suricata
detect-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup threshold
20  * @{
21  */
22 
23 /**
24  * \file
25  *
26  * \author Breno Silva <breno.silva@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * Implements the threshold keyword.
30  *
31  * The feature depends on what is provided
32  * by detect-engine-threshold.c and util-threshold-config.c
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "decode.h"
38 
39 #include "host.h"
40 #include "host-storage.h"
41 
42 #include "detect.h"
43 #include "detect-parse.h"
44 
45 #include "flow-var.h"
46 #include "decode-events.h"
47 #include "stream-tcp.h"
48 
49 #include "detect-threshold.h"
50 #include "detect-engine-threshold.h"
51 #include "detect-engine-address.h"
52 #include "detect-engine-build.h"
53 
54 #include "util-unittest.h"
55 #include "util-unittest-helper.h"
56 #include "util-byte.h"
57 #include "util-debug.h"
58 
59 #ifdef UNITTESTS
60 #include "util-cpu.h"
61 #endif
62 
63 #define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*"
64 
65 static DetectParseRegex parse_regex;
66 
67 static int DetectThresholdMatch(DetectEngineThreadCtx *, Packet *,
68  const Signature *, const SigMatchCtx *);
69 static int DetectThresholdSetup(DetectEngineCtx *, Signature *, const char *);
70 static void DetectThresholdFree(DetectEngineCtx *, void *);
71 #ifdef UNITTESTS
72 static void ThresholdRegisterTests(void);
73 #endif
74 
75 /**
76  * \brief Registration function for threshold: keyword
77  */
78 
79 void DetectThresholdRegister(void)
80 {
81  sigmatch_table[DETECT_THRESHOLD].name = "threshold";
82  sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
83  sigmatch_table[DETECT_THRESHOLD].url = "/rules/thresholding.html#threshold";
84  sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
85  sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
86  sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;
87 #ifdef UNITTESTS
88  sigmatch_table[DETECT_THRESHOLD].RegisterTests = ThresholdRegisterTests;
89 #endif
90  /* this is compatible to ip-only signatures */
91  sigmatch_table[DETECT_THRESHOLD].flags |= SIGMATCH_IPONLY_COMPAT;
92 
93  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
94 }
95 
96 static int DetectThresholdMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
97  const Signature *s, const SigMatchCtx *ctx)
98 {
99  return 1;
100 }
101 
102 /**
103  * \internal
104  * \brief This function is used to parse threshold options passed via threshold: keyword
105  *
106  * \param rawstr Pointer to the user provided threshold options
107  *
108  * \retval de pointer to DetectThresholdData on success
109  * \retval NULL on failure
110  */
111 static DetectThresholdData *DetectThresholdParse(const char *rawstr)
112 {
113  DetectThresholdData *de = NULL;
114  int ret = 0, res = 0;
115  size_t pcre2_len;
116  const char *str_ptr = NULL;
117  char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
118  char *copy_str = NULL, *threshold_opt = NULL;
119  int second_found = 0, count_found = 0;
120  int type_found = 0, track_found = 0;
121  int second_pos = 0, count_pos = 0;
122  size_t pos = 0;
123  int i = 0;
124  pcre2_match_data *match = NULL;
125 
126  copy_str = SCStrdup(rawstr);
127  if (unlikely(copy_str == NULL)) {
128  goto error;
129  }
130 
131  char *saveptr = NULL;
132  for (pos = 0, threshold_opt = strtok_r(copy_str,",", &saveptr);
133  pos < strlen(copy_str) && threshold_opt != NULL;
134  pos++, threshold_opt = strtok_r(NULL,"," , &saveptr))
135  {
136  if(strstr(threshold_opt,"count"))
137  count_found++;
138  if(strstr(threshold_opt,"second"))
139  second_found++;
140  if(strstr(threshold_opt,"type"))
141  type_found++;
142  if(strstr(threshold_opt,"track"))
143  track_found++;
144  }
145  SCFree(copy_str);
146  copy_str = NULL;
147 
148  if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
149  goto error;
150 
151  ret = DetectParsePcreExec(&parse_regex, &match, rawstr, 0, 0);
152  if (ret < 5) {
153  SCLogError("pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
154  goto error;
155  }
156 
157  de = SCCalloc(1, sizeof(DetectThresholdData));
158  if (unlikely(de == NULL))
159  goto error;
160 
161  for (i = 0; i < (ret - 1); i++) {
162 
163  res = pcre2_substring_get_bynumber(match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
164 
165  if (res < 0) {
166  SCLogError("pcre2_substring_get_bynumber failed");
167  goto error;
168  }
169 
170  args[i] = (char *)str_ptr;
171 
172  if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
173  de->type = TYPE_LIMIT;
174  if (strncasecmp(args[i],"both",strlen("both")) == 0)
175  de->type = TYPE_BOTH;
176  if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
177  de->type = TYPE_THRESHOLD;
178  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
179  de->track = TRACK_DST;
180  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
181  de->track = TRACK_SRC;
182  if (strncasecmp(args[i],"by_both",strlen("by_both")) == 0)
183  de->track = TRACK_BOTH;
184  if (strncasecmp(args[i],"by_rule",strlen("by_rule")) == 0)
185  de->track = TRACK_RULE;
186  if (strncasecmp(args[i],"count",strlen("count")) == 0)
187  count_pos = i+1;
188  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
189  second_pos = i+1;
190  }
191 
192  if (args[count_pos] == NULL || args[second_pos] == NULL) {
193  goto error;
194  }
195 
196  if (StringParseUint32(&de->count, 10, strlen(args[count_pos]),
197  args[count_pos]) <= 0) {
198  goto error;
199  }
200 
201  if (StringParseUint32(&de->seconds, 10, strlen(args[second_pos]),
202  args[second_pos]) <= 0) {
203  goto error;
204  }
205 
206  for (i = 0; i < (ret - 1); i++){
207  if (args[i] != NULL)
208  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
209  }
210  pcre2_match_data_free(match);
211  return de;
212 
213 error:
214  if (match) {
215  pcre2_match_data_free(match);
216  }
217  for (i = 0; i < (ret - 1); i++){
218  if (args[i] != NULL)
219  pcre2_substring_free((PCRE2_UCHAR8 *)args[i]);
220  }
221  if (de != NULL)
222  SCFree(de);
223  return NULL;
224 }
225 
226 /**
227  * \internal
228  * \brief this function is used to add the parsed threshold into the current signature
229  *
230  * \param de_ctx pointer to the Detection Engine Context
231  * \param s pointer to the Current Signature
232  * \param rawstr pointer to the user provided threshold options
233  *
234  * \retval 0 on Success
235  * \retval -1 on Failure
236  */
237 static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
238 {
239  DetectThresholdData *de = NULL;
240  SigMatch *tmpm = NULL;
241 
242  /* checks if there is a previous instance of detection_filter */
243  tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
244  if (tmpm != NULL) {
245  if (tmpm->type == DETECT_DETECTION_FILTER) {
246  SCLogError("\"detection_filter\" and "
247  "\"threshold\" are not allowed in the same rule");
248  } else {
249  SCLogError("multiple \"threshold\" "
250  "options are not allowed in the same rule");
251  }
252  SCReturnInt(-1);
253  }
254 
255  de = DetectThresholdParse(rawstr);
256  if (de == NULL)
257  goto error;
258 
259  if (SigMatchAppendSMToList(
260  de_ctx, s, DETECT_THRESHOLD, (SigMatchCtx *)de, DETECT_SM_LIST_THRESHOLD) == NULL) {
261  goto error;
262  }
263 
264  return 0;
265 
266 error:
267  if (de)
268  SCFree(de);
269  return -1;
270 }
271 
272 /**
273  * \internal
274  * \brief this function will free memory associated with DetectThresholdData
275  *
276  * \param de pointer to DetectThresholdData
277  */
278 static void DetectThresholdFree(DetectEngineCtx *de_ctx, void *de_ptr)
279 {
280  DetectThresholdData *de = (DetectThresholdData *)de_ptr;
281  if (de) {
282  DetectAddressHeadCleanup(&de->addrs);
283  SCFree(de);
284  }
285 }
286 
287 /**
288  * \brief Make a deep-copy of an extant DetectTHresholdData object.
