suricata
detect-engine-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup threshold Thresholding
20  *
21  * This feature is used to reduce the number of logged alerts for noisy rules.
22  * This can be tuned to significantly reduce false alarms, and it can also be
23  * used to write a newer breed of rules. Thresholding commands limit the number
24  * of times a particular event is logged during a specified time interval.
25  *
26  * @{
27  */
28 
29 /**
30  * \file
31  *
32  * \author Breno Silva <breno.silva@gmail.com>
33  * \author Victor Julien <victor@inliniac.net>
34  *
35  * Threshold part of the detection engine.
36  */
37 
38 #include "suricata-common.h"
39 #include "debug.h"
40 #include "detect.h"
41 #include "flow.h"
42 
43 #include "host.h"
44 #include "host-storage.h"
45 
46 #include "ippair.h"
47 #include "ippair-storage.h"
48 
49 #include "detect-parse.h"
50 #include "detect-engine-sigorder.h"
51 
52 #include "detect-engine-siggroup.h"
53 #include "detect-engine-address.h"
54 #include "detect-engine-port.h"
55 #include "detect-engine-mpm.h"
56 #include "detect-engine-iponly.h"
57 
58 #include "detect-engine.h"
60 
61 #include "detect-content.h"
62 #include "detect-uricontent.h"
63 
64 #include "util-hash.h"
65 #include "util-time.h"
66 #include "util-error.h"
67 #include "util-debug.h"
68 
69 #include "util-var-name.h"
70 #include "tm-threads.h"
71 
72 static int host_threshold_id = -1; /**< host storage id for thresholds */
73 static int ippair_threshold_id = -1; /**< ip pair storage id for thresholds */
74 
76 {
77  return host_threshold_id;
78 }
79 
80 void ThresholdInit(void)
81 {
82  host_threshold_id = HostStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
83  if (host_threshold_id == -1) {
84  SCLogError(SC_ERR_HOST_INIT, "Can't initiate host storage for thresholding");
85  exit(EXIT_FAILURE);
86  }
87  ippair_threshold_id = IPPairStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
88  if (ippair_threshold_id == -1) {
89  SCLogError(SC_ERR_HOST_INIT, "Can't initiate IP pair storage for thresholding");
90  exit(EXIT_FAILURE);
91  }
92 }
93 
95 {
96  return HostGetStorageById(host, host_threshold_id) ? 1 : 0;
97 }
98 
100 {
101  return IPPairGetStorageById(pair, ippair_threshold_id) ? 1 : 0;
102 }
103 
104 /**
105  * \brief Return next DetectThresholdData for signature
106  *
107  * \param sig Signature pointer
108  * \param p Packet structure
109  * \param sm Pointer to a Signature Match pointer
110  *
111  * \retval tsh Return the threshold data from signature or NULL if not found
112  *
113  *
114  */
116  Packet *p, const SigMatchData **psm, int list)
117 {
118  const SigMatchData *smd = NULL;
119  const DetectThresholdData *tsh = NULL;
120 
121  if (sig == NULL)
122  return NULL;
123 
124  if (*psm == NULL) {
125  smd = sig->sm_arrays[list];
126  } else {
127  /* Iteration in progress, using provided value */
128  smd = *psm;
129  }
130 
131  if (p == NULL)
132  return NULL;
133 
134  while (1) {
135  if (smd->type == DETECT_THRESHOLD ||
137  {
138  tsh = (DetectThresholdData *)smd->ctx;
139 
140  if (smd->is_last) {
141  *psm = NULL;
142  } else {
143  *psm = smd + 1;
144  }
145  return tsh;
146  }
147 
148  if (smd->is_last) {
149  break;
150  }
151  smd++;
152  }
153  *psm = NULL;
154  return NULL;
155 }
156 
157 /**
158  * \brief Remove timeout threshold hash elements
159  *
160  * \param head Current head element of storage
161  * \param tv Current time
162  *
163  * \retval DetectThresholdEntry Return new head element or NULL if all expired
164  *
165  */
166 
167 static DetectThresholdEntry* ThresholdTimeoutCheck(DetectThresholdEntry *head, struct timeval *tv)
168 {
169  DetectThresholdEntry *tmp = head;
170  DetectThresholdEntry *prev = NULL;
171  DetectThresholdEntry *new_head = head;
172 
173  while (tmp != NULL) {
174  /* check if the 'check' timestamp is not before the creation ts.
