diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 1ebc3e4043..900e6b0a00 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -465,13 +465,13 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 }
 case TYPE_SUPPRESS:
 {
- int res = 0;
+ DetectAddress *m = NULL;
 switch (td->track) {
 case TRACK_DST:
- res = DetectAddressMatch(td->addr, &p->dst);
+ m = DetectAddressLookupInHead(&td->addrs, &p->dst);
 break;
 case TRACK_SRC:
- res = DetectAddressMatch(td->addr, &p->src);
+ m = DetectAddressLookupInHead(&td->addrs, &p->src);
 break;
 case TRACK_RULE:
 default:
@@ -479,7 +479,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 "track mode %d is not supported", td->track);
 break;
 }
- if (res == 0)
+ if (m == NULL)
 ret = 1;
 else
 ret = 2; /* suppressed but still need actions */
diff --git a/src/detect-threshold.c b/src/detect-threshold.c
index 5c83ee4d47..236b6bf627 100644
--- a/src/detect-threshold.c
+++ b/src/detect-threshold.c
@@ -286,7 +286,7 @@ static void DetectThresholdFree(void *de_ptr)
 {
 DetectThresholdData *de = (DetectThresholdData *)de_ptr;
 if (de) {
- DetectAddressFree(de->addr);
+ DetectAddressHeadCleanup(&de->addrs);
 SCFree(de);
 }
 }
diff --git a/src/detect-threshold.h b/src/detect-threshold.h
index 3306094bee..fd8c93117f 100644
--- a/src/detect-threshold.h
+++ b/src/detect-threshold.h
@@ -60,7 +60,7 @@ typedef struct DetectThresholdData_ {
 uint8_t new_action; /**< new_action alert|drop|pass|log|sdrop|reject */
 uint32_t timeout; /**< timeout */
 uint32_t flags; /**< flags used to set option */
- DetectAddress* addr; /**< address group used by suppress keyword */
+ DetectAddressHead addrs;
 } DetectThresholdData;
 typedef struct DetectThresholdEntry_ {
diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index 25be3d7931..5ee84c55a3 100644
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
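Review bot: `DetectAddressHeadCleanup(&de->addrs)` in DetectThresholdFree now runs for every DetectThresholdData, so the embedded `addrs` member has to be zeroed wherever the struct is allocated, and no allocation site is visible in this diff. The SetupThresholdRule hunks at -485, -549 and -640 drop `de->addr = NULL;` without a replacement, and the error paths at -427 and -675 call the cleanup unconditionally. If any allocator uses a plain SCMalloc without clearing the struct, the cleanup would walk and free uninitialized list pointers. Confirm that each allocation, including any in keyword parsers this commit does not touch, is followed by `memset(de, 0, sizeof(*de));`, and consider a comment here such as `/* addrs must be zero-initialised at allocation; cleanup is unconditional */`.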
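Review bot: The replacement member `DetectAddressHead addrs;` lost the Doxygen comment its predecessor carried, while every other field shown in the struct keeps one. Suggest `DetectAddressHead addrs; /**< address list used by the suppress keyword */`. Because the head is now embedded by value rather than held as a nullable pointer, the comment could also state that it must be zero-initialised and released with DetectAddressHeadCleanup.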
@@ -73,7 +73,7 @@ typedef enum ThresholdRuleType {
 * suppress gen_id 1, sig_id 2000328
 * suppress gen_id 1, sig_id 2000328, track by_src, ip fe80::/10
 */
-#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\da-fA-F.:/]+)*\\s*$"
+#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\[\\],\\$\\da-zA-Z.:/_]+)*\\s*$"
 /* Default path for the threshold.config file */
 #if defined OS_WIN32 || defined __CYGWIN__
@@ -296,16 +296,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
 de->seconds = parsed_seconds;
 de->new_action = parsed_new_action;
 de->timeout = parsed_timeout;
- de->addr = NULL;
 if (parsed_track != TRACK_RULE) {
- de->addr = DetectAddressInit();
- if (de->addr == NULL) {
- SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
- goto error;
- }
- if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
- SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
+ if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
+ SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
 goto error;
 }
 }
@@ -347,16 +341,10 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
 de->seconds = parsed_seconds;
 de->new_action = parsed_new_action;
 de->timeout = parsed_timeout;
- de->addr = NULL;
 if (parsed_track != TRACK_RULE) {
- de->addr = DetectAddressInit();
- if (de->addr == NULL) {
- SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
- goto error;
- }
- if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
- SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
+ if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
+ SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
 goto error;
 }
 }
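Review bot: The widened character class in DETECT_SUPPRESS_REGEX admits `[`, `]`, `,`, `$`, letters and `_`, but neither whitespace nor `!`, so a list written with a space after the comma (constructed example: `ip [10.0.0.0/8, 192.168.0.0/16]`) will not match the pattern, and negated entries are excluded as well. If that restriction is intended, state it in the comment block above the define, which still shows only the single-netblock form; an added example line such as ` * suppress gen_id 1, sig_id 2000328, track by_src, ip $HOME_NET` would document the new syntax. Otherwise add `\\s` to the class, and `!` if the address parser is meant to accept negation here. The trailing `*` on the capture group still allows the address to be absent altogether, so the code that extracts th_ip, which is outside this hunk, should be checked for an empty capture before the value reaches DetectAddressParse.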
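Review bot: The new error message `failed to parse %s` in SetupSuppressRule drops the context an operator needs to find the offending entry in threshold.config, although the function already receives `id` and `gid`. Something like `SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "suppress: failed to parse address \"%s\" for gid %" PRIu32 ", sid %" PRIu32, th_ip, gid, id);` would be more useful. This matters more now that the value can be a variable or a list, where a typo or an unexpectedly broad variable changes which hosts stop alerting. The same block is repeated in the hunks at -347 and -400, so a small static helper would keep the three copies in sync. Both casts in the DetectAddressParse call look unnecessary, but the declarations of de_ctx's use and th_ip are outside the hunk, so that needs checking against the prototype.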
@@ -400,13 +388,8 @@ static int SetupSuppressRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid,
 de->new_action = parsed_new_action;
 de->timeout = parsed_timeout;
- de->addr = DetectAddressInit();
- if (de->addr == NULL) {
- SCLogError(SC_ERR_MEM_ALLOC, "Can't init DetectAddress");
- goto error;
- }
- if (DetectAddressParseString(de->addr, (char *)th_ip) < 0) {
- SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "Can't add %s to address group", th_ip);
+ if (DetectAddressParse((const DetectEngineCtx *)de_ctx, &de->addrs, (char *)th_ip) != 0) {
+ SCLogError(SC_ERR_INVALID_IP_NETBLOCK, "failed to parse %s", th_ip);
 goto error;
 }
@@ -427,8 +410,7 @@ end:
 return 0;
 error:
 if (de != NULL) {
- if (de->addr != NULL)
- DetectAddressFree(de->addr);
+ DetectAddressHeadCleanup(&de->addrs);
 SCFree(de);
 }
 return -1;
@@ -485,7 +467,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
 de->seconds = parsed_seconds;
 de->new_action = parsed_new_action;
 de->timeout = parsed_timeout;
- de->addr = NULL;
 sm = SigMatchAlloc();
 if (sm == NULL) {
@@ -549,7 +530,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
 de->seconds = parsed_seconds;
 de->new_action = parsed_new_action;
 de->timeout = parsed_timeout;
- de->addr = NULL;
 sm = SigMatchAlloc();
 if (sm == NULL) {
@@ -640,7 +620,6 @@ static int SetupThresholdRule(DetectEngineCtx *de_ctx, uint32_t id, uint32_t gid
 de->seconds = parsed_seconds;
 de->new_action = parsed_new_action;
 de->timeout = parsed_timeout;
- de->addr = NULL;
 sm = SigMatchAlloc();
 if (sm == NULL) {
@@ -675,8 +654,7 @@ end:
 return 0;
 error:
 if (de != NULL) {
- if (de->addr != NULL)
- DetectAddressFree(de->addr);
+ DetectAddressHeadCleanup(&de->addrs);
 SCFree(de);
 }
 return -1;