suricata
detect-engine-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup threshold Thresholding
20  *
21  * This feature is used to reduce the number of logged alerts for noisy rules.
22  * This can be tuned to significantly reduce false alarms, and it can also be
23  * used to write a newer breed of rules. Thresholding commands limit the number
24  * of times a particular event is logged during a specified time interval.
25  *
26  * @{
27  */
28 
29 /**
30  * \file
31  *
32  * \author Breno Silva <breno.silva@gmail.com>
33  * \author Victor Julien <victor@inliniac.net>
34  *
35  * Threshold part of the detection engine.
36  */
37 
38 #include "suricata-common.h"
39 #include "debug.h"
40 #include "detect.h"
41 #include "flow.h"
42 
43 #include "host.h"
44 #include "host-storage.h"
45 
46 #include "ippair.h"
47 #include "ippair-storage.h"
48 
49 #include "detect-parse.h"
50 #include "detect-engine-sigorder.h"
51 
52 #include "detect-engine-siggroup.h"
53 #include "detect-engine-address.h"
54 #include "detect-engine-port.h"
55 #include "detect-engine-mpm.h"
56 #include "detect-engine-iponly.h"
57 
58 #include "detect-engine.h"
60 
61 #include "detect-content.h"
62 #include "detect-uricontent.h"
63 
64 #include "util-hash.h"
65 #include "util-time.h"
66 #include "util-error.h"
67 #include "util-debug.h"
68 
69 #include "util-var-name.h"
70 #include "tm-threads.h"
71 
72 static HostStorageId host_threshold_id = { .id = -1 }; /**< host storage id for thresholds */
73 static IPPairStorageId ippair_threshold_id = { .id = -1 }; /**< ip pair storage id for thresholds */
74 
76 {
77  return host_threshold_id;
78 }
79 
80 void ThresholdInit(void)
81 {
82  host_threshold_id = HostStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
83  if (host_threshold_id.id == -1) {
85  "Can't initiate host storage for thresholding");
86  }
87  ippair_threshold_id = IPPairStorageRegister("threshold", sizeof(void *), NULL, ThresholdListFree);
88  if (ippair_threshold_id.id == -1) {
90  "Can't initiate IP pair storage for thresholding");
91  }
92 }
93 
95 {
96  return HostGetStorageById(host, host_threshold_id) ? 1 : 0;
97 }
98 
100 {
101  return IPPairGetStorageById(pair, ippair_threshold_id) ? 1 : 0;
102 }
103 
104 /**
105  * \brief Return next DetectThresholdData for signature
106  *
107  * \param sig Signature pointer
108  * \param psm Pointer to a Signature Match pointer
109  * \param list List to return data from
110  *
111  * \retval tsh Return the threshold data from signature or NULL if not found
112  */
114  const Signature *sig, const SigMatchData **psm, int list)
115 {
116  const SigMatchData *smd = NULL;
117  const DetectThresholdData *tsh = NULL;
118 
119  if (sig == NULL)
120  return NULL;
121 
122  if (*psm == NULL) {
123  smd = sig->sm_arrays[list];
124  } else {
125  /* Iteration in progress, using provided value */
126  smd = *psm;
127  }
128 
129  while (1) {
130  if (smd->type == DETECT_THRESHOLD || smd->type == DETECT_DETECTION_FILTER) {
131  tsh = (DetectThresholdData *)smd->ctx;
132 
133  if (smd->is_last) {
134  *psm = NULL;
135  } else {
136  *psm = smd + 1;
137  }
138  return tsh;
139  }
140 
141  if (smd->is_last) {
142  break;
143  }
144  smd++;
145  }
146  *psm = NULL;
147  return NULL;
148 }
149 
150 /**
151  * \brief Remove timeout threshold hash elements
152  *
153  * \param head Current head element of storage
154  * \param tv Current time
155  *
156  * \retval DetectThresholdEntry Return new head element or NULL if all expired
157  *
158  */
159 
160 static DetectThresholdEntry* ThresholdTimeoutCheck(DetectThresholdEntry *head, struct timeval *tv)
161 {
162  DetectThresholdEntry *tmp = head;
163  DetectThresholdEntry *prev = NULL;
164  DetectThresholdEntry *new_head = head;
165 
166  while (tmp != NULL) {
167  /* check if the 'check' timestamp is not before the creation ts.
