suricata
detect-engine-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2015 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup threshold Thresholding
20  *
21  * This feature is used to reduce the number of logged alerts for noisy rules.
22  * This can be tuned to significantly reduce false alarms, and it can also be
23  * used to write a newer breed of rules. Thresholding commands limit the number
24  * of times a particular event is logged during a specified time interval.
25  *
26  * @{
27  */
28 
29 /**
30  * \file
31  *
32  * \author Breno Silva <breno.silva@gmail.com>
33  * \author Victor Julien <victor@inliniac.net>
34  *
35  * Threshold part of the detection engine.
36  */
37 
38 #include "suricata-common.h"
39 #include "debug.h"
40 #include "detect.h"
41 #include "flow.h"
42 
43 #include "host.h"
44 #include "host-storage.h"
45 
46 #include "ippair.h"
47 #include "ippair-storage.h"
48 
49 #include "detect-parse.h"
50 #include "detect-engine-sigorder.h"
51 
52 #include "detect-engine-siggroup.h"
53 #include "detect-engine-address.h"
54 #include "detect-engine-port.h"
55 #include "detect-engine-mpm.h"
56 #include "detect-engine-iponly.h"
57 
58 #include "detect-engine.h"
60 
61 #include "detect-content.h"
62 #include "detect-uricontent.h"
63 
64 #include "util-hash.h"
65 #include "util-time.h"
66 #include "util-error.h"
67 #include "util-debug.h"
68 
69 #include "util-var-name.h"
70 #include "tm-threads.h"
71 
72 static int host_threshold_id = -1; /**< host storage id for thresholds */
73 static int ippair_threshold_id = -1; /**< ip pair storage id for thresholds */
74 
76 {
77  return host_threshold_id;
78 }
79 
80 void ThresholdInit(void)
81 {
82  host_threshold_id = HostStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
83  if (host_threshold_id == -1) {
85  "Can't initiate host storage for thresholding");
86  }
87  ippair_threshold_id = IPPairStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
88  if (ippair_threshold_id == -1) {
90  "Can't initiate IP pair storage for thresholding");
91  }
92 }
93 
95 {
96  return HostGetStorageById(host, host_threshold_id) ? 1 : 0;
97 }
98 
100 {
101  return IPPairGetStorageById(pair, ippair_threshold_id) ? 1 : 0;
102 }
103 
104 /**
105  * \brief Return next DetectThresholdData for signature
106  *
107  * \param sig Signature pointer
108  * \param p Packet structure
109  * \param sm Pointer to a Signature Match pointer
110  *
111  * \retval tsh Return the threshold data from signature or NULL if not found
112  *
113  *
114  */
116  Packet *p, const SigMatchData **psm, int list)
117 {
118  const SigMatchData *smd = NULL;
119  const DetectThresholdData *tsh = NULL;
120 
121  if (sig == NULL)
122  return NULL;
123 
124  if (*psm == NULL) {
125  smd = sig->sm_arrays[list];
126  } else {
127  /* Iteration in progress, using provided value */
128  smd = *psm;
129  }
130 
131  if (p == NULL)
132  return NULL;
133 
134  while (1) {
135  if (smd->type == DETECT_THRESHOLD ||
137  {
138  tsh = (DetectThresholdData *)smd->ctx;
139 
140  if (smd->is_last) {
141  *psm = NULL;
142  } else {
143  *psm = smd + 1;
144  }
145  return tsh;
146  }
147 
148  if (smd->is_last) {
149  break;
150  }
151  smd++;
152  }
153  *psm = NULL;
154  return NULL;
155 }
156 
157 /**
158  * \brief Remove timeout threshold hash elements
159  *
160  * \param head Current head element of storage
161  * \param tv Current time
162  *
163  * \retval DetectThresholdEntry Return new head element or NULL if all expired
164  *
165  */
166 
167 static DetectThresholdEntry* ThresholdTimeoutCheck(DetectThresholdEntry *head, struct timeval *tv)
168 {
169  DetectThresholdEntry *tmp = head;
170  DetectThresholdEntry *prev = NULL;
171  DetectThresholdEntry *new_head = head;
172 
173  while (tmp != NULL) {
174  /* check if the 'check' timestamp is not before the creation ts.