175  * This can happen due to the async nature of the host timeout
176  * code that also calls this code from a management thread. */
177  if (((uint32_t)tv->tv_sec < tmp->tv_sec1) || (tv->tv_sec - tmp->tv_sec1) <= tmp->seconds) {
178  prev = tmp;
179  tmp = tmp->next;
180  continue;
181  }
182 
183  /* timed out */
184 
185  DetectThresholdEntry *tde = tmp;
186  if (prev != NULL) {
187  prev->next = tmp->next;
188  }
189  else {
190  new_head = tmp->next;
191  }
192  tmp = tde->next;
193  SCFree(tde);
194  }
195 
196  return new_head;
197 }
198 
199 int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
200 {
201  DetectThresholdEntry* head = HostGetStorageById(host, host_threshold_id);
202  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
203  if (new_head != head) {
204  HostSetStorageById(host, host_threshold_id, new_head);
205  }
206  return new_head == NULL;
207 }
208 
209 
210 int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
211 {
212  DetectThresholdEntry* head = IPPairGetStorageById(pair, ippair_threshold_id);
213  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
214  if (new_head != head) {
215  IPPairSetStorageById(pair, ippair_threshold_id, new_head);
216  }
217  return new_head == NULL;
218 }
219 
220 static DetectThresholdEntry *
221 DetectThresholdEntryAlloc(const DetectThresholdData *td, Packet *p,
222  uint32_t sid, uint32_t gid)
223 {
224  SCEnter();
225 
227  if (unlikely(ste == NULL)) {
228  SCReturnPtr(NULL, "DetectThresholdEntry");
229  }
230 
231  ste->sid = sid;
232  ste->gid = gid;
233  ste->track = td->track;
234  ste->seconds = td->seconds;
235 
236  SCReturnPtr(ste, "DetectThresholdEntry");
237 }
238 
239 static DetectThresholdEntry *ThresholdHostLookupEntry(Host *h,
240  uint32_t sid, uint32_t gid)
241 {
243 
244  for (e = HostGetStorageById(h, host_threshold_id); e != NULL; e = e->next) {
245  if (e->sid == sid && e->gid == gid)
246  break;
247  }
248 
249  return e;
250 }
251 
252 static DetectThresholdEntry *ThresholdIPPairLookupEntry(IPPair *pair,
253  uint32_t sid, uint32_t gid)
254 {
256 
257  for (e = IPPairGetStorageById(pair, ippair_threshold_id); e != NULL; e = e->next) {
258  if (e->sid == sid && e->gid == gid)
259  break;
260  }
261 
262  return e;
263 }
264 
265 static int ThresholdHandlePacketSuppress(Packet *p,
266  const DetectThresholdData *td, uint32_t sid, uint32_t gid)
267 {
268  int ret = 0;
269  DetectAddress *m = NULL;
270  switch (td->track) {
271  case TRACK_DST:
272  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
273  SCLogDebug("TRACK_DST");
274  break;
275  case TRACK_SRC:
276  m = DetectAddressLookupInHead(&td->addrs, &p->src);
277  SCLogDebug("TRACK_SRC");
278  break;
279  /* suppress if either src or dst is a match on the suppress
280  * address list */
281  case TRACK_EITHER:
282  m = DetectAddressLookupInHead(&td->addrs, &p->src);
283  if (m == NULL) {
284  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
285  }
286  break;
287  case TRACK_RULE:
288  default:
290  "track mode %d is not supported", td->track);
291  break;
292  }
293  if (m == NULL)
294  ret = 1;
295  else
296  ret = 2; /* suppressed but still need actions */
297 
298  return ret;
299 }
300 
301 static inline void RateFilterSetAction(Packet *p, PacketAlert *pa, uint8_t new_action)
302 {
303  switch (new_action) {
304  case TH_ACTION_ALERT:
305  PACKET_ALERT(p);
307  break;
308  case TH_ACTION_DROP:
309  PACKET_DROP(p);
311  break;
312  case TH_ACTION_REJECT:
313  PACKET_REJECT(p);
315  break;
316  case TH_ACTION_PASS:
317  PACKET_PASS(p);
319  break;
320  default:
321  /* Weird, leave the default action */
322  break;
323  }
324 }
325 
326 /**
327 * \brief Check if the entry reached threshold count limit
