lookup_tsh->tv_sec1 + lookup_tsh->tv_usec1/1000000.0));
+
+                if (time_diff < td->seconds) {
                    /* within timeout */

                    lookup_tsh->current_count++;
@ -334,6 +337,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
                    /* expired, reset */

                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
+                    lookup_tsh->tv_usec1 = p->ts.tv_usec;
                    lookup_tsh->current_count = 1;
                }
            } else {
@ -344,6 +348,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3

                e->current_count = 1;
                e->tv_sec1 = p->ts.tv_sec;
+                e->tv_usec1 = p->ts.tv_usec;

                e->next = h->threshold;
                h->threshold = e;
--- a/src/detect-threshold.h
+++ b/src/detect-threshold.h
@ -71,6 +71,7 @@ typedef struct DetectThresholdEntry_ {
                                 its not "seconds", that define the time interval */
    uint32_t seconds;       /**< Event seconds */
    uint32_t tv_sec1;       /**< Var for time control */
+    uint32_t tv_usec1;       /**< Var for time control */
    uint32_t current_count; /**< Var for count control */
    int track;          /**< Track type: by_src, by_src */