suricata
detect-engine-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup threshold Thresholding
20  *
21  * This feature is used to reduce the number of logged alerts for noisy rules.
22  * This can be tuned to significantly reduce false alarms, and it can also be
23  * used to write a newer breed of rules. Thresholding commands limit the number
24  * of times a particular event is logged during a specified time interval.
25  *
26  * @{
27  */
28 
29 /**
30  * \file
31  *
32  * \author Breno Silva <breno.silva@gmail.com>
33  * \author Victor Julien <victor@inliniac.net>
34  *
35  * Threshold part of the detection engine.
36  */
37 
38 #include "suricata-common.h"
39 #include "detect.h"
40 #include "flow.h"
41 
42 #include "host.h"
43 #include "host-storage.h"
44 
45 #include "ippair.h"
46 #include "ippair-storage.h"
47 
48 #include "detect-parse.h"
49 #include "detect-engine-sigorder.h"
50 
51 #include "detect-engine-siggroup.h"
52 #include "detect-engine-address.h"
53 #include "detect-engine-port.h"
54 #include "detect-engine-mpm.h"
55 #include "detect-engine-iponly.h"
56 
57 #include "detect-engine.h"
59 
60 #include "detect-content.h"
61 #include "detect-uricontent.h"
62 
63 #include "util-hash.h"
64 #include "util-time.h"
65 #include "util-error.h"
66 #include "util-debug.h"
67 
68 #include "util-var-name.h"
69 #include "tm-threads.h"
70 
71 static HostStorageId host_threshold_id = { .id = -1 }; /**< host storage id for thresholds */
72 static IPPairStorageId ippair_threshold_id = { .id = -1 }; /**< ip pair storage id for thresholds */
73 
75 {
76  return host_threshold_id;
77 }
78 
79 void ThresholdInit(void)
80 {
81  host_threshold_id = HostStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
82  if (host_threshold_id.id == -1) {
84  "Can't initiate host storage for thresholding");
85  }
86  ippair_threshold_id = IPPairStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
87  if (ippair_threshold_id.id == -1) {
89  "Can't initiate IP pair storage for thresholding");
90  }
91 }
92 
94 {
95  return HostGetStorageById(host, host_threshold_id) ? 1 : 0;
96 }
97 
99 {
100  return IPPairGetStorageById(pair, ippair_threshold_id) ? 1 : 0;
101 }
102 
103 /**
104  * \brief Return next DetectThresholdData for signature
105  *
106  * \param sig Signature pointer
107  * \param psm Pointer to a Signature Match pointer
108  * \param list List to return data from
109  *
110  * \retval tsh Return the threshold data from signature or NULL if not found
111  */
113  const Signature *sig, const SigMatchData **psm, int list)
114 {
115  const SigMatchData *smd = NULL;
116  const DetectThresholdData *tsh = NULL;
117 
118  if (sig == NULL)
119  return NULL;
120 
121  if (*psm == NULL) {
122  smd = sig->sm_arrays[list];
123  } else {
124  /* Iteration in progress, using provided value */
125  smd = *psm;
126  }
127 
128  while (1) {
129  if (smd->type == DETECT_THRESHOLD || smd->type == DETECT_DETECTION_FILTER) {
130  tsh = (DetectThresholdData *)smd->ctx;
131 
132  if (smd->is_last) {
133  *psm = NULL;
134  } else {
135  *psm = smd + 1;
136  }
137  return tsh;
138  }
139 
140  if (smd->is_last) {
141  break;
142  }
143  smd++;
144  }
145  *psm = NULL;
146  return NULL;
147 }
148 
149 /**
150  * \brief Remove timeout threshold hash elements
151  *
152  * \param head Current head element of storage
153  * \param tv Current time
154  *
155  * \retval DetectThresholdEntry Return new head element or NULL if all expired
156  *
157  */
158 
159 static DetectThresholdEntry* ThresholdTimeoutCheck(DetectThresholdEntry *head, struct timeval *tv)
160 {
161  DetectThresholdEntry *tmp = head;
162  DetectThresholdEntry *prev = NULL;
163  DetectThresholdEntry *new_head = head;
164 
165  while (tmp != NULL) {
166  /* check if the 'check' timestamp is not before the creation ts.
