fix rate filter alert suppression. Log error if rate filter has count of 0. Other minor fixes as well

remotes/origin/master
Anoop Saldanha 13 years ago committed by Victor Julien
parent 887b4e0b6a
commit c34713321a

@ -251,14 +251,14 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
/* set verdict on packet */
p->action |= p->alerts.alerts[i].action;
if (p->alerts.alerts[i].action & ACTION_PASS) {
if (p->action & ACTION_PASS) {
/* Ok, reset the alert cnt to end in the previous of pass
* so we ignore the rest with less prio */
p->alerts.cnt = i;
break;
/* if the signature wants to drop, check if the
* PACKET_ALERT_FLAG_DROP_FLOW flag is set. */
} else if (p->alerts.alerts[i].action & ACTION_DROP &&
} else if (p->action & ACTION_DROP &&
((p->alerts.alerts[i].flags & PACKET_ALERT_FLAG_DROP_FLOW) ||
(s->flags & SIG_FLAG_APPLAYER))
&& p->flow != NULL)
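Review bot: The PASS and DROP tests in this loop appear to read the cumulative `p->action` instead of `p->alerts.alerts[i].action` (taking the second line of each duplicated pair as the new side, since the +/- markers are lost on this page). Because `p->action |= p->alerts.alerts[i].action` runs just above, a PASS bit contributed by any earlier alert, or already set on the packet, would make `p->alerts.cnt = i` discard alert `i` and everything after it, and a DROP bit from an earlier alert would send a later plain alert signature with `SIG_FLAG_APPLAYER` into the drop-flow branch. If that is intended so that rate_filter overrides take effect, a comment on the test would make it reviewable, e.g. `/* p->action is cumulative: earlier alerts and any rate_filter new_action are included */`, and a regression test with a drop signature queued behind a pass would guard against silently lost alerts. The enclosing loop and the body of the DROP branch lie outside the hunk.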

@ -360,6 +360,8 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
{
SCLogDebug("rate_filter");
ret = 1;
if (lookup_tsh != NULL) {
/* Check if we have a timeout enabled, if so,
* we still matching (and enabling the new_action) */
@ -392,7 +394,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
/* Update the matching state with the timeout interval */
if ( (p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
lookup_tsh->current_count++;
if (lookup_tsh->current_count >= td->count) {
if (lookup_tsh->current_count > td->count) {
/* Then we must enable the new action by setting a
* timeout */
lookup_tsh->tv_timeout = p->ts.tv_sec;
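Review bot: With the test written as `current_count > td->count` (taking the second of the duplicated lines as the new side), the new action is armed on match count+1 inside the window instead of on match count, and nothing at this site states which boundary is intended. Since rate_filter is typically the control that throttles or blocks a noisy source, the contract should be stated in the comment, e.g. `/* arm the new action once more than td->count matches were seen within td->seconds */`, and pinned by a unit test that sends exactly count and count+1 packets. ThresholdHandlePacketHost starts and ends outside the hunk, so the effect on the return value is not visible here.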

@ -481,6 +481,10 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
if (ByteExtractStringUint32(&parsed_count, 10, strlen(th_count), th_count) <= 0) {
goto error;
}
if (parsed_count == 0) {
SCLogError(SC_ERR_INVALID_VALUE, "rate filter count should be > 0");
goto error;
}
if (ByteExtractStringUint32(&parsed_seconds, 10, strlen(th_seconds), th_seconds) <= 0) {
goto error;
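Review bot: Only `parsed_count` is rejected when zero; `parsed_seconds` is parsed right after with no matching check, and the window test in ThresholdHandlePacketHost, `(p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds`, cannot hold for a non-negative time difference when seconds is 0, so such a rate filter would load without error and apparently never arm its new action. Consider rejecting it the same way after the seconds parse: `if (parsed_seconds == 0) { SCLogError(SC_ERR_INVALID_VALUE, "rate filter seconds should be > 0"); goto error; }`. The hunk does not show whether this code runs only for rate_filter entries; if threshold or suppress lines share it, both the check and the message wording should be scoped to the rate_filter case. Including `rawstr` in the log line would also let an operator locate the offending entry. The function continues outside the hunk.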