175  * This can happen due to the async nature of the host timeout
176  * code that also calls this code from a management thread. */
177  if (TIMEVAL_EARLIER(*tv, tmp->tv1) || TIMEVAL_DIFF_SEC(*tv, tmp->tv1) <= tmp->seconds) {
178  prev = tmp;
179  tmp = tmp->next;
180  continue;
181  }
182 
183  /* timed out */
184 
185  DetectThresholdEntry *tde = tmp;
186  if (prev != NULL) {
187  prev->next = tmp->next;
188  }
189  else {
190  new_head = tmp->next;
191  }
192  tmp = tde->next;
193  SCFree(tde);
194  }
195 
196  return new_head;
197 }
198 
199 int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
200 {
201  DetectThresholdEntry* head = HostGetStorageById(host, host_threshold_id);
202  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
203  if (new_head != head) {
204  HostSetStorageById(host, host_threshold_id, new_head);
205  }
206  return new_head == NULL;
207 }
208 
209 
210 int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
211 {
212  DetectThresholdEntry* head = IPPairGetStorageById(pair, ippair_threshold_id);
213  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
214  if (new_head != head) {
215  IPPairSetStorageById(pair, ippair_threshold_id, new_head);
216  }
217  return new_head == NULL;
218 }
219 
220 static DetectThresholdEntry *
221 DetectThresholdEntryAlloc(const DetectThresholdData *td, Packet *p,
222  uint32_t sid, uint32_t gid)
223 {
224  SCEnter();
225 
227  if (unlikely(ste == NULL)) {
228  SCReturnPtr(NULL, "DetectThresholdEntry");
229  }
230 
231  ste->sid = sid;
232  ste->gid = gid;
233  ste->track = td->track;
234  ste->seconds = td->seconds;
235 
236  SCReturnPtr(ste, "DetectThresholdEntry");
237 }
238 
239 static DetectThresholdEntry *ThresholdHostLookupEntry(Host *h,
240  uint32_t sid, uint32_t gid)
241 {
243 
244  for (e = HostGetStorageById(h, host_threshold_id); e != NULL; e = e->next) {
245  if (e->sid == sid && e->gid == gid)
246  break;
247  }
248 
249  return e;
250 }
251 
252 static DetectThresholdEntry *ThresholdIPPairLookupEntry(IPPair *pair,
253  uint32_t sid, uint32_t gid)
254 {
256 
257  for (e = IPPairGetStorageById(pair, ippair_threshold_id); e != NULL; e = e->next) {
258  if (e->sid == sid && e->gid == gid)
259  break;
260  }
261 
262  return e;
263 }
264 
265 static int ThresholdHandlePacketSuppress(Packet *p,
266  const DetectThresholdData *td, uint32_t sid, uint32_t gid)
267 {
268  int ret = 0;
269  DetectAddress *m = NULL;
270  switch (td->track) {
271  case TRACK_DST:
272  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
273  SCLogDebug("TRACK_DST");
274  break;
275  case TRACK_SRC:
276  m = DetectAddressLookupInHead(&td->addrs, &p->src);
277  SCLogDebug("TRACK_SRC");
278  break;
279  /* suppress if either src or dst is a match on the suppress
280  * address list */
281  case TRACK_EITHER:
282  m = DetectAddressLookupInHead(&td->addrs, &p->src);
283  if (m == NULL) {
284  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
285  }
286  break;
287  case TRACK_RULE:
288  default:
290  "track mode %d is not supported", td->track);