328 *
329 * \param lookup_tsh Current threshold entry
330 * \param td Threshold settings
331 * \param packet_time used to compare against previous detection and to set timeouts
332 *
333 * \retval int 1 if threshold reached for this entry
334 *
335 */
336 static int IsThresholdReached(DetectThresholdEntry* lookup_tsh, const DetectThresholdData *td, uint32_t packet_time)
337 {
338  int ret = 0;
339 
340  /* Check if we have a timeout enabled, if so,
341  * we still matching (and enabling the new_action) */
342  if (lookup_tsh->tv_timeout != 0) {
343  if ((packet_time - lookup_tsh->tv_timeout) > td->timeout) {
344  /* Ok, we are done, timeout reached */
345  lookup_tsh->tv_timeout = 0;
346  }
347  else {
348  /* Already matching */
349  ret = 1;
350  } /* else - if ((packet_time - lookup_tsh->tv_timeout) > td->timeout) */
351 
352  }
353  else {
354  /* Update the matching state with the timeout interval */
355  if ((packet_time - lookup_tsh->tv_sec1) < td->seconds) {
356  lookup_tsh->current_count++;
357  if (lookup_tsh->current_count > td->count) {
358  /* Then we must enable the new action by setting a
359  * timeout */
360  lookup_tsh->tv_timeout = packet_time;
361  ret = 1;
362  }
363  }
364  else {
365  lookup_tsh->tv_sec1 = packet_time;
366  lookup_tsh->current_count = 1;
367  }
368  } /* else - if (lookup_tsh->tv_timeout != 0) */
369 
370  return ret;
371 }
372 
373 static void AddEntryToHostStorage(Host *h, DetectThresholdEntry *e, uint32_t packet_time)
374 {
375  if (h && e) {
376  e->current_count = 1;
377  e->tv_sec1 = packet_time;
378  e->tv_timeout = 0;
379  e->next = HostGetStorageById(h, host_threshold_id);
380  HostSetStorageById(h, host_threshold_id, e);
381  }
382 }
383 
384 static void AddEntryToIPPairStorage(IPPair *pair, DetectThresholdEntry *e, uint32_t packet_time)
385 {
386  if (pair && e) {
387  e->current_count = 1;
388  e->tv_sec1 = packet_time;
389  e->tv_timeout = 0;
390  e->next = IPPairGetStorageById(pair, ippair_threshold_id);
391  IPPairSetStorageById(pair, ippair_threshold_id, e);
392  }
393 }
394 
395 static int ThresholdHandlePacketIPPair(IPPair *pair, Packet *p, const DetectThresholdData *td,
396  uint32_t sid, uint32_t gid, PacketAlert *pa)
397 {
398  int ret = 0;
399 
400  DetectThresholdEntry *lookup_tsh = ThresholdIPPairLookupEntry(pair, sid, gid);
401  SCLogDebug("ippair lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
402 
403  switch (td->type) {
404  case TYPE_RATE:
405  {
406  SCLogDebug("rate_filter");
407  ret = 1;
408  if (lookup_tsh && IsThresholdReached(lookup_tsh, td, p->ts.tv_sec)) {
409  RateFilterSetAction(p, pa, td->new_action);
410  } else if (!lookup_tsh) {
411  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
412  AddEntryToIPPairStorage(pair, e, p->ts.tv_sec);
413  }
414  break;
415  }
416  default:
417  {
418  SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
419  break;
420  }
421  }
422 
423  return ret;
424 }
425 
426 /**
427  * \retval 2 silent match (no alert but apply actions)
428  * \retval 1 normal match
429  * \retval 0 no match
430  */
431 static int ThresholdHandlePacketHost(Host *h, Packet *p, const DetectThresholdData *td,
432  uint32_t sid, uint32_t gid, PacketAlert *pa)
433 {
434  int ret = 0;
435 
436  DetectThresholdEntry *lookup_tsh = ThresholdHostLookupEntry(h, sid, gid);
437  SCLogDebug("lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
438 
439  switch(td->type) {
440  case TYPE_LIMIT:
441  {
442  SCLogDebug("limit");
443 
444  if (lookup_tsh != NULL) {
445  if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
446  lookup_tsh->current_count++;
447 
448  if (lookup_tsh->current_count <= td->count) {