289  *
290  * \param de pointer to DetectThresholdData
291  */
292 DetectThresholdData *DetectThresholdDataCopy(DetectThresholdData *de)
293 {
294  DetectThresholdData *new_de = SCCalloc(1, sizeof(DetectThresholdData));
295  if (unlikely(new_de == NULL))
296  return NULL;
297 
298  *new_de = *de;
299  new_de->addrs.ipv4_head = NULL;
300  new_de->addrs.ipv6_head = NULL;
301 
302  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv4_head; tmp_ad; tmp_ad = tmp_ad->next) {
303  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
304  if (n_addr == NULL)
305  goto error;
306  if (last == NULL) {
307  new_de->addrs.ipv4_head = n_addr;
308  } else {
309  last->next = n_addr;
310  n_addr->prev = last;
311  }
312  last = n_addr;
313  }
314  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv6_head; tmp_ad; tmp_ad = tmp_ad->next) {
315  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
316  if (n_addr == NULL)
317  goto error;
318  if (last == NULL) {
319  new_de->addrs.ipv6_head = n_addr;
320  } else {
321  last->next = n_addr;
322  n_addr->prev = last;
323  }
324  last = n_addr;
325  }
326 
327  return new_de;
328 
329 error:
330  DetectThresholdFree(NULL, new_de);
331  return NULL;
332 }
333 
334 /*
335  * ONLY TESTS BELOW THIS COMMENT
336  */
337 #ifdef UNITTESTS
338 #include "detect-engine.h"
339 #include "detect-engine-mpm.h"
340 #include "detect-engine-alert.h"
341 #include "util-time.h"
342 #include "util-hashlist.h"
343 #include "packet.h"
344 #include "action-globals.h"
345 /**
346  * \test ThresholdTestParse01 is a test for a valid threshold options
347  *
348  * \retval 1 on success
349  * \retval 0 on failure
350  */
351 static int ThresholdTestParse01(void)
352 {
353  DetectThresholdData *de = NULL;
354  de = DetectThresholdParse("type limit,track by_dst,count 10,seconds 60");
355  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
356  DetectThresholdFree(NULL, de);
357  return 1;
358  }
359 
360  return 0;
361 }
362 
363 /**
364  * \test ThresholdTestParse02 is a test for a invalid threshold options
365  *
366  * \retval 1 on success
367  * \retval 0 on failure
368  */
369 static int ThresholdTestParse02(void)
370 {
371  DetectThresholdData *de = NULL;
372  de = DetectThresholdParse("type any,track by_dst,count 10,seconds 60");
373  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
374  DetectThresholdFree(NULL, de);
375  return 0;
376  }
377 
378  return 1;
379 }
380 
381 /**
382  * \test ThresholdTestParse03 is a test for a valid threshold options in any order
383  *
384  * \retval 1 on success
385  * \retval 0 on failure
386  */
387 static int ThresholdTestParse03(void)
388 {
389  DetectThresholdData *de = NULL;
390  de = DetectThresholdParse("track by_dst, type limit, seconds 60, count 10");
391  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
392  DetectThresholdFree(NULL, de);
393  return 1;
394  }
395 
396  return 0;
397 }
398 
399 
400 /**
401  * \test ThresholdTestParse04 is a test for an invalid threshold options in any order
402  *
403  * \retval 1 on success
404  * \retval 0 on failure
405  */
406 static int ThresholdTestParse04(void)
407 {
408  DetectThresholdData *de = NULL;
409  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both, count 10");
410  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
411  DetectThresholdFree(NULL, de);
412  return 0;
413  }
414 
415  return 1;
416 }
417 
418 /**
419  * \test ThresholdTestParse05 is a test for a valid threshold options in any order
420  *
421  * \retval 1 on success
422  * \retval 0 on failure
423  */
424 static int ThresholdTestParse05(void)
425 {
426  DetectThresholdData *de = NULL;
427  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both");
428  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
429  DetectThresholdFree(NULL, de);
430  return 1;
431  }
432 
433  return 0;
434 }
435 
436 /**
437  * \test ThresholdTestParse06 is a test for thresholding by_both
438  *
439  * \retval 1 on success
440  * \retval 0 on failure
441  */
442 static int ThresholdTestParse06(void)
443 {
444  DetectThresholdData *de = NULL;
445  de = DetectThresholdParse("count 10, track by_both, seconds 60, type limit");
446  FAIL_IF_NULL(de);
447  FAIL_IF_NOT(de->type == TYPE_LIMIT);
448  FAIL_IF_NOT(de->track == TRACK_BOTH);
449  FAIL_IF_NOT(de->count == 10);
450  FAIL_IF_NOT(de->seconds == 60);
451  DetectThresholdFree(NULL, de);
452  PASS;
453 }
454 
455 /**
456  * \test ThresholdTestParse07 is a test for thresholding by_rule
457  *
458  * \retval 1 on success
459  * \retval 0 on failure
460  */
461 static int ThresholdTestParse07(void)
462 {
463  DetectThresholdData *de = NULL;
464  de = DetectThresholdParse("count 10, track by_rule, seconds 60, type limit");
465  FAIL_IF_NULL(de);
466  FAIL_IF_NOT(de->type == TYPE_LIMIT);
467  FAIL_IF_NOT(de->track == TRACK_RULE);
468  FAIL_IF_NOT(de->count == 10);
469  FAIL_IF_NOT(de->seconds == 60);
470  DetectThresholdFree(NULL, de);
471  PASS;
472 }
473 
474 /**
475  * \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
476  * by setting up the signature and later testing its working by matching
477  * the received packet against the sig.