291  break;
292  }
293  if (m == NULL)
294  ret = 1;
295  else
296  ret = 2; /* suppressed but still need actions */
297 
298  return ret;
299 }
300 
301 static inline void RateFilterSetAction(Packet *p, PacketAlert *pa, uint8_t new_action)
302 {
303  switch (new_action) {
304  case TH_ACTION_ALERT:
305  PACKET_ALERT(p);
307  break;
308  case TH_ACTION_DROP:
309  PACKET_DROP(p);
311  break;
312  case TH_ACTION_REJECT:
313  PACKET_REJECT(p);
315  break;
316  case TH_ACTION_PASS:
317  PACKET_PASS(p);
319  break;
320  default:
321  /* Weird, leave the default action */
322  break;
323  }
324 }
325 
326 /**
327 * \brief Check if the entry reached threshold count limit
328 *
329 * \param lookup_tsh Current threshold entry
330 * \param td Threshold settings
331 * \param packet_time used to compare against previous detection and to set timeouts
332 *
333 * \retval int 1 if threshold reached for this entry
334 *
335 */
336 static int IsThresholdReached(DetectThresholdEntry* lookup_tsh, const DetectThresholdData *td, struct timeval packet_time)
337 {
338  int ret = 0;
339 
340  /* Check if we have a timeout enabled, if so,
341  * we still matching (and enabling the new_action) */
342  if (lookup_tsh->tv_timeout != 0) {
343  if ((packet_time.tv_sec - lookup_tsh->tv_timeout) > td->timeout) {
344  /* Ok, we are done, timeout reached */
345  lookup_tsh->tv_timeout = 0;
346  }
347  else {
348  /* Already matching */
349  ret = 1;
350  } /* else - if ((packet_time - lookup_tsh->tv_timeout) > td->timeout) */
351 
352  }
353  else {
354  /* Update the matching state with the timeout interval */
355  if (TIMEVAL_DIFF_SEC(packet_time, lookup_tsh->tv1) < td->seconds) {
356  lookup_tsh->current_count++;
357  if (lookup_tsh->current_count > td->count) {
358  /* Then we must enable the new action by setting a
359  * timeout */
360  lookup_tsh->tv_timeout = packet_time.tv_sec;
361  ret = 1;
362  }
363  }
364  else {
365  lookup_tsh->tv1 = packet_time;
366  lookup_tsh->current_count = 1;
367  }
368  } /* else - if (lookup_tsh->tv_timeout != 0) */
369 
370  return ret;
371 }
372 
373 static void AddEntryToHostStorage(Host *h, DetectThresholdEntry *e, struct timeval packet_time)
374 {
375  if (h && e) {
376  e->current_count = 1;
377  e->tv1 = packet_time;
378  e->tv_timeout = 0;
379  e->next = HostGetStorageById(h, host_threshold_id);
380  HostSetStorageById(h, host_threshold_id, e);
381  }
382 }
383 
384 static void AddEntryToIPPairStorage(IPPair *pair, DetectThresholdEntry *e, struct timeval packet_time)
385 {
386  if (pair && e) {
387  e->current_count = 1;
388  e->tv1 = packet_time;
389  e->tv_timeout = 0;
390  e->next = IPPairGetStorageById(pair, ippair_threshold_id);
391  IPPairSetStorageById(pair, ippair_threshold_id, e);
392  }
393 }
394 
395 /**
396  * \retval 2 silent match (no alert but apply actions)
397  * \retval 1 normal match
398  * \retval 0 no match
399  *
400  * If a new DetectThresholdEntry is generated to track the threshold
401  * for this rule, then it will be returned in new_tsh.
