aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

bug #455 - Warn users on signature event vars having precedence over threshold.conf ones

Browse Source
remotes/origin/HEAD
Anoop Saldanha 13 years ago committed by Victor Julien
parent ab421978f0
commit cde31abe96
3 changed files with 43 additions and 7 deletions
Show Stats Download Patch File Download Diff File

2
src/util-error.c
Unescape Escape View File

@ -230,7 +230,7 @@ const char * SCErrorToString(SCError err)
CASE_CODE (SC_ERR_MEM_BUFFER_API);
CASE_CODE (SC_ERR_INVALID_MD5);
CASE_CODE (SC_ERR_NO_MD5_SUPPORT);
CASE_CODE (SC_ERR_EVENT_ENGINE);
default:
return "UNKNOWN_ERROR";
}

1
src/util-error.h
Unescape Escape View File

@ -244,6 +244,7 @@ typedef enum {
SC_ERR_MEM_BUFFER_API,
SC_ERR_INVALID_MD5,
SC_ERR_NO_MD5_SUPPORT,
SC_ERR_EVENT_ENGINE,
} SCError;
const char *SCErrorToString(SCError);

47
src/util-threshold-config.c
Unescape Escape View File

@ -560,14 +560,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
m = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if(m != NULL)
if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
"given precedence over the threshold.conf one. "
"We'll change this in the future though.", id);
goto end;
}
m = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if(m != NULL)
if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
"given precedence over the threshold.conf one. "
"We'll change this in the future though.", id);
goto end;
}
de = SCMalloc(sizeof(DetectThresholdData));
if (de == NULL)
@ -631,14 +641,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
m = SigMatchGetLastSMFromLists(s, 2,
DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if(m != NULL)
if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
"given precedence over the threshold.conf one. "
"We'll change this in the future though.", id);
goto end;
}
m = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if(m != NULL)
if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
"given precedence over the threshold.conf one. "
"We'll change this in the future though.", id);
goto end;
}
de = SCMalloc(sizeof(DetectThresholdData));
if (de == NULL)
@ -692,6 +712,11 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
}
s = ns;
}
} else if (id > 0 && gid == 0) {
SCLogError(SC_ERR_INVALID_VALUE, "Can't use a event config that has "
"sid > 0 and gid == 0. Killing engine. Please fix this "
"in your threshold.conf file");
exit(EXIT_FAILURE);
} else {
sig = SigFindSignatureBySidGid(de_ctx,id,gid);
@ -704,14 +729,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if(m != NULL)
if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
"given precedence over the threshold.conf one. "
"We'll change this in the future though.", id);
goto end;
}
m = SigMatchGetLastSMFromLists(sig, 2,
DETECT_DETECTION_FILTER, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
if(m != NULL)
if (m != NULL) {
SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
"an event var set. The signature event var is "
"given precedence over the threshold.conf one. "
"We'll change this in the future though.", id);
goto end;
}
de = SCMalloc(sizeof(DetectThresholdData));
if (de == NULL)

Write Preview
Loading…
Cancel
Save