478  *
479  * \retval 1 on success
480  * \retval 0 on failure
481  */
482 
483 static int DetectThresholdTestSig1(void)
484 {
485  Packet *p = NULL;
486  Signature *s = NULL;
487  ThreadVars th_v;
488  DetectEngineThreadCtx *det_ctx;
489  int result = 0;
490  int alerts = 0;
491 
492  HostInitConfig(HOST_QUIET);
493 
494  memset(&th_v, 0, sizeof(th_v));
495 
496  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
497 
498  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
499  if (de_ctx == NULL) {
500  goto end;
501  }
502 
503  de_ctx->flags |= DE_QUIET;
504 
505  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
506  if (s == NULL) {
507  goto end;
508  }
509 
510  SigGroupBuild(de_ctx);
511 
512  FAIL_IF(s->type == SIG_TYPE_IPONLY);
513 
514  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
515 
516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
517  alerts = PacketAlertCheck(p, 1);
518  if (alerts != 1) {
519  printf("alerts %"PRIi32", expected 1: ", alerts);
520  }
521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522  alerts += PacketAlertCheck(p, 1);
523  if (alerts != 2) {
524  printf("alerts %"PRIi32", expected 2: ", alerts);
525  }
526  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
527  alerts += PacketAlertCheck(p, 1);
528  if (alerts != 3) {
529  printf("alerts %"PRIi32", expected 3: ", alerts);
530  }
531  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
532  alerts += PacketAlertCheck(p, 1);
533  if (alerts != 4) {
534  printf("alerts %"PRIi32", expected 4: ", alerts);
535  }
536  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
537  alerts += PacketAlertCheck(p, 1);
538  if (alerts != 5) {
539  printf("alerts %"PRIi32", expected 5: ", alerts);
540  }
541  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
542  alerts += PacketAlertCheck(p, 1);
543  if (alerts != 5) {
544  printf("alerts %"PRIi32", expected 5: ", alerts);
545  }
546  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
547  alerts += PacketAlertCheck(p, 1);
548  if (alerts != 5) {
549  printf("alerts %"PRIi32", expected 5: ", alerts);
550  }
551  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
552  alerts += PacketAlertCheck(p, 1);
553  if (alerts != 5) {
554  printf("alerts %"PRIi32", expected 5: ", alerts);
555  }
556 
557  if(alerts == 5)
558  result = 1;
559  else
560  printf("alerts %"PRIi32", expected 5: ", alerts);
561 
562  SigGroupCleanup(de_ctx);
563  SigCleanSignatures(de_ctx);
564 
565  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
566  DetectEngineCtxFree(de_ctx);
567 
568  UTHFreePackets(&p, 1);
569 
570  HostShutdown();
571 end:
572  return result;
573 }
574 
575 /**
576  * \test DetectThresholdTestSig2 is a test for checking the working of threshold keyword
577  * by setting up the signature and later testing its working by matching
578  * the received packet against the sig.
579  *
580  * \retval 1 on success
581  * \retval 0 on failure
582  */
583 
584 static int DetectThresholdTestSig2(void)
585 {
586  Packet *p = NULL;
587  Signature *s = NULL;
588  ThreadVars th_v;
589  DetectEngineThreadCtx *det_ctx;
590  int result = 0;
591  int alerts = 0;
592 
593  HostInitConfig(HOST_QUIET);
594 
595  memset(&th_v, 0, sizeof(th_v));
596 
597  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
598 
599  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
600  if (de_ctx == NULL) {
601  goto end;
602  }
603 
604  de_ctx->flags |= DE_QUIET;
605 
606  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
607  if (s == NULL) {
608  goto end;
609  }
610 
611  SigGroupBuild(de_ctx);
612  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
613 
614  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
615  alerts = PacketAlertCheck(p, 1);
616  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
617  alerts += PacketAlertCheck(p, 1);
618  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
619  alerts += PacketAlertCheck(p, 1);
620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
621  alerts += PacketAlertCheck(p, 1);
622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
623  alerts += PacketAlertCheck(p, 1);
624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
625  alerts += PacketAlertCheck(p, 1);
626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
627  alerts += PacketAlertCheck(p, 1);
628  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
629  alerts += PacketAlertCheck(p, 1);
630  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
631  alerts += PacketAlertCheck(p, 1);
632  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
633  alerts += PacketAlertCheck(p, 1);
634 
635  if (alerts == 2)
636  result = 1;
637  else
638  goto cleanup;
639 
640 cleanup:
641  SigGroupCleanup(de_ctx);
642  SigCleanSignatures(de_ctx);
643 
644  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
645  DetectEngineCtxFree(de_ctx);
646 
647 end:
648  UTHFreePackets(&p, 1);
649  HostShutdown();
650  return result;
651 }
652 
653 /**
654  * \test DetectThresholdTestSig3 is a test for checking the working of limit keyword
655  * by setting up the signature and later testing its working by matching
656  * the received packet against the sig.