402  */
403 static int ThresholdHandlePacket(Packet *p, DetectThresholdEntry *lookup_tsh,
404  DetectThresholdEntry **new_tsh, const DetectThresholdData *td,
405  uint32_t sid, uint32_t gid, PacketAlert *pa)
406 {
407  int ret = 0;
408 
409  switch(td->type) {
410  case TYPE_LIMIT:
411  {
412  SCLogDebug("limit");
413 
414  if (lookup_tsh != NULL) {
415  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
416  lookup_tsh->current_count++;
417 
418  if (lookup_tsh->current_count <= td->count) {
419  ret = 1;
420  } else {
421  ret = 2;
422  }
423  } else {
424  lookup_tsh->tv1 = p->ts;
425  lookup_tsh->current_count = 1;
426 
427  ret = 1;
428  }
429  } else {
430  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
431 
432  ret = 1;
433  }
434  break;
435  }
436  case TYPE_THRESHOLD:
437  {
438  SCLogDebug("threshold");
439 
440  if (lookup_tsh != NULL) {
441  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
442  lookup_tsh->current_count++;
443 
444  if (lookup_tsh->current_count >= td->count) {
445  ret = 1;
446  lookup_tsh->current_count = 0;
447  }
448  } else {
449  lookup_tsh->tv1 = p->ts;
450  lookup_tsh->current_count = 1;
451  }
452  } else {
453  if (td->count == 1) {
454  ret = 1;
455  } else {
456  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
457  }
458  }
459  break;
460  }
461  case TYPE_BOTH:
462  {
463  SCLogDebug("both");
464 
465  if (lookup_tsh != NULL) {
466  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
467  /* within time limit */
468 
469  lookup_tsh->current_count++;
470  if (lookup_tsh->current_count == td->count) {
471  ret = 1;
472  } else if (lookup_tsh->current_count > td->count) {
473  /* silent match */
474  ret = 2;
475  }
476  } else {
477  /* expired, so reset */
478  lookup_tsh->tv1 = p->ts;
479  lookup_tsh->current_count = 1;
480 
481  /* if we have a limit of 1, this is a match */
482  if (lookup_tsh->current_count == td->count) {
483  ret = 1;
484  }
485  }
486  } else {
487  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
488 
489  /* for the first match we return 1 to
490  * indicate we should alert */
491  if (td->count == 1) {
492  ret = 1;
493  }
494  }
495  break;
496  }
497  /* detection_filter */
498  case TYPE_DETECTION:
499  {
500  SCLogDebug("detection_filter");
501 
502  if (lookup_tsh != NULL) {
503  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
504  /* within timeout */
505  lookup_tsh->current_count++;
506  if (lookup_tsh->current_count > td->count) {
507  ret = 1;
508  }
509  } else {
510  /* expired, reset */
511  lookup_tsh->tv1 = p->ts;
512  lookup_tsh->current_count = 1;
513  }
514  } else {
515  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
516  }
517  break;
518  }
519  /* rate_filter */
520  case TYPE_RATE:
521  {
522  SCLogDebug("rate_filter");
523  ret = 1;
524  if (lookup_tsh && IsThresholdReached(lookup_tsh, td, p->ts)) {
525  RateFilterSetAction(p, pa, td->new_action);
526  } else if (!lookup_tsh) {
527  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
528  }
529  break;
530  }
531  /* case TYPE_SUPPRESS: is not handled here */
532  default:
533  SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
534  }
535  return ret;
536 }
537 
538 static int ThresholdHandlePacketIPPair(IPPair *pair, Packet *p, const DetectThresholdData *td,
539  uint32_t sid, uint32_t gid, PacketAlert *pa)
540 {
541  int ret = 0;
542 
543  DetectThresholdEntry *lookup_tsh = ThresholdIPPairLookupEntry(pair, sid, gid);
544  SCLogDebug("ippair lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
545 
546  DetectThresholdEntry *new_tsh = NULL;
547  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, sid, gid, pa);
548  if (new_tsh != NULL) {
549  AddEntryToIPPairStorage(pair, new_tsh, p->ts);
550  }
551 
552  return ret;
553 }
554 
555 /**
556  * \retval 2 silent match (no alert but apply actions)
557  * \retval 1 normal match
558  * \retval 0 no match
559  */
560 static int ThresholdHandlePacketHost(Host *h, Packet *p, const DetectThresholdData *td,
561  uint32_t sid, uint32_t gid, PacketAlert *pa)
562 {
563  int ret = 0;
564  DetectThresholdEntry *lookup_tsh = ThresholdHostLookupEntry(h, sid, gid);
565  SCLogDebug("lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
566 
567  DetectThresholdEntry *new_tsh = NULL;
568  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, sid, gid, pa);
569  if (new_tsh != NULL) {
570  AddEntryToHostStorage(h, new_tsh, p->ts);
571  }
572  return ret;
573 }
574 
575 static int ThresholdHandlePacketRule(DetectEngineCtx *de_ctx, Packet *p,
