suricata
detect-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup threshold
20  * @{
21  */
22 
23 /**
24  * \file
25  *
26  * \author Breno Silva <breno.silva@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * Implements the threshold keyword.
30  *
31  * The feature depends on what is provided
32  * by detect-engine-threshold.c and util-threshold-config.c
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "decode.h"
38 
39 #include "host.h"
40 #include "host-storage.h"
41 
42 #include "detect.h"
43 #include "detect-parse.h"
44 
45 #include "flow-var.h"
46 #include "decode-events.h"
47 #include "stream-tcp.h"
48 
49 #include "detect-threshold.h"
50 #include "detect-engine-threshold.h"
51 #include "detect-engine-address.h"
52 
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-byte.h"
56 #include "util-debug.h"
57 
58 #ifdef UNITTESTS
59 #include "util-cpu.h"
60 #endif
61 
62 #define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*"
63 
64 static DetectParseRegex parse_regex;
65 
66 static int DetectThresholdMatch(DetectEngineThreadCtx *, Packet *,
67  const Signature *, const SigMatchCtx *);
68 static int DetectThresholdSetup(DetectEngineCtx *, Signature *, const char *);
69 static void DetectThresholdFree(DetectEngineCtx *, void *);
70 #ifdef UNITTESTS
71 static void ThresholdRegisterTests(void);
72 #endif
73 
74 /**
75  * \brief Registration function for threshold: keyword
76  */
77 
78 void DetectThresholdRegister(void)
79 {
80  sigmatch_table[DETECT_THRESHOLD].name = "threshold";
81  sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
82  sigmatch_table[DETECT_THRESHOLD].url = "/rules/thresholding.html#threshold";
83  sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
84  sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
85  sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;
86 #ifdef UNITTESTS
87  sigmatch_table[DETECT_THRESHOLD].RegisterTests = ThresholdRegisterTests;
88 #endif
89  /* this is compatible to ip-only signatures */
90  sigmatch_table[DETECT_THRESHOLD].flags |= SIGMATCH_IPONLY_COMPAT;
91 
92  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
93 }
94 
95 static int DetectThresholdMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
96  const Signature *s, const SigMatchCtx *ctx)
97 {
98  return 1;
99 }
100 
101 /**
102  * \internal
103  * \brief This function is used to parse threshold options passed via threshold: keyword
104  *
105  * \param rawstr Pointer to the user provided threshold options
106  *
107  * \retval de pointer to DetectThresholdData on success
108  * \retval NULL on failure
109  */
110 static DetectThresholdData *DetectThresholdParse(const char *rawstr)
111 {
112  DetectThresholdData *de = NULL;
113  int ret = 0, res = 0;
114  int ov[MAX_SUBSTRINGS];
115  const char *str_ptr = NULL;
116  char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
117  char *copy_str = NULL, *threshold_opt = NULL;
118  int second_found = 0, count_found = 0;
119  int type_found = 0, track_found = 0;
120  int second_pos = 0, count_pos = 0;
121  uint16_t pos = 0;
122  int i = 0;
123 
124  copy_str = SCStrdup(rawstr);
125  if (unlikely(copy_str == NULL)) {
126  goto error;
127  }
128 
129  char *saveptr = NULL;
130  for (pos = 0, threshold_opt = strtok_r(copy_str,",", &saveptr);
131  pos < strlen(copy_str) && threshold_opt != NULL;
132  pos++, threshold_opt = strtok_r(NULL,"," , &saveptr))
133  {
134  if(strstr(threshold_opt,"count"))
135  count_found++;
136  if(strstr(threshold_opt,"second"))
137  second_found++;
138  if(strstr(threshold_opt,"type"))
139  type_found++;
140  if(strstr(threshold_opt,"track"))
141  track_found++;
142  }
143  SCFree(copy_str);
144  copy_str = NULL;
145 
146  if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
147  goto error;
148 
149  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
150  if (ret < 5) {