657  *
658  * \retval 1 on success
659  * \retval 0 on failure
660  */
661 
662 static int DetectThresholdTestSig3(void)
663 {
664  Packet *p = NULL;
665  Signature *s = NULL;
666  ThreadVars th_v;
667  DetectEngineThreadCtx *det_ctx;
668  int result = 0;
669  int alerts = 0;
670  DetectThresholdEntry *lookup_tsh = NULL;
671 
672  HostInitConfig(HOST_QUIET);
673 
674  memset(&th_v, 0, sizeof(th_v));
675 
676  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
677 
678  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
679  if (de_ctx == NULL) {
680  goto end;
681  }
682 
683  de_ctx->flags |= DE_QUIET;
684 
685  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
686  if (s == NULL) {
687  goto end;
688  }
689 
690  SigGroupBuild(de_ctx);
691  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
692 
693  p->ts = TimeGet();
694 
695  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
696  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
697  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
698 
699  Host *host = HostLookupHostFromHash(&p->dst);
700  if (host == NULL) {
701  printf("host not found: ");
702  goto cleanup;
703  }
704 
705  if (!(ThresholdHostHasThreshold(host))) {
706  HostRelease(host);
707  printf("host has no threshold: ");
708  goto cleanup;
709  }
710  HostRelease(host);
711 
712  TimeSetIncrementTime(200);
713  p->ts = TimeGet();
714 
715  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
716  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
717  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
718 
719  host = HostLookupHostFromHash(&p->dst);
720  if (host == NULL) {
721  printf("host not found: ");
722  goto cleanup;
723  }
724  HostRelease(host);
725 
726  lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
727  if (lookup_tsh == NULL) {
728  HostRelease(host);
729  printf("lookup_tsh is NULL: ");
730  goto cleanup;
731  }
732 
733  alerts = lookup_tsh->current_count;
734 
735  if (alerts == 3)
736  result = 1;
737  else {
738  printf("alerts %u != 3: ", alerts);
739  goto cleanup;
740  }
741 
742 cleanup:
743  SigGroupCleanup(de_ctx);
744  SigCleanSignatures(de_ctx);
745 
746  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
747  DetectEngineCtxFree(de_ctx);
748 end:
749  UTHFreePackets(&p, 1);
750  HostShutdown();
751  return result;
752 }
753 
754 /**
755  * \test DetectThresholdTestSig4 is a test for checking the working of both keyword
756  * by setting up the signature and later testing its working by matching
757  * the received packet against the sig.
758  *
759  * \retval 1 on success
760  * \retval 0 on failure
761  */
762 
763 static int DetectThresholdTestSig4(void)
764 {
765  Packet *p = NULL;
766  Signature *s = NULL;
767  ThreadVars th_v;
768  DetectEngineThreadCtx *det_ctx;
769  int result = 0;
770  int alerts = 0;
771 
772  HostInitConfig(HOST_QUIET);
773 
774  memset(&th_v, 0, sizeof(th_v));
775 
776  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
777 
778  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
779  if (de_ctx == NULL) {
780  goto end;
781  }
782 
783  de_ctx->flags |= DE_QUIET;
784 
785  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
786  if (s == NULL) {
787  goto end;
788  }
789 
790  SigGroupBuild(de_ctx);
791  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
792 
793  p->ts = TimeGet();
794  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
795  alerts = PacketAlertCheck(p, 10);
796  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
797  alerts += PacketAlertCheck(p, 10);
798  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
799  alerts += PacketAlertCheck(p, 10);
800 
801  TimeSetIncrementTime(200);
802  p->ts = TimeGet();
803 
804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
805  alerts += PacketAlertCheck(p, 10);
806  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
807  alerts += PacketAlertCheck(p, 10);
808  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
809  alerts += PacketAlertCheck(p, 10);
810 
811  if (alerts == 2)
812  result = 1;
813  else
814  goto cleanup;
815 
816 cleanup:
817  SigGroupCleanup(de_ctx);
818  SigCleanSignatures(de_ctx);
819 
820  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
821  DetectEngineCtxFree(de_ctx);
822 end:
823  UTHFreePackets(&p, 1);
824  HostShutdown();
825  return result;
826 }
827 
828 /**
829  * \test DetectThresholdTestSig5 is a test for checking the working of limit keyword
830  * by setting up the signature and later testing its working by matching
831  * the received packet against the sig.
832  *
833  * \retval 1 on success
834  * \retval 0 on failure
835  */
836 
837 static int DetectThresholdTestSig5(void)
838 {
839  Packet *p = NULL;
840  Signature *s = NULL;
841  ThreadVars th_v;
842  DetectEngineThreadCtx *det_ctx;
843  int result = 0;
844  int alerts = 0;
845 
846  HostInitConfig(HOST_QUIET);
847 
848  memset(&th_v, 0, sizeof(th_v));
849  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
850 
851  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
852  if (de_ctx == NULL) {
853  goto end;
854  }
855 
856  de_ctx->flags |= DE_QUIET;
857 
858  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
859  if (s == NULL) {
860  goto end;
861  }
862 
863  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
864  if (s == NULL) {
865  goto end;
866  }
867 
868  SigGroupBuild(de_ctx);
869  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
870 
871  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
872  alerts = PacketAlertCheck(p, 1);
873  alerts += PacketAlertCheck(p, 1000);
874  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
875  alerts += PacketAlertCheck(p, 1);
876  alerts += PacketAlertCheck(p, 1000);
877  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
878  alerts += PacketAlertCheck(p, 1);
879  alerts += PacketAlertCheck(p, 1000);
880  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
881  alerts += PacketAlertCheck(p, 1);
882  alerts += PacketAlertCheck(p, 1000);
883  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
884  alerts += PacketAlertCheck(p, 1);
885  alerts += PacketAlertCheck(p, 1000);
886  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
887  alerts += PacketAlertCheck(p, 1);
888  alerts += PacketAlertCheck(p, 1000);
889  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
890  alerts += PacketAlertCheck(p, 1);
891  alerts += PacketAlertCheck(p, 1000);
892  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
893  alerts += PacketAlertCheck(p, 1);
894  alerts += PacketAlertCheck(p, 1000);
895 
896  if(alerts == 10)
897  result = 1;
898  else {
899  printf("alerts %d != 10: ", alerts);
900  goto cleanup;
901  }
902 
903 cleanup:
904  SigGroupCleanup(de_ctx);
905  SigCleanSignatures(de_ctx);
906 