167  * This can happen due to the async nature of the host timeout
168  * code that also calls this code from a management thread. */
169  struct timeval entry = TimevalWithSeconds(&tmp->tv1, (time_t)tmp->seconds);
170  if (TimevalEarlier(tv, &entry)) {
171  prev = tmp;
172  tmp = tmp->next;
173  continue;
174  }
175 
176  /* timed out */
177 
178  DetectThresholdEntry *tde = tmp;
179  if (prev != NULL) {
180  prev->next = tmp->next;
181  }
182  else {
183  new_head = tmp->next;
184  }
185  tmp = tde->next;
186  SCFree(tde);
187  }
188 
189  return new_head;
190 }
191 
192 int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
193 {
194  DetectThresholdEntry* head = HostGetStorageById(host, host_threshold_id);
195  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
196  if (new_head != head) {
197  HostSetStorageById(host, host_threshold_id, new_head);
198  }
199  return new_head == NULL;
200 }
201 
202 
203 int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
204 {
205  DetectThresholdEntry* head = IPPairGetStorageById(pair, ippair_threshold_id);
206  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
207  if (new_head != head) {
208  IPPairSetStorageById(pair, ippair_threshold_id, new_head);
209  }
210  return new_head == NULL;
211 }
212 
213 static DetectThresholdEntry *
214 DetectThresholdEntryAlloc(const DetectThresholdData *td, Packet *p,
215  uint32_t sid, uint32_t gid)
216 {
217  SCEnter();
218 
220  if (unlikely(ste == NULL)) {
221  SCReturnPtr(NULL, "DetectThresholdEntry");
222  }
223 
224  ste->sid = sid;
225  ste->gid = gid;
226  ste->track = td->track;
227  ste->seconds = td->seconds;
228 
229  SCReturnPtr(ste, "DetectThresholdEntry");
230 }
231 
232 static DetectThresholdEntry *ThresholdHostLookupEntry(Host *h,
233  uint32_t sid, uint32_t gid)
234 {
236 
237  for (e = HostGetStorageById(h, host_threshold_id); e != NULL; e = e->next) {
238  if (e->sid == sid && e->gid == gid)
239  break;
240  }
241 
242  return e;
243 }
244 
245 static DetectThresholdEntry *ThresholdIPPairLookupEntry(IPPair *pair,
246  uint32_t sid, uint32_t gid)
247 {
249 
250  for (e = IPPairGetStorageById(pair, ippair_threshold_id); e != NULL; e = e->next) {
251  if (e->sid == sid && e->gid == gid)
252  break;
253  }
254 
255  return e;
256 }
257 
258 static int ThresholdHandlePacketSuppress(Packet *p,
259  const DetectThresholdData *td, uint32_t sid, uint32_t gid)
260 {
261  int ret = 0;
262  DetectAddress *m = NULL;
263  switch (td->track) {
264  case TRACK_DST:
265  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
266  SCLogDebug("TRACK_DST");
267  break;
268  case TRACK_SRC:
269  m = DetectAddressLookupInHead(&td->addrs, &p->src);
270  SCLogDebug("TRACK_SRC");
271  break;
272  /* suppress if either src or dst is a match on the suppress
273  * address list */
274  case TRACK_EITHER:
275  m = DetectAddressLookupInHead(&td->addrs, &p->src);
276  if (m == NULL) {
277  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
278  }
279  break;
280  case TRACK_RULE:
281  default:
283  "track mode %d is not supported", td->track);
284  break;
285  }
286  if (m == NULL)
287  ret = 1;
288  else
289  ret = 2; /* suppressed but still need actions */
290 
291  return ret;
292 }
293 
294 static inline void RateFilterSetAction(Packet *p, PacketAlert *pa, uint8_t new_action)
295 {
296  switch (new_action) {
297  case TH_ACTION_ALERT:
298  PACKET_ALERT(p);
300  break;
301  case TH_ACTION_DROP:
304  break;
305  case TH_ACTION_REJECT:
308  break;
309  case TH_ACTION_PASS:
310  PacketPass(p);
312  break;
313  default:
314  /* Weird, leave the default action */
315  break;
316  }
317 }
318 
319 /**
320 * \brief Check if the entry reached threshold count limit
321 *
322 * \param lookup_tsh Current threshold entry
323 * \param td Threshold settings
324 * \param packet_time used to compare against previous detection and to set timeouts
325 *