151  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
152  goto error;
153  }
154 
155  de = SCMalloc(sizeof(DetectThresholdData));
156  if (unlikely(de == NULL))
157  goto error;
158 
159  memset(de,0,sizeof(DetectThresholdData));
160 
161  for (i = 0; i < (ret - 1); i++) {
162 
163  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS,i + 1, &str_ptr);
164 
165  if (res < 0) {
166  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
167  goto error;
168  }
169 
170  args[i] = (char *)str_ptr;
171 
172  if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
173  de->type = TYPE_LIMIT;
174  if (strncasecmp(args[i],"both",strlen("both")) == 0)
175  de->type = TYPE_BOTH;
176  if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
177  de->type = TYPE_THRESHOLD;
178  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
179  de->track = TRACK_DST;
180  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
181  de->track = TRACK_SRC;
182  if (strncasecmp(args[i],"by_both",strlen("by_both")) == 0)
183  de->track = TRACK_BOTH;
184  if (strncasecmp(args[i],"by_rule",strlen("by_rule")) == 0)
185  de->track = TRACK_RULE;
186  if (strncasecmp(args[i],"count",strlen("count")) == 0)
187  count_pos = i+1;
188  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
189  second_pos = i+1;
190  }
191 
192  if (args[count_pos] == NULL || args[second_pos] == NULL) {
193  goto error;
194  }
195 
196  if (StringParseUint32(&de->count, 10, strlen(args[count_pos]),
197  args[count_pos]) <= 0) {
198  goto error;
199  }
200 
201  if (StringParseUint32(&de->seconds, 10, strlen(args[second_pos]),
202  args[second_pos]) <= 0) {
203  goto error;
204  }
205 
206  for (i = 0; i < (ret - 1); i++){
207  if (args[i] != NULL) SCFree(args[i]);
208  }
209  return de;
210 
211 error:
212  for (i = 0; i < (ret - 1); i++){
213  if (args[i] != NULL) SCFree(args[i]);
214  }
215  if (de != NULL)
216  SCFree(de);
217  return NULL;
218 }
219 
220 /**
221  * \internal
222  * \brief this function is used to add the parsed threshold into the current signature
223  *
224  * \param de_ctx pointer to the Detection Engine Context
225  * \param s pointer to the Current Signature
226  * \param rawstr pointer to the user provided threshold options
227  *
228  * \retval 0 on Success
229  * \retval -1 on Failure
230  */
231 static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
232 {
233  DetectThresholdData *de = NULL;
234  SigMatch *sm = NULL;
235  SigMatch *tmpm = NULL;
236 
237  /* checks if there is a previous instance of detection_filter */
238  tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
239  if (tmpm != NULL) {
240  if (tmpm->type == DETECT_DETECTION_FILTER) {
241  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
242  "\"threshold\" are not allowed in the same rule");
243  } else {
244  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiple \"threshold\" "
245  "options are not allowed in the same rule");
246  }
247  SCReturnInt(-1);
248  }
249 
250  de = DetectThresholdParse(rawstr);
251  if (de == NULL)
252  goto error;
253 
254  if (de->track == TRACK_RULE)
255  ThresholdHashRealloc(de_ctx);
256 
257  sm = SigMatchAlloc();
258  if (sm == NULL)
259  goto error;
260 
261  sm->type = DETECT_THRESHOLD;
262  sm->ctx = (SigMatchCtx *)de;
263 
264  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_THRESHOLD);
265 
266  return 0;
267 
268 error:
269  if (de) SCFree(de);
270  if (sm) SCFree(sm);
271  return -1;
272 }
273 
274 /**
275  * \internal
276  * \brief this function will free memory associated with DetectThresholdData
277  *
278  * \param de pointer to DetectThresholdData
279  */
280 static void DetectThresholdFree(DetectEngineCtx *de_ctx, void *de_ptr)
281 {
282  DetectThresholdData *de = (DetectThresholdData *)de_ptr;
283  if (de) {
284  DetectAddressHeadCleanup(&de->addrs);
285  SCFree(de);
286  }