907  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
908  DetectEngineCtxFree(de_ctx);
909 
910 end:
911  UTHFreePackets(&p, 1);
912  HostShutdown();
913  return result;
914 }
915 
916 static int DetectThresholdTestSig6Ticks(void)
917 {
918  Packet *p = NULL;
919  Signature *s = NULL;
920  ThreadVars th_v;
921  DetectEngineThreadCtx *det_ctx;
922  int result = 0;
923  int alerts = 0;
924 
925  HostInitConfig(HOST_QUIET);
926 
927  memset(&th_v, 0, sizeof(th_v));
928  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
929 
930  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
931  if (de_ctx == NULL) {
932  goto end;
933  }
934 
935  de_ctx->flags |= DE_QUIET;
936 
937  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
938  if (s == NULL) {
939  goto end;
940  }
941 
942  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
943  if (s == NULL) {
944  goto end;
945  }
946 
947  SigGroupBuild(de_ctx);
948  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
949 
950  uint64_t ticks_start = 0;
951  uint64_t ticks_end = 0;
952 
953  ticks_start = UtilCpuGetTicks();
954  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
955  alerts = PacketAlertCheck(p, 1);
956  alerts += PacketAlertCheck(p, 1000);
957  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
958  alerts += PacketAlertCheck(p, 1);
959  alerts += PacketAlertCheck(p, 1000);
960  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
961  alerts += PacketAlertCheck(p, 1);
962  alerts += PacketAlertCheck(p, 1000);
963  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
964  alerts += PacketAlertCheck(p, 1);
965  alerts += PacketAlertCheck(p, 1000);
966  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
967  alerts += PacketAlertCheck(p, 1);
968  alerts += PacketAlertCheck(p, 1000);
969  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
970  alerts += PacketAlertCheck(p, 1);
971  alerts += PacketAlertCheck(p, 1000);
972  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
973  alerts += PacketAlertCheck(p, 1);
974  alerts += PacketAlertCheck(p, 1000);
975  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
976  alerts += PacketAlertCheck(p, 1);
977  alerts += PacketAlertCheck(p, 1000);
978  ticks_end = UtilCpuGetTicks();
979  printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
980 
981  if(alerts == 10)
982  result = 1;
983  else
984  goto cleanup;
985 
986 cleanup:
987  SigGroupCleanup(de_ctx);
988  SigCleanSignatures(de_ctx);
989 
990  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
991  DetectEngineCtxFree(de_ctx);
992 
993 end:
994  UTHFreePackets(&p, 1);
995  HostShutdown();
996  return result;
997 }
998 
999 /**
1000  * \test Test drop action being set even if thresholded
1001  */
1002 static int DetectThresholdTestSig7(void)
1003 {
1004  Packet *p = NULL;
1005  Signature *s = NULL;
1006  ThreadVars th_v;
1007  DetectEngineThreadCtx *det_ctx;
1008  int result = 0;
1009  int alerts = 0;
1010  int drops = 0;
1011 
1012  HostInitConfig(HOST_QUIET);
1013 
1014  memset(&th_v, 0, sizeof(th_v));
1015 
1016  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1017 
1018  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1019  if (de_ctx == NULL) {
1020  goto end;
1021  }
1022 
1023  de_ctx->flags |= DE_QUIET;
1024 
1025  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 1, seconds 300; sid:10;)");
1026  if (s == NULL) {
1027  goto end;
1028  }
1029 
1030  SigGroupBuild(de_ctx);
1031  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1032 
1033  p->ts = TimeGet();
1034  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1035  alerts = PacketAlertCheck(p, 10);
1036  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1037  p->action = 0;
1038 
1039  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1040  alerts += PacketAlertCheck(p, 10);
1041  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1042  p->action = 0;
1043 
1044  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1045  alerts += PacketAlertCheck(p, 10);
1046  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1047  p->action = 0;
1048 
1049  TimeSetIncrementTime(200);
1050  p->ts = TimeGet();
1051 
1052  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1053  alerts += PacketAlertCheck(p, 10);
1054  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1055  p->action = 0;
1056 
1057  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1058  alerts += PacketAlertCheck(p, 10);
1059  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1060  p->action = 0;
1061 
1062  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1063  alerts += PacketAlertCheck(p, 10);
1064  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1065  p->action = 0;
1066 
1067  if (alerts == 1 && drops == 6)
1068  result = 1;
1069  else {
1070  if (alerts != 1)
1071  printf("alerts: %d != 1: ", alerts);
1072  if (drops != 6)
1073  printf("drops: %d != 6: ", drops);
1074  goto cleanup;
1075  }
1076 
1077 cleanup:
1078  SigGroupCleanup(de_ctx);
1079  SigCleanSignatures(de_ctx);
1080 
1081  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1082  DetectEngineCtxFree(de_ctx);
1083 end:
1084  UTHFreePackets(&p, 1);
1085  HostShutdown();
1086  return result;
1087 }
1088 
1089 /**
1090  * \test Test drop action being set even if thresholded
1091  */
1092 static int DetectThresholdTestSig8(void)
1093 {
1094  Packet *p = NULL;
1095  Signature *s = NULL;
1096  ThreadVars th_v;
1097  DetectEngineThreadCtx *det_ctx;
1098  int result = 0;
1099  int alerts = 0;
1100  int drops = 0;
1101 
1102  HostInitConfig(HOST_QUIET);
1103 
1104  memset(&th_v, 0, sizeof(th_v));
1105 
1106  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1107 
1108  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1109  if (de_ctx == NULL) {
1110  goto end;
1111  }
1112 
1113  de_ctx->flags |= DE_QUIET;
1114 
1115  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 2, seconds 300; sid:10;)");
1116  if (s == NULL) {
1117  goto end;
1118  }
1119 
1120  SigGroupBuild(de_ctx);
1121  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1122 
1123  p->ts = TimeGet();
1124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1125  alerts = PacketAlertCheck(p, 10);
1126  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1127  p->action = 0;
1128 
1129  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1130  alerts += PacketAlertCheck(p, 10);
1131  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1132  p->action = 0;
1133 
1134  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1135  alerts += PacketAlertCheck(p, 10);
1136  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1137  p->action = 0;
1138 
1139  TimeSetIncrementTime(200);
1140  p->ts = TimeGet();
1141 
1142  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1143  alerts += PacketAlertCheck(p, 10);