326 * \retval int 1 if threshold reached for this entry
327 *
328 */
329 static int IsThresholdReached(DetectThresholdEntry* lookup_tsh, const DetectThresholdData *td, struct timeval packet_time)
330 {
331  int ret = 0;
332 
333  /* Check if we have a timeout enabled, if so,
334  * we still matching (and enabling the new_action) */
335  if (lookup_tsh->tv_timeout != 0) {
336  if ((packet_time.tv_sec - lookup_tsh->tv_timeout) > td->timeout) {
337  /* Ok, we are done, timeout reached */
338  lookup_tsh->tv_timeout = 0;
339  }
340  else {
341  /* Already matching */
342  ret = 1;
343  } /* else - if ((packet_time - lookup_tsh->tv_timeout) > td->timeout) */
344 
345  }
346  else {
347  /* Update the matching state with the timeout interval */
348  struct timeval entry = TimevalWithSeconds(&lookup_tsh->tv1, (time_t)td->seconds);
349  if (TimevalEarlier(&packet_time, &entry)) {
350  lookup_tsh->current_count++;
351  if (lookup_tsh->current_count > td->count) {
352  /* Then we must enable the new action by setting a
353  * timeout */
354  lookup_tsh->tv_timeout = packet_time.tv_sec;
355  ret = 1;
356  }
357  } else {
358  lookup_tsh->tv1 = packet_time;
359  lookup_tsh->current_count = 1;
360  }
361  } /* else - if (lookup_tsh->tv_timeout != 0) */
362 
363  return ret;
364 }
365 
366 static void AddEntryToHostStorage(Host *h, DetectThresholdEntry *e, struct timeval packet_time)
367 {
368  if (h && e) {
369  e->current_count = 1;
370  e->tv1 = packet_time;
371  e->tv_timeout = 0;
372  e->next = HostGetStorageById(h, host_threshold_id);
373  HostSetStorageById(h, host_threshold_id, e);
374  }
375 }
376 
377 static void AddEntryToIPPairStorage(IPPair *pair, DetectThresholdEntry *e, struct timeval packet_time)
378 {
379  if (pair && e) {
380  e->current_count = 1;
381  e->tv1 = packet_time;
382  e->tv_timeout = 0;
383  e->next = IPPairGetStorageById(pair, ippair_threshold_id);
384  IPPairSetStorageById(pair, ippair_threshold_id, e);
385  }
386 }
387 
388 /**
389  * \retval 2 silent match (no alert but apply actions)
390  * \retval 1 normal match
391  * \retval 0 no match
392  *
393  * If a new DetectThresholdEntry is generated to track the threshold
394  * for this rule, then it will be returned in new_tsh.
395  */
396 static int ThresholdHandlePacket(Packet *p, DetectThresholdEntry *lookup_tsh,
397  DetectThresholdEntry **new_tsh, const DetectThresholdData *td,
398  uint32_t sid, uint32_t gid, PacketAlert *pa)
399 {
400  int ret = 0;
401 
402  switch(td->type) {
403  case TYPE_LIMIT:
404  {
405  SCLogDebug("limit");
406 
407  if (lookup_tsh != NULL) {
408  struct timeval entry = TimevalWithSeconds(&lookup_tsh->tv1, (time_t)td->seconds);
409  if (TimevalEarlier(&p->ts, &entry)) {
410  lookup_tsh->current_count++;
411 
412  if (lookup_tsh->current_count <= td->count) {
413  ret = 1;
414  } else {
415  ret = 2;
416  }
417  } else {
418  lookup_tsh->tv1 = p->ts;
419  lookup_tsh->current_count = 1;
420 
421  ret = 1;
422  }
423  } else {
424  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
425 
426  ret = 1;
427  }
428  break;
429  }
430  case TYPE_THRESHOLD:
431  {
432  SCLogDebug("threshold");
433 
434  if (lookup_tsh != NULL) {
435  struct timeval entry = TimevalWithSeconds(&lookup_tsh->tv1, (time_t)td->seconds);
436  if (TimevalEarlier(&p->ts, &entry)) {
437  lookup_tsh->current_count++;
438 
439  if (lookup_tsh->current_count >= td->count) {
440  ret = 1;
441  lookup_tsh->current_count = 0;
442  }
443  } else {
444  lookup_tsh->tv1 = p->ts;
445  lookup_tsh->current_count = 1;
446  }
447  } else {
448  if (td->count == 1) {
449  ret = 1;
450  } else {
451  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
452  }
453  }
454  break;
455  }
456  case TYPE_BOTH:
457  {
458  SCLogDebug("both");
459 
460  if (lookup_tsh != NULL) {
461  struct timeval entry = TimevalWithSeconds(&lookup_tsh->tv1, (time_t)td->seconds);