287 }
288 
289 /*
290  * ONLY TESTS BELOW THIS COMMENT
291  */
292 #ifdef UNITTESTS
293 #include "detect-engine.h"
294 #include "detect-engine-mpm.h"
295 #include "util-time.h"
296 #include "util-hashlist.h"
297 
298 /**
299  * \test ThresholdTestParse01 is a test for a valid threshold options
300  *
301  * \retval 1 on success
302  * \retval 0 on failure
303  */
304 static int ThresholdTestParse01(void)
305 {
306  DetectThresholdData *de = NULL;
307  de = DetectThresholdParse("type limit,track by_dst,count 10,seconds 60");
308  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
309  DetectThresholdFree(NULL, de);
310  return 1;
311  }
312 
313  return 0;
314 }
315 
316 /**
317  * \test ThresholdTestParse02 is a test for a invalid threshold options
318  *
319  * \retval 1 on success
320  * \retval 0 on failure
321  */
322 static int ThresholdTestParse02(void)
323 {
324  DetectThresholdData *de = NULL;
325  de = DetectThresholdParse("type any,track by_dst,count 10,seconds 60");
326  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
327  DetectThresholdFree(NULL, de);
328  return 0;
329  }
330 
331  return 1;
332 }
333 
334 /**
335  * \test ThresholdTestParse03 is a test for a valid threshold options in any order
336  *
337  * \retval 1 on success
338  * \retval 0 on failure
339  */
340 static int ThresholdTestParse03(void)
341 {
342  DetectThresholdData *de = NULL;
343  de = DetectThresholdParse("track by_dst, type limit, seconds 60, count 10");
344  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
345  DetectThresholdFree(NULL, de);
346  return 1;
347  }
348 
349  return 0;
350 }
351 
352 
353 /**
354  * \test ThresholdTestParse04 is a test for an invalid threshold options in any order
355  *
356  * \retval 1 on success
357  * \retval 0 on failure
358  */
359 static int ThresholdTestParse04(void)
360 {
361  DetectThresholdData *de = NULL;
362  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both, count 10");
363  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
364  DetectThresholdFree(NULL, de);
365  return 0;
366  }
367 
368  return 1;
369 }
370 
371 /**
372  * \test ThresholdTestParse05 is a test for a valid threshold options in any order
373  *
374  * \retval 1 on success
375  * \retval 0 on failure
376  */
377 static int ThresholdTestParse05(void)
378 {
379  DetectThresholdData *de = NULL;
380  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both");
381  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
382  DetectThresholdFree(NULL, de);
383  return 1;
384  }
385 
386  return 0;
387 }
388 
389 /**
390  * \test ThresholdTestParse06 is a test for thresholding by_both
391  *
392  * \retval 1 on success
393  * \retval 0 on failure
394  */
395 static int ThresholdTestParse06(void)
396 {
397  DetectThresholdData *de = NULL;
398  de = DetectThresholdParse("count 10, track by_both, seconds 60, type limit");
399  FAIL_IF_NULL(de);
400  FAIL_IF_NOT(de->type == TYPE_LIMIT);
401  FAIL_IF_NOT(de->track == TRACK_BOTH);
402  FAIL_IF_NOT(de->count == 10);
403  FAIL_IF_NOT(de->seconds == 60);
404  DetectThresholdFree(NULL, de);
405  PASS;
406 }
407 
408 /**
409  * \test ThresholdTestParse07 is a test for thresholding by_rule
410  *
411  * \retval 1 on success
412  * \retval 0 on failure
413  */
414 static int ThresholdTestParse07(void)
415 {
416  DetectThresholdData *de = NULL;
417  de = DetectThresholdParse("count 10, track by_rule, seconds 60, type limit");
418  FAIL_IF_NULL(de);
419  FAIL_IF_NOT(de->type == TYPE_LIMIT);
420  FAIL_IF_NOT(de->track == TRACK_RULE);
421  FAIL_IF_NOT(de->count == 10);
422  FAIL_IF_NOT(de->seconds == 60);
423  DetectThresholdFree(NULL, de);
424  PASS;
425 }
426 
427 /**
428  * \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
429  * by setting up the signature and later testing its working by matching
430  * the received packet against the sig.