1144  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1145  p->action = 0;
1146 
1147  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1148  alerts += PacketAlertCheck(p, 10);
1149  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1150  p->action = 0;
1151 
1152  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1153  alerts += PacketAlertCheck(p, 10);
1154  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1155  p->action = 0;
1156 
1157  if (alerts == 2 && drops == 6)
1158  result = 1;
1159  else {
1160  if (alerts != 1)
1161  printf("alerts: %d != 1: ", alerts);
1162  if (drops != 6)
1163  printf("drops: %d != 6: ", drops);
1164  goto cleanup;
1165  }
1166 
1167 cleanup:
1168  SigGroupCleanup(de_ctx);
1169  SigCleanSignatures(de_ctx);
1170 
1171  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1172  DetectEngineCtxFree(de_ctx);
1173 end:
1174  UTHFreePackets(&p, 1);
1175  HostShutdown();
1176  return result;
1177 }
1178 
1179 /**
1180  * \test Test drop action being set even if thresholded
1181  */
1182 static int DetectThresholdTestSig9(void)
1183 {
1184  Packet *p = NULL;
1185  Signature *s = NULL;
1186  ThreadVars th_v;
1187  DetectEngineThreadCtx *det_ctx;
1188  int result = 0;
1189  int alerts = 0;
1190  int drops = 0;
1191 
1192  HostInitConfig(HOST_QUIET);
1193 
1194  memset(&th_v, 0, sizeof(th_v));
1195 
1196  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1197 
1198  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1199  if (de_ctx == NULL) {
1200  goto end;
1201  }
1202 
1203  de_ctx->flags |= DE_QUIET;
1204 
1205  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 3, seconds 100; sid:10;)");
1206  if (s == NULL) {
1207  goto end;
1208  }
1209 
1210  SigGroupBuild(de_ctx);
1211  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1212 
1213  p->ts = TimeGet();
1214  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1215  alerts = PacketAlertCheck(p, 10);
1216  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1217  p->action = 0;
1218 
1219  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1220  alerts += PacketAlertCheck(p, 10);
1221  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1222  p->action = 0;
1223 
1224  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1225  alerts += PacketAlertCheck(p, 10);
1226  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1227  p->action = 0;
1228 
1229  TimeSetIncrementTime(200);
1230  p->ts = TimeGet();
1231 
1232  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1233  alerts += PacketAlertCheck(p, 10);
1234  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1235  p->action = 0;
1236 
1237  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1238  alerts += PacketAlertCheck(p, 10);
1239  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1240  p->action = 0;
1241 
1242  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1243  alerts += PacketAlertCheck(p, 10);
1244  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1245  p->action = 0;
1246 
1247  if (alerts == 2 && drops == 2)
1248  result = 1;
1249  else {
1250  if (alerts != 2)
1251  printf("alerts: %d != 2: ", alerts);
1252  if (drops != 2)
1253  printf("drops: %d != 2: ", drops);
1254  goto cleanup;
1255  }
1256 
1257 cleanup:
1258  SigGroupCleanup(de_ctx);
1259  SigCleanSignatures(de_ctx);
1260 
1261  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1262  DetectEngineCtxFree(de_ctx);
1263 end:
1264  UTHFreePackets(&p, 1);
1265  HostShutdown();
1266  return result;
1267 }
1268 
1269 /**
1270  * \test Test drop action being set even if thresholded
1271  */
1272 static int DetectThresholdTestSig10(void)
1273 {
1274  Packet *p = NULL;
1275  Signature *s = NULL;
1276  ThreadVars th_v;
1277  DetectEngineThreadCtx *det_ctx;
1278  int result = 0;
1279  int alerts = 0;
1280  int drops = 0;
1281 
1282  HostInitConfig(HOST_QUIET);
1283 
1284  memset(&th_v, 0, sizeof(th_v));
1285 
1286  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1287 
1288  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1289  if (de_ctx == NULL) {
1290  goto end;
1291  }
1292 
1293  de_ctx->flags |= DE_QUIET;
1294 
1295  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 5, seconds 300; sid:10;)");
1296  if (s == NULL) {
1297  goto end;
1298  }
1299 
1300  SigGroupBuild(de_ctx);
1301  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1302 
1303  p->ts = TimeGet();
1304  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1305  alerts = PacketAlertCheck(p, 10);
1306  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1307  p->action = 0;
1308 
1309  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1310  alerts += PacketAlertCheck(p, 10);
1311  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1312  p->action = 0;
1313 
1314  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1315  alerts += PacketAlertCheck(p, 10);
1316  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1317  p->action = 0;
1318 
1319  TimeSetIncrementTime(200);
1320  p->ts = TimeGet();
1321 
1322  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1323  alerts += PacketAlertCheck(p, 10);
1324  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1325  p->action = 0;
1326 
1327  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1328  alerts += PacketAlertCheck(p, 10);
1329  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1330  p->action = 0;
1331 
1332  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1333  alerts += PacketAlertCheck(p, 10);
1334  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1335  p->action = 0;
1336 
1337  if (alerts == 1 && drops == 1)
1338  result = 1;
1339  else {
1340  if (alerts != 1)
1341  printf("alerts: %d != 1: ", alerts);
1342  if (drops != 1)
1343  printf("drops: %d != 1: ", drops);
1344  goto cleanup;
1345  }
1346 
1347 cleanup:
1348  SigGroupCleanup(de_ctx);
1349  SigCleanSignatures(de_ctx);
1350 
1351  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1352  DetectEngineCtxFree(de_ctx);
1353 end:
1354  UTHFreePackets(&p, 1);
1355  HostShutdown();
1356  return result;
1357 }
1358 
1359 /**
1360  * \test Test drop action being set even if thresholded
1361  */
1362 static int DetectThresholdTestSig11(void)
1363 {
1364  Packet *p = NULL;
1365  Signature *s = NULL;
1366  ThreadVars th_v;
1367  DetectEngineThreadCtx *det_ctx;
1368  int result = 0;
1369  int alerts = 0;
1370  int drops = 0;
1371 
1372  HostInitConfig(HOST_QUIET);
1373 
1374  memset(&th_v, 0, sizeof(th_v));
1375 
1376  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1377 
1378  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1379  if (de_ctx == NULL) {
1380  goto end;
1381  }
1382 
1383  de_ctx->flags |= DE_QUIET;
1384 
1385  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 3, seconds 300; sid:10;)");
1386  if (s == NULL) {
