fix rate filter alert suppression. Log error if rate filter has count of 0. Other minor fixes as well

remotes/origin/HEAD
Anoop Saldanha 13 years ago committed by Victor Julien
parent 887b4e0b6a
commit c34713321a

@ -251,14 +251,14 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
/* set verdict on packet */ /* set verdict on packet */
p->action |= p->alerts.alerts[i].action; p->action |= p->alerts.alerts[i].action;
if (p->alerts.alerts[i].action & ACTION_PASS) { if (p->action & ACTION_PASS) {
/* Ok, reset the alert cnt to end in the previous of pass /* Ok, reset the alert cnt to end in the previous of pass
* so we ignore the rest with less prio */ * so we ignore the rest with less prio */
p->alerts.cnt = i; p->alerts.cnt = i;
break; break;
/* if the signature wants to drop, check if the /* if the signature wants to drop, check if the
* PACKET_ALERT_FLAG_DROP_FLOW flag is set. */ * PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
} else if (p->alerts.alerts[i].action & ACTION_DROP && } else if (p->action & ACTION_DROP &&
((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) || ((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
(s->flags & SIG_FLAG_APPLAYER)) (s->flags & SIG_FLAG_APPLAYER))
&& p->flow != NULL) && p->flow != NULL)
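Review bot: The pass and drop tests in PacketAlertFinalize read the cumulative `p->action` (right-hand column, which reads as the new side) instead of `p->alerts.alerts[i].action`, so a PASS or DROP bit set by an earlier alert, or anywhere before this loop, also decides the branch for alert i. With PASS already set, `p->alerts.cnt = i` discards this alert and every later one, which is silent alert suppression if the bit did not come from this signature; whether that can happen depends on code outside the hunk. If testing the packet-level action is intended, state it on the `if`, for example `/* test the cumulative packet action, not only alerts[i].action */`, and consider parenthesising `(p->action & ACTION_DROP)` in the `else if` for readability. The function body starts and ends outside the hunk.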

@ -360,6 +360,8 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
{ {
SCLogDebug("rate_filter"); SCLogDebug("rate_filter");
ret = 1;
if (lookup_tsh != NULL) { if (lookup_tsh != NULL) {
/* Check if we have a timeout enabled, if so, /* Check if we have a timeout enabled, if so,
* we still matching (and enabling the new_action) */ * we still matching (and enabling the new_action) */
@ -392,7 +394,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
/* Update the matching state with the timeout interval */ /* Update the matching state with the timeout interval */
if ( (p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) { if ( (p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++; lookup_tsh->current_count++;
if (lookup_tsh->current_count >= td->count) { if (lookup_tsh->current_count > td->count) {
/* Then we must enable the new action by setting a /* Then we must enable the new action by setting a
* timeout */ * timeout */
lookup_tsh->tv_timeout = p->ts.tv_sec; lookup_tsh->tv_timeout = p->ts.tv_sec;
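Review bot: The strict comparison `lookup_tsh->current_count > td->count` (right-hand column, read as the new side) shifts the match on which the new action starts by one, and nothing near it says which match that is. A comment on that line such as `/* new_action applies from match td->count + 1 onward */` would pin the semantics for rule writers, and the entry-creation and reset paths outside this hunk should be checked against the same convention. The `ret = 1;` added at the top of the rate_filter case in the hunk at line 360 also deserves a short why-comment, for example `/* default: rate_filter does not suppress the alert */`, if that is the intent. ThresholdHandlePacketHost continues outside both hunks.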

@ -481,6 +481,10 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
if (ByteExtractStringUint32(&parsed_count, 10, strlen(th_count), th_count) <= 0) { if (ByteExtractStringUint32(&parsed_count, 10, strlen(th_count), th_count) <= 0) {
goto error; goto error;
} }
if (parsed_count == 0) {
SCLogError(SC_ERR_INVALID_VALUE, "rate filter count should be > 0");
goto error;
}
if (ByteExtractStringUint32(&parsed_seconds, 10, strlen(th_seconds), th_seconds) <= 0) { if (ByteExtractStringUint32(&parsed_seconds, 10, strlen(th_seconds), th_seconds) <= 0) {
goto error; goto error;
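Review bot: Only `parsed_count` is rejected when it is zero; `parsed_seconds`, parsed on the following line, gets no matching check. If that value becomes `td->seconds`, the window test `(p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds` in ThresholdHandlePacketHost cannot be true for a non-negative time difference, so a rule with a zero window would load without error and its rate filter would never trigger. Consider adding `if (parsed_seconds == 0) { SCLogError(SC_ERR_INVALID_VALUE, "rate filter seconds should be > 0"); goto error; }` after the seconds parse. Also confirm that the new count test sits on a rate_filter-only path, since its message names the rate filter while the enclosing branch is outside the hunk.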