168  * This can happen due to the async nature of the host timeout
169  * code that also calls this code from a management thread. */
170  if (TIMEVAL_EARLIER(*tv, tmp->tv1) || TIMEVAL_DIFF_SEC(*tv, tmp->tv1) <= tmp->seconds) {
171  prev = tmp;
172  tmp = tmp->next;
173  continue;
174  }
175 
176  /* timed out */
177 
178  DetectThresholdEntry *tde = tmp;
179  if (prev != NULL) {
180  prev->next = tmp->next;
181  }
182  else {
183  new_head = tmp->next;
184  }
185  tmp = tde->next;
186  SCFree(tde);
187  }
188 
189  return new_head;
190 }
191 
192 int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
193 {
194  DetectThresholdEntry* head = HostGetStorageById(host, host_threshold_id);
195  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
196  if (new_head != head) {
197  HostSetStorageById(host, host_threshold_id, new_head);
198  }
199  return new_head == NULL;
200 }
201 
202 
203 int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
204 {
205  DetectThresholdEntry* head = IPPairGetStorageById(pair, ippair_threshold_id);
206  DetectThresholdEntry* new_head = ThresholdTimeoutCheck(head, tv);
207  if (new_head != head) {
208  IPPairSetStorageById(pair, ippair_threshold_id, new_head);
209  }
210  return new_head == NULL;
211 }
212 
213 static DetectThresholdEntry *
214 DetectThresholdEntryAlloc(const DetectThresholdData *td, Packet *p,
215  uint32_t sid, uint32_t gid)
216 {
217  SCEnter();
218 
220  if (unlikely(ste == NULL)) {
221  SCReturnPtr(NULL, "DetectThresholdEntry");
222  }
223 
224  ste->sid = sid;
225  ste->gid = gid;
226  ste->track = td->track;
227  ste->seconds = td->seconds;
228 
229  SCReturnPtr(ste, "DetectThresholdEntry");
230 }
231 
232 static DetectThresholdEntry *ThresholdHostLookupEntry(Host *h,
233  uint32_t sid, uint32_t gid)
234 {
236 
237  for (e = HostGetStorageById(h, host_threshold_id); e != NULL; e = e->next) {
238  if (e->sid == sid && e->gid == gid)
239  break;
240  }
241 
242  return e;
243 }
244 
245 static DetectThresholdEntry *ThresholdIPPairLookupEntry(IPPair *pair,
246  uint32_t sid, uint32_t gid)
247 {
249 
250  for (e = IPPairGetStorageById(pair, ippair_threshold_id); e != NULL; e = e->next) {
251  if (e->sid == sid && e->gid == gid)
252  break;
253  }
254 
255  return e;
256 }
257 
258 static int ThresholdHandlePacketSuppress(Packet *p,
259  const DetectThresholdData *td, uint32_t sid, uint32_t gid)
260 {
261  int ret = 0;
262  DetectAddress *m = NULL;
263  switch (td->track) {
264  case TRACK_DST:
265  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
266  SCLogDebug("TRACK_DST");
267  break;
268  case TRACK_SRC:
269  m = DetectAddressLookupInHead(&td->addrs, &p->src);
270  SCLogDebug("TRACK_SRC");
271  break;
272  /* suppress if either src or dst is a match on the suppress
273  * address list */
274  case TRACK_EITHER:
275  m = DetectAddressLookupInHead(&td->addrs, &p->src);
276  if (m == NULL) {
277  m = DetectAddressLookupInHead(&td->addrs, &p->dst);
278  }
279  break;
280  case TRACK_RULE:
281  default:
283  "track mode %d is not supported", td->track);