431  *
432  * \retval 1 on success
433  * \retval 0 on failure
434  */
435 
436 static int DetectThresholdTestSig1(void)
437 {
438  Packet *p = NULL;
439  Signature *s = NULL;
440  ThreadVars th_v;
441  DetectEngineThreadCtx *det_ctx;
442  int result = 0;
443  int alerts = 0;
444 
445  HostInitConfig(HOST_QUIET);
446 
447  memset(&th_v, 0, sizeof(th_v));
448 
449  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
450 
451  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
452  if (de_ctx == NULL) {
453  goto end;
454  }
455 
456  de_ctx->flags |= DE_QUIET;
457 
458  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
459  if (s == NULL) {
460  goto end;
461  }
462 
463  SigGroupBuild(de_ctx);
464 
465  if (s->flags & SIG_FLAG_IPONLY) {
466  printf("signature is ip-only: ");
467  goto end;
468  }
469 
470  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
471 
472  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
473  alerts = PacketAlertCheck(p, 1);
474  if (alerts != 1) {
475  printf("alerts %"PRIi32", expected 1: ", alerts);
476  }
477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
478  alerts += PacketAlertCheck(p, 1);
479  if (alerts != 2) {
480  printf("alerts %"PRIi32", expected 2: ", alerts);
481  }
482  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
483  alerts += PacketAlertCheck(p, 1);
484  if (alerts != 3) {
485  printf("alerts %"PRIi32", expected 3: ", alerts);
486  }
487  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
488  alerts += PacketAlertCheck(p, 1);
489  if (alerts != 4) {
490  printf("alerts %"PRIi32", expected 4: ", alerts);
491  }
492  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
493  alerts += PacketAlertCheck(p, 1);
494  if (alerts != 5) {
495  printf("alerts %"PRIi32", expected 5: ", alerts);
496  }
497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
498  alerts += PacketAlertCheck(p, 1);
499  if (alerts != 5) {
500  printf("alerts %"PRIi32", expected 5: ", alerts);
501  }
502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
503  alerts += PacketAlertCheck(p, 1);
504  if (alerts != 5) {
505  printf("alerts %"PRIi32", expected 5: ", alerts);
506  }
507  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
508  alerts += PacketAlertCheck(p, 1);
509  if (alerts != 5) {
510  printf("alerts %"PRIi32", expected 5: ", alerts);
511  }
512 
513  if(alerts == 5)
514  result = 1;
515  else
516  printf("alerts %"PRIi32", expected 5: ", alerts);
517 
518  SigGroupCleanup(de_ctx);
519  SigCleanSignatures(de_ctx);
520 
521  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
522  DetectEngineCtxFree(de_ctx);
523 
524  UTHFreePackets(&p, 1);
525 
526  HostShutdown();
527 end:
528  return result;
529 }
530 
531 /**
532  * \test DetectThresholdTestSig2 is a test for checking the working of threshold keyword
533  * by setting up the signature and later testing its working by matching
534  * the received packet against the sig.
535  *
536  * \retval 1 on success
537  * \retval 0 on failure
538  */
539 
540 static int DetectThresholdTestSig2(void)
541 {
542  Packet *p = NULL;
543  Signature *s = NULL;
544  ThreadVars th_v;
545  DetectEngineThreadCtx *det_ctx;
546  int result = 0;
547  int alerts = 0;
548 
549  HostInitConfig(HOST_QUIET);
550 
551  memset(&th_v, 0, sizeof(th_v));
552 
553  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
554 
555  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
556  if (de_ctx == NULL) {
557  goto end;
558  }
559 
560  de_ctx->flags |= DE_QUIET;
561 
562  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
563  if (s == NULL) {
564  goto end;
565  }
566 
567  SigGroupBuild(de_ctx);
568  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
569 
570  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
571  alerts = PacketAlertCheck(p, 1);
572  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
573  alerts += PacketAlertCheck(p, 1);
574  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
575  alerts += PacketAlertCheck(p, 1);
576  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
577  alerts += PacketAlertCheck(p, 1);
578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
579  alerts += PacketAlertCheck(p, 1);
580  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
581  alerts += PacketAlertCheck(p, 1);
582  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
583  alerts += PacketAlertCheck(p, 1);
584  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
585  alerts += PacketAlertCheck(p, 1);
586  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
587  alerts += PacketAlertCheck(p, 1);
588  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
589  alerts += PacketAlertCheck(p, 1);
590 
591  if (alerts == 2)
592  result = 1;
593  else
594  goto cleanup;
595 
596 cleanup:
597  SigGroupCleanup(de_ctx);
598  SigCleanSignatures(de_ctx);
599 
600  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
601  DetectEngineCtxFree(de_ctx);
602 
603 end:
604  UTHFreePackets(&p, 1);
605  HostShutdown();
606  return result;
607 }
608 
609 /**
610  * \test DetectThresholdTestSig3 is a test for checking the working of limit keyword
611  * by setting up the signature and later testing its working by matching
612  * the received packet against the sig.