462  if (TimevalEarlier(&p->ts, &entry)) {
463  /* within time limit */
464 
465  lookup_tsh->current_count++;
466  if (lookup_tsh->current_count == td->count) {
467  ret = 1;
468  } else if (lookup_tsh->current_count > td->count) {
469  /* silent match */
470  ret = 2;
471  }
472  } else {
473  /* expired, so reset */
474  lookup_tsh->tv1 = p->ts;
475  lookup_tsh->current_count = 1;
476 
477  /* if we have a limit of 1, this is a match */
478  if (lookup_tsh->current_count == td->count) {
479  ret = 1;
480  }
481  }
482  } else {
483  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
484 
485  /* for the first match we return 1 to
486  * indicate we should alert */
487  if (td->count == 1) {
488  ret = 1;
489  }
490  }
491  break;
492  }
493  /* detection_filter */
494  case TYPE_DETECTION:
495  {
496  SCLogDebug("detection_filter");
497 
498  if (lookup_tsh != NULL) {
499  struct timeval entry = TimevalWithSeconds(&lookup_tsh->tv1, (time_t)td->seconds);
500  if (TimevalEarlier(&p->ts, &entry)) {
501  /* within timeout */
502  lookup_tsh->current_count++;
503  if (lookup_tsh->current_count > td->count) {
504  ret = 1;
505  }
506  } else {
507  /* expired, reset */
508  lookup_tsh->tv1 = p->ts;
509  lookup_tsh->current_count = 1;
510  }
511  } else {
512  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
513  }
514  break;
515  }
516  /* rate_filter */
517  case TYPE_RATE:
518  {
519  SCLogDebug("rate_filter");
520  ret = 1;
521  if (lookup_tsh && IsThresholdReached(lookup_tsh, td, p->ts)) {
522  RateFilterSetAction(p, pa, td->new_action);
523  } else if (!lookup_tsh) {
524  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
525  }
526  break;
527  }
528  /* case TYPE_SUPPRESS: is not handled here */
529  default:
530  SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
531  }
532  return ret;
533 }
534 
535 static int ThresholdHandlePacketIPPair(IPPair *pair, Packet *p, const DetectThresholdData *td,
536  uint32_t sid, uint32_t gid, PacketAlert *pa)
537 {
538  int ret = 0;
539 
540  DetectThresholdEntry *lookup_tsh = ThresholdIPPairLookupEntry(pair, sid, gid);
541  SCLogDebug("ippair lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
542 
543  DetectThresholdEntry *new_tsh = NULL;
544  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, sid, gid, pa);
545  if (new_tsh != NULL) {
546  AddEntryToIPPairStorage(pair, new_tsh, p->ts);
547  }
548 
549  return ret;
550 }
551 
552 /**
553  * \retval 2 silent match (no alert but apply actions)
554  * \retval 1 normal match
555  * \retval 0 no match
556  */
557 static int ThresholdHandlePacketHost(Host *h, Packet *p, const DetectThresholdData *td,
558  uint32_t sid, uint32_t gid, PacketAlert *pa)
559 {
560  int ret = 0;
561  DetectThresholdEntry *lookup_tsh = ThresholdHostLookupEntry(h, sid, gid);
562  SCLogDebug("lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
563 
564  DetectThresholdEntry *new_tsh = NULL;
565  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, sid, gid, pa);
566  if (new_tsh != NULL) {
567  AddEntryToHostStorage(h, new_tsh, p->ts);
568  }
569  return ret;
570 }
571 
572 static int ThresholdHandlePacketRule(DetectEngineCtx *de_ctx, Packet *p,
573  const DetectThresholdData *td, const Signature *s, PacketAlert *pa)
574 {
575  int ret = 0;
576 
578  SCLogDebug("by_rule lookup_tsh %p num %u", lookup_tsh, s->num);
579 
580  DetectThresholdEntry *new_tsh = NULL;
581  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, s->id, s->gid, pa);
582  if (new_tsh != NULL) {
583  new_tsh->tv1 = p->ts;
584  new_tsh->current_count = 1;
585  new_tsh->tv_timeout = 0;
586  de_ctx->ths_ctx.th_entry[s->num] = new_tsh;
587  }
588 
589  return ret;
590 }
591 
592 /**
593  * \brief Make the threshold logic for signatures
594  *
595  * \param de_ctx Dectection Context
596  * \param tsh_ptr Threshold element
597  * \param p Packet structure
598  * \param s Signature structure