284  break;
285  }
286  if (m == NULL)
287  ret = 1;
288  else
289  ret = 2; /* suppressed but still need actions */
290 
291  return ret;
292 }
293 
294 static inline void RateFilterSetAction(Packet *p, PacketAlert *pa, uint8_t new_action)
295 {
296  switch (new_action) {
297  case TH_ACTION_ALERT:
298  PACKET_ALERT(p);
300  break;
301  case TH_ACTION_DROP:
302  PACKET_DROP(p);
304  break;
305  case TH_ACTION_REJECT:
306  PACKET_REJECT(p);
308  break;
309  case TH_ACTION_PASS:
310  PACKET_PASS(p);
312  break;
313  default:
314  /* Weird, leave the default action */
315  break;
316  }
317 }
318 
319 /**
320 * \brief Check if the entry reached threshold count limit
321 *
322 * \param lookup_tsh Current threshold entry
323 * \param td Threshold settings
324 * \param packet_time used to compare against previous detection and to set timeouts
325 *
326 * \retval int 1 if threshold reached for this entry
327 *
328 */
329 static int IsThresholdReached(DetectThresholdEntry* lookup_tsh, const DetectThresholdData *td, struct timeval packet_time)
330 {
331  int ret = 0;
332 
333  /* Check if we have a timeout enabled, if so,
334  * we still matching (and enabling the new_action) */
335  if (lookup_tsh->tv_timeout != 0) {
336  if ((packet_time.tv_sec - lookup_tsh->tv_timeout) > td->timeout) {
337  /* Ok, we are done, timeout reached */
338  lookup_tsh->tv_timeout = 0;
339  }
340  else {
341  /* Already matching */
342  ret = 1;
343  } /* else - if ((packet_time - lookup_tsh->tv_timeout) > td->timeout) */
344 
345  }
346  else {
347  /* Update the matching state with the timeout interval */
348  if (TIMEVAL_DIFF_SEC(packet_time, lookup_tsh->tv1) < td->seconds) {
349  lookup_tsh->current_count++;
350  if (lookup_tsh->current_count > td->count) {
351  /* Then we must enable the new action by setting a
352  * timeout */
353  lookup_tsh->tv_timeout = packet_time.tv_sec;
354  ret = 1;
355  }
356  }
357  else {
358  lookup_tsh->tv1 = packet_time;
359  lookup_tsh->current_count = 1;
360  }
361  } /* else - if (lookup_tsh->tv_timeout != 0) */
362 
363  return ret;
364 }
365 
366 static void AddEntryToHostStorage(Host *h, DetectThresholdEntry *e, struct timeval packet_time)
367 {
368  if (h && e) {
369  e->current_count = 1;
370  e->tv1 = packet_time;
371  e->tv_timeout = 0;
372  e->next = HostGetStorageById(h, host_threshold_id);
373  HostSetStorageById(h, host_threshold_id, e);
374  }
375 }
376 
377 static void AddEntryToIPPairStorage(IPPair *pair, DetectThresholdEntry *e, struct timeval packet_time)
378 {
379  if (pair && e) {
380  e->current_count = 1;
381  e->tv1 = packet_time;
382  e->tv_timeout = 0;
383  e->next = IPPairGetStorageById(pair, ippair_threshold_id);
384  IPPairSetStorageById(pair, ippair_threshold_id, e);
385  }
386 }
387 
388 /**
389  * \retval 2 silent match (no alert but apply actions)
390  * \retval 1 normal match
391  * \retval 0 no match
392  *
393  * If a new DetectThresholdEntry is generated to track the threshold
394  * for this rule, then it will be returned in new_tsh.