613  *
614  * \retval 1 on success
615  * \retval 0 on failure
616  */
617 
618 static int DetectThresholdTestSig3(void)
619 {
620  Packet *p = NULL;
621  Signature *s = NULL;
622  ThreadVars th_v;
623  DetectEngineThreadCtx *det_ctx;
624  int result = 0;
625  int alerts = 0;
626  struct timeval ts;
627  DetectThresholdEntry *lookup_tsh = NULL;
628 
629  HostInitConfig(HOST_QUIET);
630 
631  memset (&ts, 0, sizeof(struct timeval));
632  TimeGet(&ts);
633 
634  memset(&th_v, 0, sizeof(th_v));
635 
636  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
637 
638  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
639  if (de_ctx == NULL) {
640  goto end;
641  }
642 
643  de_ctx->flags |= DE_QUIET;
644 
645  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
646  if (s == NULL) {
647  goto end;
648  }
649 
650  SigGroupBuild(de_ctx);
651  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
652 
653  TimeGet(&p->ts);
654 
655  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
656  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
657  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
658 
659  Host *host = HostLookupHostFromHash(&p->dst);
660  if (host == NULL) {
661  printf("host not found: ");
662  goto cleanup;
663  }
664 
665  if (!(ThresholdHostHasThreshold(host))) {
666  HostRelease(host);
667  printf("host has no threshold: ");
668  goto cleanup;
669  }
670  HostRelease(host);
671 
672  TimeSetIncrementTime(200);
673  TimeGet(&p->ts);
674 
675  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
676  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
677  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
678 
679  host = HostLookupHostFromHash(&p->dst);
680  if (host == NULL) {
681  printf("host not found: ");
682  goto cleanup;
683  }
684  HostRelease(host);
685 
686  lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
687  if (lookup_tsh == NULL) {
688  HostRelease(host);
689  printf("lookup_tsh is NULL: ");
690  goto cleanup;
691  }
692 
693  alerts = lookup_tsh->current_count;
694 
695  if (alerts == 3)
696  result = 1;
697  else {
698  printf("alerts %u != 3: ", alerts);
699  goto cleanup;
700  }
701 
702 cleanup:
703  SigGroupCleanup(de_ctx);
704  SigCleanSignatures(de_ctx);
705 
706  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
707  DetectEngineCtxFree(de_ctx);
708 end:
709  UTHFreePackets(&p, 1);
710  HostShutdown();
711  return result;
712 }
713 
714 /**
715  * \test DetectThresholdTestSig4 is a test for checking the working of both keyword
716  * by setting up the signature and later testing its working by matching
717  * the received packet against the sig.
718  *
719  * \retval 1 on success
720  * \retval 0 on failure
721  */
722 
723 static int DetectThresholdTestSig4(void)
724 {
725  Packet *p = NULL;
726  Signature *s = NULL;
727  ThreadVars th_v;
728  DetectEngineThreadCtx *det_ctx;
729  int result = 0;
730  int alerts = 0;
731  struct timeval ts;
732 
733  HostInitConfig(HOST_QUIET);
734 
735  memset (&ts, 0, sizeof(struct timeval));
736  TimeGet(&ts);
737 
738  memset(&th_v, 0, sizeof(th_v));
739 
740  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
741 
742  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
743  if (de_ctx == NULL) {
744  goto end;
745  }
746 
747  de_ctx->flags |= DE_QUIET;
748 
749  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
750  if (s == NULL) {
751  goto end;
752  }
753 
754  SigGroupBuild(de_ctx);
755  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
756 
757  TimeGet(&p->ts);
758  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
759  alerts = PacketAlertCheck(p, 10);
760  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
761  alerts += PacketAlertCheck(p, 10);
762  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
763  alerts += PacketAlertCheck(p, 10);
764 
765  TimeSetIncrementTime(200);
766  TimeGet(&p->ts);
767 
768  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
769  alerts += PacketAlertCheck(p, 10);
770  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
771  alerts += PacketAlertCheck(p, 10);
772  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
773  alerts += PacketAlertCheck(p, 10);
774 
775  if (alerts == 2)
776  result = 1;
777  else
778  goto cleanup;
779 
780 cleanup:
781  SigGroupCleanup(de_ctx);
782  SigCleanSignatures(de_ctx);
783 
784  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
785  DetectEngineCtxFree(de_ctx);
786 end:
787  UTHFreePackets(&p, 1);
788  HostShutdown();
789  return result;
790 }
791 
792 /**
793  * \test DetectThresholdTestSig5 is a test for checking the working of limit keyword
794  * by setting up the signature and later testing its working by matching
795  * the received packet against the sig.