599  *
600  * \retval 2 silent match (no alert but apply actions)
601  * \retval 1 alert on this event
602  * \retval 0 do not alert on this event
603  */
605  const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
606 {
607  SCEnter();
608 
609  int ret = 0;
610  if (td == NULL) {
611  SCReturnInt(0);
612  }
613 
614  if (td->type == TYPE_SUPPRESS) {
615  ret = ThresholdHandlePacketSuppress(p,td,s->id,s->gid);
616  } else if (td->track == TRACK_SRC) {
618  if (src) {
619  ret = ThresholdHandlePacketHost(src,p,td,s->id,s->gid,pa);
620  HostRelease(src);
621  }
622  } else if (td->track == TRACK_DST) {
624  if (dst) {
625  ret = ThresholdHandlePacketHost(dst,p,td,s->id,s->gid,pa);
626  HostRelease(dst);
627  }
628  } else if (td->track == TRACK_BOTH) {
629  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
630  if (pair) {
631  ret = ThresholdHandlePacketIPPair(pair, p, td, s->id, s->gid, pa);
632  IPPairRelease(pair);
633  }
634  } else if (td->track == TRACK_RULE) {
636  ret = ThresholdHandlePacketRule(de_ctx,p,td,s,pa);
638  }
639 
640  SCReturnInt(ret);
641 }
642 
643 /**
644  * \brief Init threshold context hash tables
645  *
646  * \param de_ctx Dectection Context
647  *
648  */
650 {
651  if (SCMutexInit(&de_ctx->ths_ctx.threshold_table_lock, NULL) != 0) {
653  "Threshold: Failed to initialize hash table mutex.");
654  }
655 }
656 
657 /**
658  * \brief Allocate threshold context hash tables
659  *
660  * \param de_ctx Detection Context
661  */
663 {
664  Signature *s = de_ctx->sig_list;
665  bool has_by_rule_tracking = false;
666  const DetectThresholdData *td = NULL;
667  const SigMatchData *smd;
668 
669  /* Find the signature with the highest signature number that is using
670  thresholding with by_rule tracking. */
671  uint32_t highest_signum = 0;
672  while (s != NULL) {
673  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
674  smd = NULL;
675  do {
677  if (td == NULL) {
678  continue;
679  }
680  if (td->track != TRACK_RULE) {
681  continue;
682  }
683  if (s->num >= highest_signum) {
684  highest_signum = s->num;
685  has_by_rule_tracking = true;
686  }
687  } while (smd != NULL);
688  }
689 
690  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
691  smd = NULL;
692  do {
694  if (td == NULL) {
695  continue;
696  }
697  if (td->track != TRACK_RULE) {
698  continue;
699  }
700  if (s->num >= highest_signum) {
701  highest_signum = s->num;
702  has_by_rule_tracking = true;
703  }
704  } while (smd != NULL);
705  }
706 
707  s = s->next;
708  }
709 
710  /* Skip allocating if by_rule tracking is not used */
711  if (has_by_rule_tracking == false) {
712  return;
713  }
714 
715  de_ctx->ths_ctx.th_size = highest_signum + 1;
717  if (de_ctx->ths_ctx.th_entry == NULL) {
719  "Error allocating memory for rule "
720  "thresholds (tried to allocate %" PRIu32 " th_entrys for "
721  "rule tracking)",
723  }
724 }
725 
726 /**
727  * \brief Destroy threshold context hash tables
728  *
729  * \param de_ctx Dectection Context
730  *
731  */
733 {
734  if (de_ctx->ths_ctx.th_entry != NULL) {
735  for (uint32_t i = 0; i < de_ctx->ths_ctx.th_size; i++) {
736  if (de_ctx->ths_ctx.th_entry[i] != NULL) {
738  }
739  }
741  }
743 }
744 
745 /**
746  * \brief this function will free all the entries of a list
747  * DetectTagDataEntry
748  *
749  * \param td pointer to DetectTagDataEntryList
750  */
751 void ThresholdListFree(void *ptr)
752 {
753  if (ptr != NULL) {
754  DetectThresholdEntry *entry = ptr;
755 
756  while (entry != NULL) {
757  DetectThresholdEntry *next_entry = entry->next;
758  SCFree(entry);
759  entry = next_entry;
760  }
761  }
762 }
763 
764 /**
765  * @}
766  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:39
DetectThresholdData_::timeout
uint32_t timeout
Definition: detect-threshold.h:60
ThresholdIPPairTimeoutCheck
int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