395  */
396 static int ThresholdHandlePacket(Packet *p, DetectThresholdEntry *lookup_tsh,
397  DetectThresholdEntry **new_tsh, const DetectThresholdData *td,
398  uint32_t sid, uint32_t gid, PacketAlert *pa)
399 {
400  int ret = 0;
401 
402  switch(td->type) {
403  case TYPE_LIMIT:
404  {
405  SCLogDebug("limit");
406 
407  if (lookup_tsh != NULL) {
408  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
409  lookup_tsh->current_count++;
410 
411  if (lookup_tsh->current_count <= td->count) {
412  ret = 1;
413  } else {
414  ret = 2;
415  }
416  } else {
417  lookup_tsh->tv1 = p->ts;
418  lookup_tsh->current_count = 1;
419 
420  ret = 1;
421  }
422  } else {
423  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
424 
425  ret = 1;
426  }
427  break;
428  }
429  case TYPE_THRESHOLD:
430  {
431  SCLogDebug("threshold");
432 
433  if (lookup_tsh != NULL) {
434  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
435  lookup_tsh->current_count++;
436 
437  if (lookup_tsh->current_count >= td->count) {
438  ret = 1;
439  lookup_tsh->current_count = 0;
440  }
441  } else {
442  lookup_tsh->tv1 = p->ts;
443  lookup_tsh->current_count = 1;
444  }
445  } else {
446  if (td->count == 1) {
447  ret = 1;
448  } else {
449  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
450  }
451  }
452  break;
453  }
454  case TYPE_BOTH:
455  {
456  SCLogDebug("both");
457 
458  if (lookup_tsh != NULL) {
459  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
460  /* within time limit */
461 
462  lookup_tsh->current_count++;
463  if (lookup_tsh->current_count == td->count) {
464  ret = 1;
465  } else if (lookup_tsh->current_count > td->count) {
466  /* silent match */
467  ret = 2;
468  }
469  } else {
470  /* expired, so reset */
471  lookup_tsh->tv1 = p->ts;
472  lookup_tsh->current_count = 1;
473 
474  /* if we have a limit of 1, this is a match */
475  if (lookup_tsh->current_count == td->count) {
476  ret = 1;
477  }
478  }
479  } else {
480  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
481 
482  /* for the first match we return 1 to
483  * indicate we should alert */
484  if (td->count == 1) {
485  ret = 1;
486  }
487  }
488  break;
489  }
490  /* detection_filter */
491  case TYPE_DETECTION:
492  {
493  SCLogDebug("detection_filter");
494 
495  if (lookup_tsh != NULL) {
496  if (TIMEVAL_DIFF_SEC(p->ts, lookup_tsh->tv1) < td->seconds) {
497  /* within timeout */
498  lookup_tsh->current_count++;
499  if (lookup_tsh->current_count > td->count) {
500  ret = 1;
501  }
502  } else {
503  /* expired, reset */
504  lookup_tsh->tv1 = p->ts;
505  lookup_tsh->current_count = 1;
506  }
507  } else {
508  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
509  }
510  break;
511  }
512  /* rate_filter */
513  case TYPE_RATE:
514  {
515  SCLogDebug("rate_filter");
516  ret = 1;
517  if (lookup_tsh && IsThresholdReached(lookup_tsh, td, p->ts)) {
518  RateFilterSetAction(p, pa, td->new_action);
519  } else if (!lookup_tsh) {
520  *new_tsh = DetectThresholdEntryAlloc(td, p, sid, gid);
521  }
522  break;
523  }
524  /* case TYPE_SUPPRESS: is not handled here */
525  default:
526  SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
527  }
528  return ret;
529 }
530 
531 static int ThresholdHandlePacketIPPair(IPPair *pair, Packet *p, const DetectThresholdData *td,
532  uint32_t sid, uint32_t gid, PacketAlert *pa)
533 {
534  int ret = 0;
535 
536  DetectThresholdEntry *lookup_tsh = ThresholdIPPairLookupEntry(pair, sid, gid);
537  SCLogDebug("ippair lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
538 
539  DetectThresholdEntry *new_tsh = NULL;
540  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, sid, gid, pa);
541  if (new_tsh != NULL) {