796  *
797  * \retval 1 on success
798  * \retval 0 on failure
799  */
800 
801 static int DetectThresholdTestSig5(void)
802 {
803  Packet *p = NULL;
804  Signature *s = NULL;
805  ThreadVars th_v;
806  DetectEngineThreadCtx *det_ctx;
807  int result = 0;
808  int alerts = 0;
809 
810  HostInitConfig(HOST_QUIET);
811 
812  memset(&th_v, 0, sizeof(th_v));
813  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
814 
815  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
816  if (de_ctx == NULL) {
817  goto end;
818  }
819 
820  de_ctx->flags |= DE_QUIET;
821 
822  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
823  if (s == NULL) {
824  goto end;
825  }
826 
827  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
828  if (s == NULL) {
829  goto end;
830  }
831 
832  SigGroupBuild(de_ctx);
833  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
834 
835  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
836  alerts = PacketAlertCheck(p, 1);
837  alerts += PacketAlertCheck(p, 1000);
838  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
839  alerts += PacketAlertCheck(p, 1);
840  alerts += PacketAlertCheck(p, 1000);
841  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
842  alerts += PacketAlertCheck(p, 1);
843  alerts += PacketAlertCheck(p, 1000);
844  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
845  alerts += PacketAlertCheck(p, 1);
846  alerts += PacketAlertCheck(p, 1000);
847  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
848  alerts += PacketAlertCheck(p, 1);
849  alerts += PacketAlertCheck(p, 1000);
850  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
851  alerts += PacketAlertCheck(p, 1);
852  alerts += PacketAlertCheck(p, 1000);
853  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
854  alerts += PacketAlertCheck(p, 1);
855  alerts += PacketAlertCheck(p, 1000);
856  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
857  alerts += PacketAlertCheck(p, 1);
858  alerts += PacketAlertCheck(p, 1000);
859 
860  if(alerts == 10)
861  result = 1;
862  else {
863  printf("alerts %d != 10: ", alerts);
864  goto cleanup;
865  }
866 
867 cleanup:
868  SigGroupCleanup(de_ctx);
869  SigCleanSignatures(de_ctx);
870 
871  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
872  DetectEngineCtxFree(de_ctx);
873 
874 end:
875  UTHFreePackets(&p, 1);
876  HostShutdown();
877  return result;
878 }
879 
880 static int DetectThresholdTestSig6Ticks(void)
881 {
882  Packet *p = NULL;
883  Signature *s = NULL;
884  ThreadVars th_v;
885  DetectEngineThreadCtx *det_ctx;
886  int result = 0;
887  int alerts = 0;
888 
889  HostInitConfig(HOST_QUIET);
890 
891  memset(&th_v, 0, sizeof(th_v));
892  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
893 
894  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
895  if (de_ctx == NULL) {
896  goto end;
897  }
898 
899  de_ctx->flags |= DE_QUIET;
900 
901  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
902  if (s == NULL) {
903  goto end;
904  }
905 
906  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
907  if (s == NULL) {
908  goto end;
909  }
910 
911  SigGroupBuild(de_ctx);
912  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
913 
914  uint64_t ticks_start = 0;
915  uint64_t ticks_end = 0;
916 
917  ticks_start = UtilCpuGetTicks();
918  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
919  alerts = PacketAlertCheck(p, 1);
920  alerts += PacketAlertCheck(p, 1000);
921  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
922  alerts += PacketAlertCheck(p, 1);
923  alerts += PacketAlertCheck(p, 1000);
924  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
925  alerts += PacketAlertCheck(p, 1);
926  alerts += PacketAlertCheck(p, 1000);
927  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
928  alerts += PacketAlertCheck(p, 1);
929  alerts += PacketAlertCheck(p, 1000);
930  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
931  alerts += PacketAlertCheck(p, 1);
932  alerts += PacketAlertCheck(p, 1000);
933  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
934  alerts += PacketAlertCheck(p, 1);
935  alerts += PacketAlertCheck(p, 1000);
936  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
937  alerts += PacketAlertCheck(p, 1);