576  const DetectThresholdData *td, const Signature *s, PacketAlert *pa)
577 {
578  int ret = 0;
579 
581  SCLogDebug("by_rule lookup_tsh %p num %u", lookup_tsh, s->num);
582 
583  DetectThresholdEntry *new_tsh = NULL;
584  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, s->id, s->gid, pa);
585  if (new_tsh != NULL) {
586  new_tsh->tv1 = p->ts;
587  new_tsh->current_count = 1;
588  new_tsh->tv_timeout = 0;
589  de_ctx->ths_ctx.th_entry[s->num] = new_tsh;
590  }
591 
592  return ret;
593 }
594 
595 /**
596  * \brief Make the threshold logic for signatures
597  *
598  * \param de_ctx Dectection Context
599  * \param tsh_ptr Threshold element
600  * \param p Packet structure
601  * \param s Signature structure
602  *
603  * \retval 2 silent match (no alert but apply actions)
604  * \retval 1 alert on this event
605  * \retval 0 do not alert on this event
606  */
608  const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
609 {
610  SCEnter();
611 
612  int ret = 0;
613  if (td == NULL) {
614  SCReturnInt(0);
615  }
616 
617  if (td->type == TYPE_SUPPRESS) {
618  ret = ThresholdHandlePacketSuppress(p,td,s->id,s->gid);
619  } else if (td->track == TRACK_SRC) {
621  if (src) {
622  ret = ThresholdHandlePacketHost(src,p,td,s->id,s->gid,pa);
623  HostRelease(src);
624  }
625  } else if (td->track == TRACK_DST) {
627  if (dst) {
628  ret = ThresholdHandlePacketHost(dst,p,td,s->id,s->gid,pa);
629  HostRelease(dst);
630  }
631  } else if (td->track == TRACK_BOTH) {
632  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
633  if (pair) {
634  ret = ThresholdHandlePacketIPPair(pair, p, td, s->id, s->gid, pa);
635  IPPairRelease(pair);
636  }
637  } else if (td->track == TRACK_RULE) {
639  ret = ThresholdHandlePacketRule(de_ctx,p,td,s,pa);
641  }
642 
643  SCReturnInt(ret);
644 }
645 
646 /**
647  * \brief Init threshold context hash tables
648  *
649  * \param de_ctx Dectection Context
650  *
651  */
653 {
654  if (SCMutexInit(&de_ctx->ths_ctx.threshold_table_lock, NULL) != 0) {
656  "Threshold: Failed to initialize hash table mutex.");
657  }
658 }
659 
660 /**
661  * \brief Realloc threshold context hash tables
662  *
663  * \param de_ctx Detection Context
664  */
666 {
667  /* Return if we are already big enough */
668  uint32_t num = de_ctx->signum + 1;
669  if (num <= de_ctx->ths_ctx.th_size)
670  return;
671 
672  void *ptmp = SCRealloc(de_ctx->ths_ctx.th_entry, num * sizeof(DetectThresholdEntry *));
673  if (ptmp == NULL) {
674  SCLogWarning(SC_ERR_MEM_ALLOC, "Error allocating memory for rule thresholds"
675  " (tried to allocate %"PRIu32" th_entrys for rule tracking)", num);
676  } else {
677  de_ctx->ths_ctx.th_entry = ptmp;
678  for (uint32_t i = de_ctx->ths_ctx.th_size; i < num; ++i) {
679  de_ctx->ths_ctx.th_entry[i] = NULL;
680  }
681  de_ctx->ths_ctx.th_size = num;
682  }
683 }
684 
685 /**
686  * \brief Destroy threshold context hash tables
687  *
688  * \param de_ctx Dectection Context
689  *
690  */
692 {
693  if (de_ctx->ths_ctx.th_entry != NULL)
696 }
697 
698 /**
699  * \brief this function will free all the entries of a list
700  * DetectTagDataEntry
701  *
702  * \param td pointer to DetectTagDataEntryList
703  */
704 void ThresholdListFree(void *ptr)
705 {
706  if (ptr != NULL) {
707  DetectThresholdEntry *entry = ptr;
708 
709  while (entry != NULL) {
710  DetectThresholdEntry *next_entry = entry->next;
711  SCFree(entry);
712  entry = next_entry;
713  }
714  }
715 }
716 
717 /**
718  * @}
719  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:42
DetectThresholdData_::timeout
uint32_t timeout
Definition: detect-threshold.h:63
ThresholdIPPairTimeoutCheck
int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
Definition: detect-engine-threshold.c:210
host.h
tm-threads.h
detect-content.h
ippair.h
detect-engine.h
host-storage.h
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
detect-engine-siggroup.h
IPPairRelease
void IPPairRelease(IPPair *h)
Definition: ippair.c:518
Signature_::num
SigIntId num
Definition: detect.h:538
ThresholdCtx_::threshold_table_lock
SCMutex threshold_table_lock
Definition: detect.h:713
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:139
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ThresholdHostStorageId
int ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:75
PACKET_REJECT
#define PACKET_REJECT(p)
Definition: decode.h:862
HostSetStorageById
int HostSetStorageById(Host *h, int id, void *ptr)
Store a pointer in a given Host storage.