542  AddEntryToIPPairStorage(pair, new_tsh, p->ts);
543  }
544 
545  return ret;
546 }
547 
548 /**
549  * \retval 2 silent match (no alert but apply actions)
550  * \retval 1 normal match
551  * \retval 0 no match
552  */
553 static int ThresholdHandlePacketHost(Host *h, Packet *p, const DetectThresholdData *td,
554  uint32_t sid, uint32_t gid, PacketAlert *pa)
555 {
556  int ret = 0;
557  DetectThresholdEntry *lookup_tsh = ThresholdHostLookupEntry(h, sid, gid);
558  SCLogDebug("lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);
559 
560  DetectThresholdEntry *new_tsh = NULL;
561  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, sid, gid, pa);
562  if (new_tsh != NULL) {
563  AddEntryToHostStorage(h, new_tsh, p->ts);
564  }
565  return ret;
566 }
567 
568 static int ThresholdHandlePacketRule(DetectEngineCtx *de_ctx, Packet *p,
569  const DetectThresholdData *td, const Signature *s, PacketAlert *pa)
570 {
571  int ret = 0;
572 
574  SCLogDebug("by_rule lookup_tsh %p num %u", lookup_tsh, s->num);
575 
576  DetectThresholdEntry *new_tsh = NULL;
577  ret = ThresholdHandlePacket(p, lookup_tsh, &new_tsh, td, s->id, s->gid, pa);
578  if (new_tsh != NULL) {
579  new_tsh->tv1 = p->ts;
580  new_tsh->current_count = 1;
581  new_tsh->tv_timeout = 0;
582  de_ctx->ths_ctx.th_entry[s->num] = new_tsh;
583  }
584 
585  return ret;
586 }
587 
588 /**
589  * \brief Make the threshold logic for signatures
590  *
591  * \param de_ctx Dectection Context
592  * \param tsh_ptr Threshold element
593  * \param p Packet structure
594  * \param s Signature structure
595  *
596  * \retval 2 silent match (no alert but apply actions)
597  * \retval 1 alert on this event
598  * \retval 0 do not alert on this event
599  */
601  const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
602 {
603  SCEnter();
604 
605  int ret = 0;
606  if (td == NULL) {
607  SCReturnInt(0);
608  }
609 
610  if (td->type == TYPE_SUPPRESS) {
611  ret = ThresholdHandlePacketSuppress(p,td,s->id,s->gid);
612  } else if (td->track == TRACK_SRC) {
614  if (src) {
615  ret = ThresholdHandlePacketHost(src,p,td,s->id,s->gid,pa);
616  HostRelease(src);
617  }
618  } else if (td->track == TRACK_DST) {
620  if (dst) {
621  ret = ThresholdHandlePacketHost(dst,p,td,s->id,s->gid,pa);
622  HostRelease(dst);
623  }
624  } else if (td->track == TRACK_BOTH) {
625  IPPair *pair = IPPairGetIPPairFromHash(&p->src, &p->dst);
626  if (pair) {
627  ret = ThresholdHandlePacketIPPair(pair, p, td, s->id, s->gid, pa);
628  IPPairRelease(pair);
629  }
630  } else if (td->track == TRACK_RULE) {
632  ret = ThresholdHandlePacketRule(de_ctx,p,td,s,pa);
634  }
635 
636  SCReturnInt(ret);
637 }
638 
639 /**
640  * \brief Init threshold context hash tables
641  *
642  * \param de_ctx Dectection Context
643  *
644  */
646 {
647  if (SCMutexInit(&de_ctx->ths_ctx.threshold_table_lock, NULL) != 0) {
649  "Threshold: Failed to initialize hash table mutex.");
650  }
651 }
652 
653 /**
654  * \brief Allocate threshold context hash tables
655  *
656  * \param de_ctx Detection Context
657  */
659 {
660  Signature *s = de_ctx->sig_list;
661  bool has_by_rule_tracking = false;
662  const DetectThresholdData *td = NULL;
663  const SigMatchData *smd;
664 
665  /* Find the signature with the highest signature number that is using
666  thresholding with by_rule tracking. */
667  uint32_t highest_signum = 0;
668  while (s != NULL) {
669  if (s->sm_arrays[DETECT_SM_LIST_SUPPRESS] != NULL) {
670  smd = NULL;
671  do {
673  if (td == NULL) {
674  continue;
675  }
676  if (td->track != TRACK_RULE) {
677  continue;
678  }
679  if (s->num >= highest_signum) {
680  highest_signum = s->num;
681  has_by_rule_tracking = true;
682  }
683  } while (smd != NULL);
684  }
685 