449  ret = 1;
450  } else {
451  ret = 2;
452  }
453  } else {
454  lookup_tsh->tv_sec1 = p->ts.tv_sec;
455  lookup_tsh->current_count = 1;
456 
457  ret = 1;
458  }
459  } else {
460  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
461  if (e == NULL) {
462  break;
463  }
464 
465  e->tv_sec1 = p->ts.tv_sec;
466  e->current_count = 1;
467 
468  ret = 1;
469 
470  e->next = HostGetStorageById(h, host_threshold_id);
471  HostSetStorageById(h, host_threshold_id, e);
472  }
473  break;
474  }
475  case TYPE_THRESHOLD:
476  {
477  SCLogDebug("threshold");
478 
479  if (lookup_tsh != NULL) {
480  if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
481  lookup_tsh->current_count++;
482 
483  if (lookup_tsh->current_count >= td->count) {
484  ret = 1;
485  lookup_tsh->current_count = 0;
486  }
487  } else {
488  lookup_tsh->tv_sec1 = p->ts.tv_sec;
489  lookup_tsh->current_count = 1;
490  }
491  } else {
492  if (td->count == 1) {
493  ret = 1;
494  } else {
495  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
496  if (e == NULL) {
497  break;
498  }
499 
500  e->current_count = 1;
501  e->tv_sec1 = p->ts.tv_sec;
502 
503  e->next = HostGetStorageById(h, host_threshold_id);
504  HostSetStorageById(h, host_threshold_id, e);
505  }
506  }
507  break;
508  }
509  case TYPE_BOTH:
510  {
511  SCLogDebug("both");
512 
513  if (lookup_tsh != NULL) {
514  if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
515  /* within time limit */
516 
517  lookup_tsh->current_count++;
518  if (lookup_tsh->current_count == td->count) {
519  ret = 1;
520  } else if (lookup_tsh->current_count > td->count) {
521  /* silent match */
522  ret = 2;
523  }
524  } else {
525  /* expired, so reset */
526  lookup_tsh->tv_sec1 = p->ts.tv_sec;
527  lookup_tsh->current_count = 1;
528 
529  /* if we have a limit of 1, this is a match */
530  if (lookup_tsh->current_count == td->count) {
531  ret = 1;
532  }
533  }
534  } else {
535  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
536  if (e == NULL) {
537  break;
538  }
539 
540  e->current_count = 1;
541  e->tv_sec1 = p->ts.tv_sec;
542 
543  e->next = HostGetStorageById(h, host_threshold_id);
544  HostSetStorageById(h, host_threshold_id, e);
545 
546  /* for the first match we return 1 to
547  * indicate we should alert */
548  if (td->count == 1) {
549  ret = 1;
550  }
551  }
552  break;
553  }
554  /* detection_filter */
555  case TYPE_DETECTION:
556  {
557  SCLogDebug("detection_filter");
558 
559  if (lookup_tsh != NULL) {
560  long double time_diff = ((p->ts.tv_sec + p->ts.tv_usec/1000000.0) -
561  (lookup_tsh->tv_sec1 + lookup_tsh->tv_usec1/1000000.0));
562 
563  if (time_diff < td->seconds) {
564  /* within timeout */
565 
566  lookup_tsh->current_count++;
567  if (lookup_tsh->current_count > td->count) {
568  ret = 1;
569  }
570  } else {
571  /* expired, reset */
572 
573  lookup_tsh->tv_sec1 = p->ts.tv_sec;
574  lookup_tsh->tv_usec1 = p->ts.tv_usec;
575  lookup_tsh->current_count = 1;
576  }
577  } else {
578  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
579  if (e == NULL) {
580  break;
581  }
582 
583  e->current_count = 1;
584  e->tv_sec1 = p->ts.tv_sec;
585  e->tv_usec1 = p->ts.tv_usec;
586 
587  e->next = HostGetStorageById(h, host_threshold_id);
588  HostSetStorageById(h, host_threshold_id, e);
589  }
590  break;
591  }
592  /* rate_filter */
593  case TYPE_RATE:
594  {
595  SCLogDebug("rate_filter");
596  ret = 1;
597  if (lookup_tsh && IsThresholdReached(lookup_tsh, td, p->ts.tv_sec)) {
598  RateFilterSetAction(p, pa, td->new_action);
599  } else if (!lookup_tsh) {
600  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
601  AddEntryToHostStorage(h, e, p->ts.tv_sec);