1387  goto end;
1388  }
1389 
1390  SigGroupBuild(de_ctx);
1391  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1392 
1393  p->ts = TimeGet();
1394  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1395  alerts = PacketAlertCheck(p, 10);
1396  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1397  p->action = 0;
1398 
1399  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1400  alerts += PacketAlertCheck(p, 10);
1401  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1402  p->action = 0;
1403 
1404  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1405  alerts += PacketAlertCheck(p, 10);
1406  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1407  p->action = 0;
1408 
1409  TimeSetIncrementTime(200);
1410  p->ts = TimeGet();
1411 
1412  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1413  alerts += PacketAlertCheck(p, 10);
1414  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1415  p->action = 0;
1416 
1417  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1418  alerts += PacketAlertCheck(p, 10);
1419  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1420  p->action = 0;
1421 
1422  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1423  alerts += PacketAlertCheck(p, 10);
1424  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1425  p->action = 0;
1426 
1427  if (alerts == 1 && drops == 4)
1428  result = 1;
1429  else {
1430  if (alerts != 1)
1431  printf("alerts: %d != 1: ", alerts);
1432  if (drops != 4)
1433  printf("drops: %d != 4: ", drops);
1434  goto cleanup;
1435  }
1436 
1437 cleanup:
1438  SigGroupCleanup(de_ctx);
1439  SigCleanSignatures(de_ctx);
1440 
1441  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1442  DetectEngineCtxFree(de_ctx);
1443 end:
1444  UTHFreePackets(&p, 1);
1445  HostShutdown();
1446  return result;
1447 }
1448 
1449 /**
1450  * \test Test drop action being set even if thresholded
1451  */
1452 static int DetectThresholdTestSig12(void)
1453 {
1454  Packet *p = NULL;
1455  Signature *s = NULL;
1456  ThreadVars th_v;
1457  DetectEngineThreadCtx *det_ctx;
1458  int result = 0;
1459  int alerts = 0;
1460  int drops = 0;
1461 
1462  HostInitConfig(HOST_QUIET);
1463 
1464  memset(&th_v, 0, sizeof(th_v));
1465 
1466  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1467 
1468  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1469  if (de_ctx == NULL) {
1470  goto end;
1471  }
1472 
1473  de_ctx->flags |= DE_QUIET;
1474 
1475  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 5, seconds 300; sid:10;)");
1476  if (s == NULL) {
1477  goto end;
1478  }
1479 
1480  SigGroupBuild(de_ctx);
1481  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1482 
1483  p->ts = TimeGet();
1484  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1485  alerts = PacketAlertCheck(p, 10);
1486  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1487  p->action = 0;
1488 
1489  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1490  alerts += PacketAlertCheck(p, 10);
1491  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1492  p->action = 0;
1493 
1494  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1495  alerts += PacketAlertCheck(p, 10);
1496  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1497  p->action = 0;
1498 
1499  TimeSetIncrementTime(200);
1500  p->ts = TimeGet();
1501 
1502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1503  alerts += PacketAlertCheck(p, 10);
1504  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1505  p->action = 0;
1506 
1507  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1508  alerts += PacketAlertCheck(p, 10);
1509  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1510  p->action = 0;
1511 
1512  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1513  alerts += PacketAlertCheck(p, 10);
1514  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1515  p->action = 0;
1516 
1517  if (alerts == 1 && drops == 2)
1518  result = 1;
1519  else {
1520  if (alerts != 1)
1521  printf("alerts: %d != 1: ", alerts);
1522  if (drops != 2)
1523  printf("drops: %d != 2: ", drops);
1524  goto cleanup;
1525  }
1526 
1527 cleanup:
1528  SigGroupCleanup(de_ctx);
1529  SigCleanSignatures(de_ctx);
1530 
1531  DetectEngineThreadCtxDeinit(&th_v, (void*)det_ctx);
1532  DetectEngineCtxFree(de_ctx);
1533 end:
1534  UTHFreePackets(&p, 1);
1535  HostShutdown();
1536  return result;
1537 }
1538 
1539 /**
1540  * \test DetectThresholdTestSig13 is a test for checking the working by_rule limits
1541  * by setting up the signature and later testing its working by matching
1542  * received packets against the sig.
1543  *
1544  * \retval 1 on success
1545  * \retval 0 on failure
1546  */
1547 
1548 static int DetectThresholdTestSig13(void)
1549 {
1550  Packet *p = NULL;
1551  Signature *s = NULL;
1552  ThreadVars th_v;
1553  DetectEngineThreadCtx *det_ctx;
1554  int alerts = 0;
1555 
1556  HostInitConfig(HOST_QUIET);
1557 
1558  memset(&th_v, 0, sizeof(th_v));
1559  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1560  FAIL_IF_NULL(p);
1561 
1562  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1563  FAIL_IF_NULL(de_ctx);
1564 
1565  de_ctx->flags |= DE_QUIET;
1566 
1567  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_rule, count 2, seconds 60; sid:1;)");
1568  FAIL_IF_NULL(s);
1569 
1570  SigGroupBuild(de_ctx);
1571  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1572 
1573  /* should alert twice */
1574  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1575  alerts += PacketAlertCheck(p, 1);
1576  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1577  alerts += PacketAlertCheck(p, 1);
1578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1579  alerts += PacketAlertCheck(p, 1);
1580  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1581  alerts += PacketAlertCheck(p, 1);
1582 
1583  FAIL_IF(alerts != 2);
1584 
1585  TimeSetIncrementTime(70);
1586  p->ts = TimeGet();
1587 
1588  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1589  alerts += PacketAlertCheck(p, 1);
1590  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1591  alerts += PacketAlertCheck(p, 1);
1592  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1593  alerts += PacketAlertCheck(p, 1);
1594  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1595  alerts += PacketAlertCheck(p, 1);
1596 
1597  FAIL_IF(alerts != 4);
1598 
1599  SigGroupCleanup(de_ctx);
1600  SigCleanSignatures(de_ctx);
1601  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1602  DetectEngineCtxFree(de_ctx);
1603  UTHFreePackets(&p, 1);
1604  HostShutdown();
1605  PASS;
1606 }
1607 
1608 /**
1609  * \test DetectThresholdTestSig14 is a test for checking the working by_both limits
1610  * by setting up the signature and later testing its working by matching
1611  * received packets against the sig.