686  if (s->sm_arrays[DETECT_SM_LIST_THRESHOLD] != NULL) {
687  smd = NULL;
688  do {
690  if (td == NULL) {
691  continue;
692  }
693  if (td->track != TRACK_RULE) {
694  continue;
695  }
696  if (s->num >= highest_signum) {
697  highest_signum = s->num;
698  has_by_rule_tracking = true;
699  }
700  } while (smd != NULL);
701  }
702 
703  s = s->next;
704  }
705 
706  /* Skip allocating if by_rule tracking is not used */
707  if (has_by_rule_tracking == false) {
708  return;
709  }
710 
711  de_ctx->ths_ctx.th_size = highest_signum + 1;
713  if (de_ctx->ths_ctx.th_entry == NULL) {
715  "Error allocating memory for rule "
716  "thresholds (tried to allocate %" PRIu32 " th_entrys for "
717  "rule tracking)",
719  }
720 }
721 
722 /**
723  * \brief Destroy threshold context hash tables
724  *
725  * \param de_ctx Dectection Context
726  *
727  */
729 {
730  if (de_ctx->ths_ctx.th_entry != NULL)
733 }
734 
735 /**
736  * \brief this function will free all the entries of a list
737  * DetectTagDataEntry
738  *
739  * \param td pointer to DetectTagDataEntryList
740  */
741 void ThresholdListFree(void *ptr)
742 {
743  if (ptr != NULL) {
744  DetectThresholdEntry *entry = ptr;
745 
746  while (entry != NULL) {
747  DetectThresholdEntry *next_entry = entry->next;
748  SCFree(entry);
749  entry = next_entry;
750  }
751  }
752 }
753 
754 /**
755  * @}
756  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:42
DetectThresholdData_::timeout
uint32_t timeout
Definition: detect-threshold.h:63
ThresholdIPPairTimeoutCheck
int ThresholdIPPairTimeoutCheck(IPPair *pair, struct timeval *tv)
Definition: detect-engine-threshold.c:203
IPPairStorageRegister
IPPairStorageId IPPairStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Definition: ippair-storage.c:61
host.h
tm-threads.h
detect-content.h
ippair.h
detect-engine.h
host-storage.h
SC_ERR_INVALID_VALUE
@ SC_ERR_INVALID_VALUE
Definition: util-error.h:160
detect-engine-siggroup.h
IPPairRelease
void IPPairRelease(IPPair *h)
Definition: ippair.c:518
Signature_::num
SigIntId num
Definition: detect.h:527
ThresholdCtx_::threshold_table_lock
SCMutex threshold_table_lock
Definition: detect.h:703
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:139
HostStorageRegister
HostStorageId HostStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Register a Host storage.
Definition: host-storage.c:59
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
ThresholdHashAllocate
void ThresholdHashAllocate(DetectEngineCtx *de_ctx)
Allocate threshold context hash tables.
Definition: detect-engine-threshold.c:658
PACKET_REJECT
#define PACKET_REJECT(p)
Definition: decode.h:879
DetectThresholdData_::count
uint32_t count
Definition: detect-threshold.h:58
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:332
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
TIMEVAL_DIFF_SEC
#define TIMEVAL_DIFF_SEC(tv_new, tv_old)
compare two 'struct timeval' and return the difference in seconds
Definition: util-time.h:37
HostRelease
void HostRelease(Host *h)
Definition: host.c:477
util-hash.h
DetectThresholdEntry_::tv1
struct timeval tv1
Definition: detect-threshold.h:78
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:757
HostGetHostFromHash
Host * HostGetHostFromHash(Address *a)
Definition: host.c:502
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:31
ThresholdCtx_::th_size
uint32_t th_size
Definition: detect.h:707
TIMEVAL_EARLIER
#define TIMEVAL_EARLIER(tv_first, tv_second)
compare two 'struct timeval' and return if the first is earlier than the second
Definition: util-time.h:43
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
util-var-name.h
HostGetStorageById
void * HostGetStorageById(Host *h, HostStorageId id)
Get a value from a given Host storage.
