From c8c4a76dc6adc9520328d8ff4306a26995710a0d Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Mon, 16 Jan 2012 13:57:46 +0100 Subject: [PATCH] Move threshold to it's own sig match list. --- src/detect-detection-filter.c | 2 +- src/detect-engine-threshold.c | 2 +- src/detect-parse.c | 9 +++++++++ src/detect-parse.h | 1 + src/detect-threshold.c | 2 +- src/detect.h | 4 ++++ src/util-threshold-config.c | 36 +++++++++++++++++------------------ 7 files changed, 35 insertions(+), 21 deletions(-) diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c index 66aee5f1f0..c3a9926eee 100644 --- a/src/detect-detection-filter.c +++ b/src/detect-detection-filter.c @@ -250,7 +250,7 @@ int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, char *raw sm->type = DETECT_DETECTION_FILTER; sm->ctx = (void *)df; - SigMatchAppendPacket(s, sm); + SigMatchAppendThreshold(s, sm); return 0; diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c index 25edccb81d..f6e4ddbaa5 100644 --- a/src/detect-engine-threshold.c +++ b/src/detect-engine-threshold.c @@ -83,7 +83,7 @@ DetectThresholdData *SigGetThresholdTypeIter(Signature *sig, Packet *p, SigMatch return NULL; if (*psm == NULL) { - sm = sig->sm_lists_tail[DETECT_SM_LIST_MATCH]; + sm = sig->sm_lists_tail[DETECT_SM_LIST_THRESHOLD]; } else { /* Iteration in progress, using provided value */ sm = *psm; diff --git a/src/detect-parse.c b/src/detect-parse.c index 30e3087ac7..97b5701de0 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -327,6 +327,15 @@ void SigMatchAppendPacket(Signature *s, SigMatch *new) { s->sm_cnt++; } +/** \brief Append a sig match to the signatures threshold list + * + * \param s signature + * \param new sigmatch to append + */ +void SigMatchAppendThreshold(Signature *s, SigMatch *new) { + SigMatchAppendSMToList(s, new, DETECT_SM_LIST_THRESHOLD); +} + /** \brief Append a sig match to the signatures post-match list * * \param s signature 
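Review bot: Any lookup that still searches `DETECT_SM_LIST_MATCH` for a `DETECT_THRESHOLD` or `DETECT_DETECTION_FILTER` entry will stop finding it once the append in `DetectDetectionFilterSetup` (src/detect-detection-filter.c, hunk at -250) goes to the threshold list; the same applies to `DetectThresholdSetup` in src/detect-threshold.c at -259. Both setup functions start and end outside their hunks, so it is not visible whether they contain such a check, for example one that rejects a rule carrying both keywords. If they do, the check has to name `DETECT_SM_LIST_THRESHOLD` as well, otherwise a rule could silently end up with two rate-limiting entries and alert on a different schedule than its author intended. A one-line comment above the call would record the intent: `/* threshold keywords are kept in their own list, not DETECT_SM_LIST_MATCH */`.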
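Review bot: `SigMatchAppendThreshold` in src/detect-parse.c (hunk at -327) does no bookkeeping of its own, whereas the function that ends just above it closes with `s->sm_cnt++;`, so the per-signature match count stays correct only if `SigMatchAppendSMToList` increments it; that helper is not shown in this hunk. Worth confirming, and if the helper does the counting, saying so in the doc comment so the asymmetry with the neighbouring function is not mistaken for an omission. The brief would also read better as `Append a sig match to the signature's threshold list`, and it could name the two keywords that use the list (threshold and detection_filter).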
diff --git a/src/detect-parse.h b/src/detect-parse.h index b15654b4e4..b111a1101e 100644 --- a/src/detect-parse.h +++ b/src/detect-parse.h @@ -60,6 +60,7 @@ void SigMatchReplaceContentToUricontent(Signature *, SigMatch *, SigMatch *); void SigMatchAppendPayload(Signature *, SigMatch *); void SigMatchAppendDcePayload(Signature *, SigMatch *); void SigMatchAppendPacket(Signature *, SigMatch *); +void SigMatchAppendThreshold(Signature *, SigMatch *); void SigMatchAppendPostMatch(Signature *, SigMatch *); void SigMatchAppendUricontent(Signature *, SigMatch *); void SigMatchAppendAppLayer(Signature *, SigMatch *); diff --git a/src/detect-threshold.c b/src/detect-threshold.c index a6be04d20f..8ef23fa64a 100644 --- a/src/detect-threshold.c +++ b/src/detect-threshold.c @@ -259,7 +259,7 @@ static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, char *ra sm->type = DETECT_THRESHOLD; sm->ctx = (void *)de; - SigMatchAppendPacket(s, sm); + SigMatchAppendThreshold(s, sm); return 0; diff --git a/src/detect.h b/src/detect.h index 3bdd62c11f..1dfaabce46 100644 --- a/src/detect.h +++ b/src/detect.h @@ -103,7 +103,11 @@ enum { DETECT_SM_LIST_FILEMATCH, + /* list for post match actions: flowbit set, flowint increment, etc */ DETECT_SM_LIST_POSTMATCH, + + /* list for alert thresholding */ + DETECT_SM_LIST_THRESHOLD, DETECT_SM_LIST_MAX, }; diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c index 23a53080c7..177e04609e 100644 --- a/src/util-threshold-config.c +++ b/src/util-threshold-config.c 
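Review bot: The new comment on `DETECT_SM_LIST_THRESHOLD` in src/detect.h (hunk at -103) does not say what goes into the list; given the two setup hunks, `/* list for alert thresholding: threshold and detection_filter sigmatches */` would tell a reader more. Placing the value before `DETECT_SM_LIST_MAX` grows anything sized by that constant, but code that names the lists one at a time will not see the new list. The enum starts outside this hunk and such users are elsewhere in the tree, so this needs a check beyond the files touched here.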
@@ -513,12 +513,12 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) ns = s->next; - m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) goto end; - m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER); + m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER); if(m != NULL) goto end; @@ -571,7 +571,7 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) de_ctx->ths_ctx.th_size++; } } - SigMatchAppendPacket(s, sm); + SigMatchAppendThreshold(s, sm); s = ns; } @@ -582,12 +582,12 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) if(s->gid == gid) { - m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) goto end; - m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER); + m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER); if(m != NULL) goto end; @@ -640,7 +640,7 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) de_ctx->ths_ctx.th_size++; } } - SigMatchAppendPacket(s, sm); + SigMatchAppendThreshold(s, sm); } s = ns; } @@ -653,12 +653,12 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) goto end; } - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) goto end; - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER); if(m != NULL) goto end; 
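Review bot: In `SCThresholdConfAddThresholdtype` the lookups at -513 and -582 sit inside a walk over signatures (`ns = s->next;` at the top, `s = ns;` at the bottom), yet `if(m != NULL) goto end;` leaves that walk at the first signature that already has a threshold or detection_filter entry. The `end` label is outside the hunks, but if it is the function exit, every later signature is skipped and the threshold.config entry is applied to only part of the rule set, which changes alert volume without any message. Skipping just that signature looks like the intent, e.g. `if (m != NULL) { s = ns; continue; }`, assuming the enclosing construct is a loop where `continue` is valid. The commit leaves this behaviour as it was and only switches the list being searched.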
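Review bot: The lookups in src/util-threshold-config.c pass the list head, `sm_lists[DETECT_SM_LIST_THRESHOLD]`, to `SigMatchGetLastSM`, while `SigGetThresholdTypeIter` in src/detect-engine-threshold.c starts from `sig->sm_lists_tail[DETECT_SM_LIST_THRESHOLD]`. `SigMatchGetLastSM` is not shown; if it walks backwards from the node it is given, as its name suggests, starting at the head inspects only the first entry. With a single entry in the list the result is the same, but `sm_lists_tail[DETECT_SM_LIST_THRESHOLD]` would be consistent and stays correct if a signature ever holds more than one. This applies to the hunks at -513, -582 and -653 and to the test hunks from -1132 on.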
@@ -712,7 +712,7 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) } } - SigMatchAppendPacket(sig, sm); + SigMatchAppendThreshold(sig, sm); } } @@ -1132,7 +1132,7 @@ int SCThresholdConfTest01(void) fd = SCThresholdConfGenerateValidDummyFD01(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) { de = (DetectThresholdData *)m->ctx; @@ -1176,7 +1176,7 @@ int SCThresholdConfTest02(void) fd = SCThresholdConfGenerateValidDummyFD01(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) { de = (DetectThresholdData *)m->ctx; @@ -1219,7 +1219,7 @@ int SCThresholdConfTest03(void) fd = SCThresholdConfGenerateValidDummyFD01(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) { de = (DetectThresholdData *)m->ctx; @@ -1262,7 +1262,7 @@ int SCThresholdConfTest04(void) fd = SCThresholdConfGenerateInValidDummyFD02(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) { de = (DetectThresholdData *)m->ctx; @@ -1323,7 +1323,7 @@ int SCThresholdConfTest05(void) if(s->id == 1 || s->id == 10 || s->id == 100) { - m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m == NULL) { goto end; 
@@ -1376,7 +1376,7 @@ int SCThresholdConfTest06(void) fd = SCThresholdConfGenerateValidDummyFD04(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) { de = (DetectThresholdData *)m->ctx; @@ -1420,7 +1420,7 @@ int SCThresholdConfTest07(void) fd = SCThresholdConfGenerateValidDummyFD05(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER); if(m != NULL) { de = (DetectThresholdData *)m->ctx; @@ -1465,7 +1465,7 @@ int SCThresholdConfTest08(void) fd = SCThresholdConfGenerateValidDummyFD06(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_DETECTION_FILTER); if(m != NULL) { de = (DetectThresholdData *)m->ctx; @@ -1930,7 +1930,7 @@ int SCThresholdConfTest13(void) fd = SCThresholdConfGenerateValidDummyFD11(); SCThresholdConfInitContext(de_ctx,fd); - m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_MATCH], DETECT_THRESHOLD); + m = SigMatchGetLastSM(sig->sm_lists[DETECT_SM_LIST_THRESHOLD], DETECT_THRESHOLD); if(m != NULL) { de = (DetectThresholdData *)m->ctx;