Definition: detect-engine-threshold.c:203
IPPairStorageRegister
IPPairStorageId IPPairStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Definition: ippair-storage.c:61
host.h
tm-threads.h
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:408
detect-content.h
ippair.h
detect-engine.h
host-storage.h
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
detect-engine-siggroup.h
IPPairRelease
void IPPairRelease(IPPair *h)
Definition: ippair.c:521
Signature_::num
SigIntId num
Definition: detect.h:551
ThresholdCtx_::threshold_table_lock
SCMutex threshold_table_lock
Definition: detect.h:731
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:130
HostStorageRegister
HostStorageId HostStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Register a Host storage.
Definition: host-storage.c:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:296
ThresholdHashAllocate
void ThresholdHashAllocate(DetectEngineCtx *de_ctx)
Allocate threshold context hash tables.
Definition: detect-engine-threshold.c:662
DetectThresholdData_::count
uint32_t count
Definition: detect-threshold.h:55
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:326
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:95
HostRelease
void HostRelease(Host *h)
Definition: host.c:477
util-hash.h
DetectThresholdEntry_::tv1
struct timeval tv1
Definition: detect-threshold.h:75
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:785
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:502
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:28
ThresholdCtx_::th_size
uint32_t th_size
Definition: detect.h:735
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
util-var-name.h
HostGetStorageById
void * HostGetStorageById(Host *h, HostStorageId id)
Get a value from a given Host storage.
Definition: host-storage.c:88
DetectThresholdData_::new_action
uint8_t new_action
Definition: detect-threshold.h:59
DetectThresholdEntry_
Definition: detect-threshold.h:65
TH_ACTION_ALERT
#define TH_ACTION_ALERT
Definition: detect-threshold.h:42
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:595
m
SCMutex m
Definition: flow-hash.h:6
IPPairSetStorageById
int IPPairSetStorageById(IPPair *h, IPPairStorageId id, void *ptr)
Definition: ippair-storage.c:40
DetectThresholdEntry_::sid
uint32_t sid
Definition: detect-threshold.h:66
SigMatchData_
Data needed for Match()
Definition: detect.h:323
IPPairStorageId::id
int id
Definition: ippair-storage.h:32
SigMatchData_::type
uint16_t type
Definition: detect.h:324
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:93
ThresholdHashInit
void ThresholdHashInit(DetectEngineCtx *de_ctx)
Init threshold context hash tables.
Definition: detect-engine-threshold.c:649
DetectAddressLookupInHead
DetectAddress * DetectAddressLookupInHead(const DetectAddressHead *gh, Address *a)
Find the group matching address in a group head.
Definition: detect-engine-address.c:1816
DetectThresholdEntry_::seconds
uint32_t seconds
Definition: detect-threshold.h:71
DetectThresholdData_::type
uint8_t type
Definition: detect-threshold.h:57
Signature_::gid
uint32_t gid
Definition: detect.h:575
Signature_::next
struct Signature_ * next
Definition: detect.h:614
DetectThresholdEntry_::track
int track
Definition: detect-threshold.h:73
DetectThresholdEntry_::tv_timeout
uint32_t tv_timeout
Definition: detect-threshold.h:69
ThresholdIPPairHasThreshold
int ThresholdIPPairHasThreshold(IPPair *pair)
Definition: detect-engine-threshold.c:98
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:37
util-debug.h
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
TYPE_RATE
#define TYPE_RATE
Definition: detect-threshold.h:32
DetectEngineThreadCtx_
Definition: detect.h:1034
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:55
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
TH_ACTION_PASS
#define TH_ACTION_PASS
Definition: detect-threshold.h:44
SCEnter
#define SCEnter(...)