Definition: host-storage.c:88
DetectThresholdData_::new_action
uint8_t new_action
Definition: detect-threshold.h:62
DetectThresholdEntry_
Definition: detect-threshold.h:68
TH_ACTION_ALERT
#define TH_ACTION_ALERT
Definition: detect-threshold.h:45
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:570
m
SCMutex m
Definition: flow-hash.h:6
IPPairSetStorageById
int IPPairSetStorageById(IPPair *h, IPPairStorageId id, void *ptr)
Definition: ippair-storage.c:40
DetectThresholdEntry_::sid
uint32_t sid
Definition: detect-threshold.h:69
SigMatchData_
Data needed for Match()
Definition: detect.h:329
IPPairStorageId::id
int id
Definition: ippair-storage.h:33
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:94
ThresholdHashInit
void ThresholdHashInit(DetectEngineCtx *de_ctx)
Init threshold context hash tables.
Definition: detect-engine-threshold.c:645
DetectAddressLookupInHead
DetectAddress * DetectAddressLookupInHead(const DetectAddressHead *gh, Address *a)
Find the group matching address in a group head.
Definition: detect-engine-address.c:1852
DetectThresholdEntry_::seconds
uint32_t seconds
Definition: detect-threshold.h:74
DetectThresholdData_::type
uint8_t type
Definition: detect-threshold.h:60
Signature_::gid
uint32_t gid
Definition: detect.h:551
Signature_::next
struct Signature_ * next
Definition: detect.h:589
DetectThresholdEntry_::track
int track
Definition: detect-threshold.h:76
DetectThresholdEntry_::tv_timeout
uint32_t tv_timeout
Definition: detect-threshold.h:72
ThresholdIPPairHasThreshold
int ThresholdIPPairHasThreshold(IPPair *pair)
Definition: detect-engine-threshold.c:99
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:40
util-debug.h
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
TYPE_RATE
#define TYPE_RATE
Definition: detect-threshold.h:35
DetectEngineThreadCtx_
Definition: detect.h:1001
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:55
PACKET_PASS
#define PACKET_PASS(p)
Definition: decode.h:885
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
TH_ACTION_PASS
#define TH_ACTION_PASS
Definition: detect-threshold.h:47
SCEnter
#define SCEnter(...)
Definition: util-debug.h:300
detect-engine-mpm.h
detect.h
PACKET_ALERT
#define PACKET_ALERT(p)
Definition: decode.h:873
SigMatchData_::type
uint8_t type
Definition: detect.h:330
detect-engine-port.h
util-time.h
IPPairGetIPPairFromHash
IPPair * IPPairGetIPPairFromHash(Address *a, Address *b)
Definition: ippair.c:542
DetectEngineCtx_::ths_ctx
ThresholdCtx ths_ctx
Definition: detect.h:804
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:32
ThresholdCtx_::th_entry
DetectThresholdEntry ** th_entry
Definition: detect.h:706
ThresholdHostStorageId
HostStorageId ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:75
Packet_
Definition: decode.h:416
TRACK_EITHER
#define TRACK_EITHER
Definition: detect-threshold.h:41
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:316
ThresholdHostTimeoutCheck
int ThresholdHostTimeoutCheck(Host *host, struct timeval *tv)
Definition: detect-engine-threshold.c:192
ThresholdListFree
void ThresholdListFree(void *ptr)
this function will free all the entries of a list DetectTagDataEntry
Definition: detect-engine-threshold.c:741
PacketAlertThreshold
int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
Make the threshold logic for signatures.