602  }
603  break;
604  }
605  /* case TYPE_SUPPRESS: is not handled here */
606  default:
607  SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
608  }
609 
610  return ret;
611 }
612 
613 static int ThresholdHandlePacketRule(DetectEngineCtx *de_ctx, Packet *p,
614  const DetectThresholdData *td, const Signature *s, PacketAlert *pa)
615 {
616  int ret = 0;
617 
618  DetectThresholdEntry* lookup_tsh = (DetectThresholdEntry *)de_ctx->ths_ctx.th_entry[s->num];
619  SCLogDebug("by_rule lookup_tsh %p num %u", lookup_tsh, s->num);
620 
621  switch (td->type) {
622  case TYPE_RATE:
623  {
624  ret = 1;
625  if (lookup_tsh && IsThresholdReached(lookup_tsh, td, p->ts.tv_sec)) {
626  RateFilterSetAction(p, pa, td->new_action);
627  }
628  else if (!lookup_tsh) {
629  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, s->id, s->gid);
630  if (e != NULL) {
631  e->current_count = 1;
632  e->tv_sec1 = p->ts.tv_sec;
633  e->tv_timeout = 0;
634 
635  de_ctx->ths_ctx.th_entry[s->num] = e;
636  }
637  }
638  break;
639  }
640  default:
641  {
642  SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
643  break;
644  }
645  }
646 
647  return ret;
648 }
649 
650 /**
651  * \brief Make the threshold logic for signatures
652  *
653  * \param de_ctx Dectection Context
654  * \param tsh_ptr Threshold element
655  * \param p Packet structure
656  * \param s Signature structure
657  *
658  * \retval 2 silent match (no alert but apply actions)
659  * \retval 1 alert on this event
660  * \retval 0 do not alert on this event
661  */
663  const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
664 {
665  SCEnter();
666 
667  int ret = 0;
668  if (td == NULL) {
669  SCReturnInt(0);
670  }
671 
672  if (td->type == TYPE_SUPPRESS) {
673  ret = ThresholdHandlePacketSuppress(p,td,s->id,s->gid);
674  } else if (td->track == TRACK_SRC) {
676  if (src) {
677  ret = ThresholdHandlePacketHost(src,p,td,s->id,s->gid,pa);
678  HostRelease(src);
679  }
680  } else if (td->track == TRACK_DST) {
682  if (dst) {
683  ret = ThresholdHandlePacketHost(dst,p,td,s->id,s->gid,pa);
684  HostRelease(dst);
685  }
686  } else if (td->track == TRACK_BOTH) {
687  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
688  if (pair) {
689  ret = ThresholdHandlePacketIPPair(pair, p, td, s->id, s->gid, pa);
690  IPPairRelease(pair);
691  }
692  } else if (td->track == TRACK_RULE) {
694  ret = ThresholdHandlePacketRule(de_ctx,p,td,s,pa);
696  }
697 
698  SCReturnInt(ret);
699 }
700 
701 /**
702  * \brief Init threshold context hash tables
703  *
704  * \param de_ctx Dectection Context
705  *
706  */
708 {
709  if (SCMutexInit(&de_ctx->ths_ctx.threshold_table_lock, NULL) != 0) {
711  "Threshold: Failed to initialize hash table mutex.");
712  exit(EXIT_FAILURE);
713  }
714 }
715 
716 /**
717  * \brief Destroy threshold context hash tables
718  *
719  * \param de_ctx Dectection Context
720  *
721  */
723 {
724  if (de_ctx->ths_ctx.th_entry != NULL)
725  SCFree(de_ctx->ths_ctx.th_entry);
727 }
728 
729 /**
730  * \brief this function will free all the entries of a list
731  * DetectTagDataEntry
732  *
733  * \param td pointer to DetectTagDataEntryList
734  */
735 void ThresholdListFree(void *ptr)
736 {
737  if (ptr != NULL) {
738  DetectThresholdEntry *entry = ptr;
739 
740  while (entry != NULL) {
741  DetectThresholdEntry *next_entry = entry->next;
742  SCFree(entry);
743  entry = next_entry;
744  }
745  }
746 }
747 
748 /**
749  * @}
750  */
int ThresholdIPPairHasThreshold(IPPair *pair)
int IPPairStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
void HostRelease(Host *h)
Definition: host.c:475
void ThresholdHashInit(DetectEngineCtx *de_ctx)
Init threshold context hash tables.