Definition: util-debug.h:298
detect-engine-mpm.h
detect.h
PACKET_ALERT
#define PACKET_ALERT(p)
Definition: decode.h:912
detect-engine-port.h
util-time.h
IPPairGetIPPairFromHash
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:545
DetectEngineCtx_::ths_ctx
ThresholdCtx ths_ctx
Definition: detect.h:833
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:29
ThresholdCtx_::th_entry
DetectThresholdEntry ** th_entry
Definition: detect.h:734
ThresholdHostStorageId
HostStorageId ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:74
Packet_
Definition: decode.h:434
TRACK_EITHER
#define TRACK_EITHER
Definition: detect-threshold.h:38
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:314
ThresholdHostTimeoutCheck
int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
Definition: detect-engine-threshold.c:192
ThresholdListFree
void ThresholdListFree(void *ptr)
this function will free all the entries of a list DetectTagDataEntry
Definition: detect-engine-threshold.c:751
PacketAlertThreshold
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:604
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
DetectThresholdData_::track
uint8_t track
Definition: detect-threshold.h:58
PacketAlert_::flags
uint8_t flags
Definition: decode.h:274
DetectThresholdEntry_::current_count
uint32_t current_count
Definition: detect-threshold.h:72
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:289
TH_ACTION_REJECT
#define TH_ACTION_REJECT
Definition: detect-threshold.h:47
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:325
Packet_::ts
struct timeval ts
Definition: decode.h:477
suricata-common.h
DetectThresholdData_
Definition: detect-threshold.h:54
IPPair_
Definition: ippair.h:58
TYPE_SUPPRESS
#define TYPE_SUPPRESS
Definition: detect-threshold.h:33
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:255
TH_ACTION_DROP
#define TH_ACTION_DROP
Definition: detect-threshold.h:43
FatalError
#define FatalError(x,...)
Definition: util-debug.h:530
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:791
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:31
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:112
IPPairGetStorageById
void * IPPairGetStorageById(IPPair *h, IPPairStorageId id)
Definition: ippair-storage.c:35
DetectThresholdEntry_::next
struct DetectThresholdEntry_ * next
Definition: detect-threshold.h:76
detect-engine-sigorder.h
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:30
DetectThresholdEntry_::gid
uint32_t gid
Definition: detect-threshold.h:67
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:98
HostStorageId_
Definition: host-storage.h:31
head
Flow * head
Definition: flow-hash.h:1
HostStorageId_::id
int id
Definition: host-storage.h:32
SCFree
#define SCFree(p)
Definition: util-mem.h:61
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
Signature_::id
uint32_t id
Definition: detect.h:574
detect-engine-iponly.h
detect-parse.h
src
uint16_t src
Definition: app-layer-dnp3.h:5
Signature_
Signature container.
Definition: detect.h:540
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
Packet_::dst
Address dst
Definition: decode.h:439
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
PacketAlert_
Definition: decode.h:271
detect-uricontent.h
DetectThresholdData_::seconds
uint32_t seconds
Definition: detect-threshold.h:56
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
flow.h
ThresholdContextDestroy
void ThresholdContextDestroy(DetectEngineCtx *de_ctx)
Destroy threshold context hash tables.
Definition: detect-engine-threshold.c:732
ippair-storage.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:302
SCMutexDestroy
#define SCMutexDestroy
Definition: threads-debug.h:120
IPPairStorageId
Definition: ippair-storage.h:31
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:79
HostSetStorageById
int HostSetStorageById(Host *h, HostStorageId id, void *ptr)
Store a pointer in a given Host storage.
Definition: host-storage.c:75
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:94
detect-engine-address.h
Packet_::src
Address src
Definition: decode.h:438
detect-engine-threshold.h
TYPE_DETECTION
#define TYPE_DETECTION
Definition: detect-threshold.h:31
DetectThresholdData_::addrs
DetectAddressHead addrs
Definition: detect-threshold.h:62