1612  *
1613  * \retval 1 on success
1614  * \retval 0 on failure
1615  */
1616 
1617 static int DetectThresholdTestSig14(void)
1618 {
1619  Packet *p1 = NULL;
1620  Packet *p2 = NULL;
1621  Signature *s = NULL;
1622  ThreadVars th_v;
1623  DetectEngineThreadCtx *det_ctx;
1624  int alerts1 = 0;
1625  int alerts2 = 0;
1626 
1627  HostInitConfig(HOST_QUIET);
1628  IPPairInitConfig(IPPAIR_QUIET);
1629 
1630  memset(&th_v, 0, sizeof(th_v));
1631  p1 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1632  p2 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "3.3.3.3", 1024, 80);
1633  FAIL_IF_NULL(p1);
1634  FAIL_IF_NULL(p2);
1635 
1636  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1637  FAIL_IF_NULL(de_ctx);
1638 
1639  de_ctx->flags |= DE_QUIET;
1640 
1641  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_both, count 2, seconds 60; sid:1;)");
1642  FAIL_IF_NULL(s);
1643 
1644  SigGroupBuild(de_ctx);
1645  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1646 
1647  /* Both p1 and p2 should alert twice */
1648  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1649  alerts1 += PacketAlertCheck(p1, 1);
1650  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1651  alerts1 += PacketAlertCheck(p1, 1);
1652  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1653  alerts1 += PacketAlertCheck(p1, 1);
1654  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1655  alerts1 += PacketAlertCheck(p1, 1);
1656 
1657  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1658  alerts2 += PacketAlertCheck(p2, 1);
1659  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1660  alerts2 += PacketAlertCheck(p2, 1);
1661  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1662  alerts2 += PacketAlertCheck(p2, 1);
1663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1664  alerts2 += PacketAlertCheck(p2, 1);
1665 
1666  FAIL_IF(alerts1 != 2);
1667  FAIL_IF(alerts2 != 2);
1668 
1669  TimeSetIncrementTime(70);
1670  p1->ts = TimeGet();
1671  p2->ts = TimeGet();
1672 
1673  /* Now they should both alert again after previous alerts expire */
1674  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1675  alerts1 += PacketAlertCheck(p1, 1);
1676  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1677  alerts2 += PacketAlertCheck(p2, 1);
1678 
1679  FAIL_IF(alerts1 != 3);
1680  FAIL_IF(alerts2 != 3);
1681 
1682  SigGroupCleanup(de_ctx);
1683  SigCleanSignatures(de_ctx);
1684  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1685  DetectEngineCtxFree(de_ctx);
1686  UTHFreePackets(&p1, 1);
1687  UTHFreePackets(&p2, 1);
1688  HostShutdown();
1689  PASS;
1690 }
1691 
1692 static void ThresholdRegisterTests(void)
1693 {
1694  UtRegisterTest("ThresholdTestParse01", ThresholdTestParse01);
1695  UtRegisterTest("ThresholdTestParse02", ThresholdTestParse02);
1696  UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03);
1697  UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04);
1698  UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05);
1699  UtRegisterTest("ThresholdTestParse06", ThresholdTestParse06);
1700  UtRegisterTest("ThresholdTestParse07", ThresholdTestParse07);
1701  UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1);
1702  UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2);
1703  UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3);
1704  UtRegisterTest("DetectThresholdTestSig4", DetectThresholdTestSig4);
1705  UtRegisterTest("DetectThresholdTestSig5", DetectThresholdTestSig5);
1706  UtRegisterTest("DetectThresholdTestSig6Ticks",
1707  DetectThresholdTestSig6Ticks);
1708  UtRegisterTest("DetectThresholdTestSig7", DetectThresholdTestSig7);
1709  UtRegisterTest("DetectThresholdTestSig8", DetectThresholdTestSig8);
1710  UtRegisterTest("DetectThresholdTestSig9", DetectThresholdTestSig9);
1711  UtRegisterTest("DetectThresholdTestSig10", DetectThresholdTestSig10);
1712  UtRegisterTest("DetectThresholdTestSig11", DetectThresholdTestSig11);
1713  UtRegisterTest("DetectThresholdTestSig12", DetectThresholdTestSig12);
1714  UtRegisterTest("DetectThresholdTestSig13", DetectThresholdTestSig13);
1715  UtRegisterTest("DetectThresholdTestSig14", DetectThresholdTestSig14);
1716 }
1717 #endif /* UNITTESTS */
1718 
1719 /**
1720  * @}
1721  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:38
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1299
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
host-storage.h
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:162
SigTableElmt_::desc
const char * desc
Definition: detect.h:1298
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1286
util-hashlist.h
DetectParseRegex
Definition: detect-parse.h:62
SigTableElmt_::name
const char * name
Definition: detect.h:1296
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:165
DetectAddressHeadCleanup
void DetectAddressHeadCleanup(DetectAddressHead *gh)
Cleans a DetectAddressHead. The functions frees the address group heads(ipv4 and ipv6) inside the Det...
Definition: detect-engine-address.c:1478
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
action-globals.h
Packet_::action
uint8_t action
Definition: decode.h:590
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:130
HostRelease
void HostRelease(Host *h)
Definition: host.c:467
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1290
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:27
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
HostGetStorageById
void * HostGetStorageById(Host *h, HostStorageId id)
Get a value from a given Host storage.
Definition: host-storage.c:88
DE_QUIET
#define DE_QUIET
Definition: detect.h:324
DetectThresholdEntry_
Definition: detect-threshold.h:64
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1897
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
Definition: detect-parse.c:2674
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:54
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:244
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1281
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:93
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
UtilCpuGetTicks
uint64_t UtilCpuGetTicks(void)
Definition: util-cpu.c:161
DetectAddress_::prev
struct DetectAddress_ * prev
Definition: detect.h:174
Signature_::next
struct Signature_ * next
Definition: detect.h:668
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:36
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
util-cpu.h
Packet_::ts
SCTime_t ts
Definition: decode.h:485
SIG_TYPE_IPONLY
@ SIG_TYPE_IPONLY
Definition: detect.h:64
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:57
de
uint8_t de
Definition: app-layer-htp.c:581
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2800
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-threshold.c:63
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
StringParseUint32
int StringParseUint32(uint32_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:313
util-time.h
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2314
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:28
DetectAddressCopy
DetectAddress * DetectAddressCopy(DetectAddress *orig)
copy a DetectAddress
Definition: detect-engine-address.c:128
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2218
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:180
ThresholdHostStorageId
HostStorageId ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:76
Packet_
Definition: decode.h:437
detect-engine-build.h
TimeGet
SCTime_t TimeGet(void)
Definition: util-time.c:152
detect-engine-alert.h
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1264
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:345
IPPAIR_QUIET
#define IPPAIR_QUIET
Definition: ippair.h:89
DetectThresholdEntry_::current_count
uint32_t current_count
Definition: detect-threshold.h:71
DetectAddressHead_::ipv6_head
DetectAddress * ipv6_head
Definition: detect.h:182
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
SigMatch_::type
uint16_t type
Definition: detect.h:351
DetectThresholdData_
Definition: detect-threshold.h:53
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:299
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:29
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:100
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:596
SigMatch_
a single match condition for a signature
Definition: detect.h:350
detect-threshold.h
DetectAddress_::next
struct DetectAddress_ * next
Definition: detect.h:176
DetectThresholdRegister
void DetectThresholdRegister(void)
Registration function for threshold: keyword.
Definition: detect-threshold.c:79
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:591
suricata.h
Packet_::dst
Address dst
Definition: decode.h:442
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:168
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:619
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:841
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:275
Signature_::type
enum SignatureType type
Definition: detect.h:599
DetectThresholdDataCopy
DetectThresholdData * DetectThresholdDataCopy(DetectThresholdData *de)
Make a deep-copy of an extant DetectTHresholdData object.
Definition: detect-threshold.c:292
flow-var.h
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1478
DetectAddressHead_::ipv4_head
DetectAddress * ipv4_head
Definition: detect.h:181
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1288
detect-engine-threshold.h
DetectThresholdData_::addrs
DetectAddressHead addrs
Definition: detect-threshold.h:61
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:431