aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Move threshold to it's own sig match list.

Browse Source
remotes/origin/master
Victor Julien 13 years ago
parent 65d1783b45
commit c8c4a76dc6
7 changed files with 35 additions and 21 deletions
Show Stats Download Patch File Download Diff File

2
src/detect-detection-filter.c
Unescape Escape View File

@ -250,7 +250,7 @@ int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, char *raw
sm->type = DETECT_DETECTION_FILTER;
sm->ctx = (void *)df;
SigMatchAppendPacket(s, sm);
SigMatchAppendThreshold(s, sm);
return 0;

2
src/detect-engine-threshold.c
Unescape Escape View File

@ -83,7 +83,7 @@ DetectThresholdData *SigGetThresholdTypeIter(Signature *sig, Packet *p, SigMatch
return NULL;
if (*psm == NULL) {
sm = sig->sm_lists_tail[DETECT_SM_LIST_MATCH];
sm = sig->sm_lists_tail[DETECT_SM_LIST_THRESHOLD];
} else {
/* Iteration in progress, using provided value */
sm = *psm;

9
src/detect-parse.c
Unescape Escape View File

@ -327,6 +327,15 @@ void SigMatchAppendPacket(Signature *s, SigMatch *new) {
s->sm_cnt++;
}
/** \brief Append a sig match to the signatures threshold list
*
* \param s signature
* \param new sigmatch to append
*/
void SigMatchAppendThreshold(Signature *s, SigMatch *new) {
SigMatchAppendSMToList(s, new, DETECT_SM_LIST_THRESHOLD);
}
/** \brief Append a sig match to the signatures post-match list
*
* \param s signature

1
src/detect-parse.h
Unescape Escape View File

@ -60,6 +60,7 @@ void SigMatchReplaceContentToUricontent(Signature *, SigMatch *, SigMatch *);
void SigMatchAppendPayload(Signature *, SigMatch *);
void SigMatchAppendDcePayload(Signature *, SigMatch *);
void SigMatchAppendPacket(Signature *, SigMatch *);
void SigMatchAppendThreshold(Signature *, SigMatch *);
void SigMatchAppendPostMatch(Signature *, SigMatch *);
void SigMatchAppendUricontent(Signature *, SigMatch *);
void SigMatchAppendAppLayer(Signature *, SigMatch *);

2
src/detect-threshold.c
Unescape Escape View File

@ -259,7 +259,7 @@ static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, char *ra
sm->type = DETECT_THRESHOLD;
sm->ctx = (void *)de;
SigMatchAppendPacket(s, sm);
SigMatchAppendThreshold(s, sm);
return 0;

4
src/detect.h
Unescape Escape View File

@ -103,7 +103,11 @@ enum {
DETECT_SM_LIST_FILEMATCH,
/* list for post match actions: flowbit set, flowint increment, etc */
DETECT_SM_LIST_POSTMATCH,
/* list for alert thresholding */
DETECT_SM_LIST_THRESHOLD,
DETECT_SM_LIST_MAX,
};

36
src/util-threshold-config.c
Unescape Escape View File

@ -513,12 +513,12 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
ns = s->next;
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL)
goto end;
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER);
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER);
if(m != NULL)
goto end;
@ -571,7 +571,7 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
de_ctx->ths_ctx.th_size++;
}
}
SigMatchAppendPacket(s, sm);
SigMatchAppendThreshold(s, sm);
s = ns;
}
@ -582,12 +582,12 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
if(s->gid == gid) {
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL)
goto end;
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER);
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER);
if(m != NULL)
goto end;
@ -640,7 +640,7 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
de_ctx->ths_ctx.th_size++;
}
}
SigMatchAppendPacket(s, sm);
SigMatchAppendThreshold(s, sm);
}
s = ns;
}
@ -653,12 +653,12 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
goto end;
}
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL)
goto end;
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER);
if(m != NULL)
goto end;
@ -712,7 +712,7 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
}
}
SigMatchAppendPacket(sig, sm);
SigMatchAppendThreshold(sig, sm);
}
}
@ -1132,7 +1132,7 @@ int SCThresholdConfTest01(void)
fd = SCThresholdConfGenerateValidDummyFD01();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;
@ -1176,7 +1176,7 @@ int SCThresholdConfTest02(void)
fd = SCThresholdConfGenerateValidDummyFD01();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;
@ -1219,7 +1219,7 @@ int SCThresholdConfTest03(void)
fd = SCThresholdConfGenerateValidDummyFD01();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;
@ -1262,7 +1262,7 @@ int SCThresholdConfTest04(void)
fd = SCThresholdConfGenerateInValidDummyFD02();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;
@ -1323,7 +1323,7 @@ int SCThresholdConfTest05(void)
if(s->id == 1 || s->id == 10 || s->id == 100) {
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m == NULL) {
goto end;
@ -1376,7 +1376,7 @@ int SCThresholdConfTest06(void)
fd = SCThresholdConfGenerateValidDummyFD04();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;
@ -1420,7 +1420,7 @@ int SCThresholdConfTest07(void)
fd = SCThresholdConfGenerateValidDummyFD05();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;
@ -1465,7 +1465,7 @@ int SCThresholdConfTest08(void)
fd = SCThresholdConfGenerateValidDummyFD06();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;
@ -1930,7 +1930,7 @@ int SCThresholdConfTest13(void)
fd = SCThresholdConfGenerateValidDummyFD11();
SCThresholdConfInitContext(de_ctx,fd);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD);
m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD);
if(m != NULL) {
de = (DetectThresholdData *)m->ctx;

Write Preview
Loading…
Cancel
Save