#define SCLogDebug(...)
Definition: util-debug.h:335
#define TH_ACTION_REJECT
#define TRACK_DST
uint32_t id
Definition: detect.h:529
#define unlikely(expr)
Definition: util-optimize.h:35
uint8_t is_last
Definition: detect.h:333
#define TYPE_RATE
int HostSetStorageById(Host *h, int id, void *ptr)
Store a pointer in a given Host storage.
Definition: host-storage.c:71
address structure for use in the detection engine.
Definition: detect.h:142
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, Packet *p, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Address dst
Definition: decode.h:411
Data needed for Match()
Definition: detect.h:331
int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:544
void ThresholdListFree(void *ptr)
this function will free all the entries of a list DetectTagDataEntry
uint16_t src
Flow * head
Definition: flow-hash.h:102
#define PACKET_REJECT(p)
Definition: decode.h:852
Signature container.
Definition: detect.h:496
#define SCMutexLock(mut)
SigIntId num
Definition: detect.h:506
#define TH_ACTION_PASS
main detection engine ctx
Definition: detect.h:724
SCMutex threshold_table_lock
Definition: detect.h:676
void * HostGetStorageById(Host *h, int id)
Get a value from a given Host storage.
Definition: host-storage.c:84
uint16_t dst
#define SCCalloc(nm, a)
Definition: util-mem.h:197
#define SCMutexUnlock(mut)
#define TYPE_THRESHOLD
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int HostStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Register a Host storage.
Definition: host-storage.c:59
#define TH_ACTION_DROP
#define SCEnter(...)
Definition: util-debug.h:337
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:548
Definition: ippair.h:58
#define TYPE_BOTH
DetectAddressHead addrs
#define TYPE_LIMIT
int ThresholdHostHasThreshold(Host *host)
#define SCMutexInit(mut, mutattrs)
int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
uint32_t gid
Definition: detect.h:530
#define SCReturnInt(x)
Definition: util-debug.h:341
Host * HostGetHostFromHash(Address *a)
Definition: host.c:500
#define TRACK_BOTH
#define TYPE_SUPPRESS
struct DetectThresholdEntry_ * next
DetectAddress * DetectAddressLookupInHead(const DetectAddressHead *gh, Address *a)
Find the group matching address in a group head.
void * IPPairGetStorageById(IPPair *h, int id)
#define PACKET_DROP(p)
Definition: decode.h:850
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
int IPPairSetStorageById(IPPair *h, int id, void *ptr)
uint8_t type
Definition: detect.h:332
#define SCFree(a)
Definition: util-mem.h:228
#define PACKET_PASS(p)
Definition: decode.h:858
Definition: host.h:58
uint8_t flags
Definition: decode.h:270
#define TRACK_SRC
#define TH_ACTION_ALERT
ThresholdCtx ths_ctx
Definition: detect.h:771
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
SCMutex m
Definition: flow-hash.h:105
DetectThresholdEntry ** th_entry
Definition: detect.h:679
#define PACKET_ALERT(p)
Definition: decode.h:846
void ThresholdInit(void)
void ThresholdContextDestroy(DetectEngineCtx *de_ctx)
Destroy threshold context hash tables.
struct timeval ts
Definition: decode.h:449
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:286
#define TRACK_EITHER
void IPPairRelease(IPPair *h)
Definition: ippair.c:520
#define TRACK_RULE
#define TYPE_DETECTION
int ThresholdHostStorageId(void)
Address src
Definition: decode.h:410
SigMatchCtx * ctx
Definition: detect.h:334
#define SCMutexDestroy