Definition: host-storage.c:71
DetectThresholdData_::count
uint32_t count
Definition: detect-threshold.h:58
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:332
TIMEVAL_DIFF_SEC
#define TIMEVAL_DIFF_SEC(tv_new, tv_old)
compare two 'struct timeval' and return the difference in seconds
Definition: util-time.h:37
HostRelease
void HostRelease(Host *h)
Definition: host.c:474
util-hash.h
DetectThresholdEntry_::tv1
struct timeval tv1
Definition: detect-threshold.h:78
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:767
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:499
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:31
ThresholdCtx_::th_size
uint32_t th_size
Definition: detect.h:717
TIMEVAL_EARLIER
#define TIMEVAL_EARLIER(tv_first, tv_second)
compare two 'struct timeval' and return if the first is earlier than the second
Definition: util-time.h:43
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
util-var-name.h
DetectThresholdData_::new_action
uint8_t new_action
Definition: detect-threshold.h:62
DetectThresholdEntry_
Definition: detect-threshold.h:68
TH_ACTION_ALERT
#define TH_ACTION_ALERT
Definition: detect-threshold.h:45
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:581
m
SCMutex m
Definition: flow-hash.h:6
DetectThresholdEntry_::sid
uint32_t sid
Definition: detect-threshold.h:69
SigMatchData_
Data needed for Match()
Definition: detect.h:329
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:94
ThresholdHashInit
void ThresholdHashInit(DetectEngineCtx *de_ctx)
Init threshold context hash tables.
Definition: detect-engine-threshold.c:652
DetectAddressLookupInHead
DetectAddress * DetectAddressLookupInHead(const DetectAddressHead *gh, Address *a)
Find the group matching address in a group head.
Definition: detect-engine-address.c:1814
DetectThresholdEntry_::seconds
uint32_t seconds
Definition: detect-threshold.h:74
DetectThresholdData_::type
uint8_t type
Definition: detect-threshold.h:60
Signature_::gid
uint32_t gid
Definition: detect.h:562
HostGetStorageById
void * HostGetStorageById(Host *h, int id)
Get a value from a given Host storage.