Definition: detect-engine-threshold.c:600
SCMutexInit
#define SCMutexInit(mut, mutattrs)
Definition: threads-debug.h:116
DetectThresholdData_::track
uint8_t track
Definition: detect-threshold.h:61
PacketAlert_::flags
uint8_t flags
Definition: decode.h:280
DetectThresholdEntry_::current_count
uint32_t current_count
Definition: detect-threshold.h:75
PACKET_ALERT_RATE_FILTER_MODIFIED
#define PACKET_ALERT_RATE_FILTER_MODIFIED
Definition: decode.h:296
TH_ACTION_REJECT
#define TH_ACTION_REJECT
Definition: detect-threshold.h:50
SigMatchData_::is_last
uint8_t is_last
Definition: detect.h:331
Packet_::ts
struct timeval ts
Definition: decode.h:459
suricata-common.h
DetectThresholdData_
Definition: detect-threshold.h:57
IPPair_
Definition: ippair.h:58
TYPE_SUPPRESS
#define TYPE_SUPPRESS
Definition: detect-threshold.h:36
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
TH_ACTION_DROP
#define TH_ACTION_DROP
Definition: detect-threshold.h:46
FatalError
#define FatalError(x,...)
Definition: util-debug.h:532
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:763
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SigGetThresholdTypeIter
const DetectThresholdData * SigGetThresholdTypeIter(const Signature *sig, const SigMatchData **psm, int list)
Return next DetectThresholdData for signature.
Definition: detect-engine-threshold.c:113
IPPairGetStorageById
void * IPPairGetStorageById(IPPair *h, IPPairStorageId id)
Definition: ippair-storage.c:35
DetectThresholdEntry_::next
struct DetectThresholdEntry_ * next
Definition: detect-threshold.h:79
detect-engine-sigorder.h
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:33
DetectThresholdEntry_::gid
uint32_t gid
Definition: detect-threshold.h:70
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:98
HostStorageId_
Definition: host-storage.h:32
head
Flow * head
Definition: flow-hash.h:1
HostStorageId_::id
int id
Definition: host-storage.h:33
SCFree
#define SCFree(p)
Definition: util-mem.h:61
PACKET_DROP
#define PACKET_DROP(p)
Definition: decode.h:877
SC_ERR_FATAL
@ SC_ERR_FATAL
Definition: util-error.h:203
Signature_::id
uint32_t id
Definition: detect.h:550
detect-engine-iponly.h
detect-parse.h
src
uint16_t src
Definition: app-layer-dnp3.h:5
Signature_
Signature container.
Definition: detect.h:517
SC_ERR_MEM_ALLOC
@ SC_ERR_MEM_ALLOC
Definition: util-error.h:31
Packet_::dst
Address dst
Definition: decode.h:421
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
PacketAlert_
Definition: decode.h:277
detect-uricontent.h
DetectThresholdData_::seconds
uint32_t seconds
Definition: detect-threshold.h:59
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
flow.h
ThresholdContextDestroy
void ThresholdContextDestroy(DetectEngineCtx *de_ctx)
Destroy threshold context hash tables.
Definition: detect-engine-threshold.c:728
ippair-storage.h
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
SCMutexDestroy
#define SCMutexDestroy
Definition: threads-debug.h:120
IPPairStorageId
Definition: ippair-storage.h:32
ThresholdInit
void ThresholdInit(void)
Definition: detect-engine-threshold.c:80
HostSetStorageById
int HostSetStorageById(Host *h, HostStorageId id, void *ptr)
Store a pointer in a given Host storage.
Definition: host-storage.c:75
DETECT_SM_LIST_SUPPRESS
@ DETECT_SM_LIST_SUPPRESS
Definition: detect.h:103
detect-engine-address.h
Packet_::src
Address src
Definition: decode.h:420
debug.h
detect-engine-threshold.h
TYPE_DETECTION
#define TYPE_DETECTION
Definition: detect-threshold.h:34
DetectThresholdData_::addrs
DetectAddressHead addrs
Definition: detect-threshold.h:65