Definition: host-storage.c:84
DetectThresholdEntry_::track
int track
Definition: detect-threshold.h:76
DetectThresholdEntry_::tv_timeout
uint32_t tv_timeout
Definition: detect-threshold.h:72
ThresholdIPPairHasThreshold
int ThresholdIPPairHasThreshold(IPPair *pair)
Definition: detect-engine-threshold.c:99
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:40
util-debug.h
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
TYPE_RATE
#define TYPE_RATE
Definition: detect-threshold.h:35
DetectEngineThreadCtx_
Definition: detect.h:1010
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, Packet *p, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:115
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:54
PACKET_PASS
#define PACKET_PASS(p)
Definition: decode.h:868
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
TH_ACTION_PASS
#define TH_ACTION_PASS
Definition: detect-threshold.h:47
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
PACKET_ALERT
#define PACKET_ALERT(p)
Definition: decode.h:856
SigMatchData_::type
uint8_t type
Definition: detect.h:330
detect-engine-port.h
util-time.h
IPPairGetIPPairFromHash
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:542
DetectEngineCtx_::ths_ctx
ThresholdCtx ths_ctx
Definition: detect.h:814
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:32
ThresholdCtx_::th_entry
DetectThresholdEntry ** th_entry
Definition: detect.h:716
Packet_
Definition: decode.h:414
TRACK_EITHER
#define TRACK_EITHER
Definition: detect-threshold.h:41
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
ThresholdHostTimeoutCheck
int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
Definition: detect-engine-threshold.c:199
ThresholdListFree
void ThresholdListFree(void *ptr)
this function will free all the entries of a list DetectTagDataEntry
Definition: detect-engine-threshold.c:704
PacketAlertThreshold
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:607
IPPairStorageRegister
int IPPairStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Definition: ippair-storage.c:61
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
HostStorageRegister
int HostStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Register a Host storage.
Definition: host-storage.c:59
DetectThresholdData_::track
uint8_t track
Definition: detect-threshold.h:61
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
PacketAlert_::flags
uint8_t flags
Definition: decode.h:278
IPPairGetStorageById
void * IPPairGetStorageById(IPPair *h, int id)
Definition: ippair-storage.c:35
DetectThresholdEntry_::current_count
uint32_t current_count
Definition: detect-threshold.h:75
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:294
TH_ACTION_REJECT
#define TH_ACTION_REJECT
Definition: detect-threshold.h:50
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:331
Packet_::ts
struct timeval ts
Definition: decode.h:457
suricata-common.h
DetectThresholdData_
Definition: detect-threshold.h:57
IPPair_
Definition: ippair.h:58
TYPE_SUPPRESS
#define TYPE_SUPPRESS
Definition: detect-threshold.h:36
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
TH_ACTION_DROP
#define TH_ACTION_DROP
Definition: detect-threshold.h:46
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
DetectThresholdEntry_::next
struct DetectThresholdEntry_ * next
Definition: detect-threshold.h:79
detect-engine-sigorder.h
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:33
DetectThresholdEntry_::gid
uint32_t gid
Definition: detect-threshold.h:70
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:97
head
Flow * head
Definition: flow-hash.h:1
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
SCFree
#define SCFree(p)
Definition: util-mem.h:61
PACKET_DROP
#define PACKET_DROP(p)
Definition: decode.h:860
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
Signature_::id
uint32_t id
Definition: detect.h:561
detect-engine-iponly.h
detect-parse.h
src
uint16_t src
Definition: app-layer-dnp3.h:5
Signature_
Signature container.
Definition: detect.h:528
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
Packet_::dst
Address dst
Definition: decode.h:419
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
PacketAlert_
Definition: decode.h:275
ThresholdHashRealloc
void ThresholdHashRealloc(DetectEngineCtx *de_ctx)
Realloc threshold context hash tables.
Definition: detect-engine-threshold.c:665
detect-uricontent.h
DetectThresholdData_::seconds
uint32_t seconds
Definition: detect-threshold.h:59
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
IPPairSetStorageById
int IPPairSetStorageById(IPPair *h, int id, void *ptr)
Definition: ippair-storage.c:40
flow.h
ThresholdContextDestroy
void ThresholdContextDestroy(DetectEngineCtx *de_ctx)
Destroy threshold context hash tables.
Definition: detect-engine-threshold.c:691
ippair-storage.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SCMutexDestroy
#define SCMutexDestroy
Definition: threads-debug.h:120
DetectEngineCtx_::signum
uint32_t signum
Definition: detect.h:786
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:80
detect-engine-address.h
Packet_::src
Address src
Definition: decode.h:418
debug.h
detect-engine-threshold.h
TYPE_DETECTION
#define TYPE_DETECTION
Definition: detect-threshold.h:34
DetectThresholdData_::addrs
DetectAddressHead addrs
Definition: detect-threshold.h:65