938  alerts += PacketAlertCheck(p, 1000);
939  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
940  alerts += PacketAlertCheck(p, 1);
941  alerts += PacketAlertCheck(p, 1000);
942  ticks_end = UtilCpuGetTicks();
943  printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
944 
945  if(alerts == 10)
946  result = 1;
947  else
948  goto cleanup;
949 
950 cleanup:
951  SigGroupCleanup(de_ctx);
952  SigCleanSignatures(de_ctx);
953 
954  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
955  DetectEngineCtxFree(de_ctx);
956 
957 end:
958  UTHFreePackets(&p, 1);
959  HostShutdown();
960  return result;
961 }
962 
963 /**
964  * \test Test drop action being set even if thresholded
965  */
966 static int DetectThresholdTestSig7(void)
967 {
968  Packet *p = NULL;
969  Signature *s = NULL;
970  ThreadVars th_v;
971  DetectEngineThreadCtx *det_ctx;
972  int result = 0;
973  int alerts = 0;
974  int drops = 0;
975  struct timeval ts;
976 
977  HostInitConfig(HOST_QUIET);
978 
979  memset (&ts, 0, sizeof(struct timeval));
980  TimeGet(&ts);
981 
982  memset(&th_v, 0, sizeof(th_v));
983 
984  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
985 
986  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
987  if (de_ctx == NULL) {
988  goto end;
989  }
990 
991  de_ctx->flags |= DE_QUIET;
992 
993  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 1, seconds 300; sid:10;)");
994  if (s == NULL) {
995  goto end;
996  }
997 
998  SigGroupBuild(de_ctx);
999  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1000 
1001  TimeGet(&p->ts);
1002  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1003  alerts = PacketAlertCheck(p, 10);
1004  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1005  p->action = 0;
1006 
1007  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1008  alerts += PacketAlertCheck(p, 10);
1009  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1010  p->action = 0;
1011 
1012  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1013  alerts += PacketAlertCheck(p, 10);
1014  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1015  p->action = 0;
1016 
1017  TimeSetIncrementTime(200);
1018  TimeGet(&p->ts);
1019 
1020  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1021  alerts += PacketAlertCheck(p, 10);
1022  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1023  p->action = 0;
1024 
1025  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1026  alerts += PacketAlertCheck(p, 10);
1027  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1028  p->action = 0;
1029 
1030  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1031  alerts += PacketAlertCheck(p, 10);
1032  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1033  p->action = 0;
1034 
1035  if (alerts == 1 && drops == 6)
1036  result = 1;
1037  else {
1038  if (alerts != 1)
1039  printf("alerts: %d != 1: ", alerts);
1040  if (drops != 6)
1041  printf("drops: %d != 6: ", drops);
1042  goto cleanup;
1043  }
1044 
1045 cleanup:
1046  SigGroupCleanup(de_ctx);
1047  SigCleanSignatures(de_ctx);
1048 
1049  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1050  DetectEngineCtxFree(de_ctx);
1051 end:
1052  UTHFreePackets(&p, 1);
1053  HostShutdown();
1054  return result;
1055 }
1056 
1057 /**
1058  * \test Test drop action being set even if thresholded
1059  */
1060 static int DetectThresholdTestSig8(void)
1061 {
1062  Packet *p = NULL;
1063  Signature *s = NULL;
1064  ThreadVars th_v;
1065  DetectEngineThreadCtx *det_ctx;
1066  int result = 0;
1067  int alerts = 0;
1068  int drops = 0;
1069  struct timeval ts;
1070 
1071  HostInitConfig(HOST_QUIET);
1072 
1073  memset (&ts, 0, sizeof(struct timeval));
1074  TimeGet(&ts);
1075 
1076  memset(&th_v, 0, sizeof(th_v));
1077 
1078  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1079 
1080  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1081  if (de_ctx == NULL) {
1082  goto end;
1083  }
1084 
1085  de_ctx->flags |= DE_QUIET;
1086 
1087  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 2, seconds 300; sid:10;)");
1088  if (s == NULL) {
1089  goto end;
1090  }
1091 
1092  SigGroupBuild(de_ctx);
1093  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1094 
1095  TimeGet(&p->ts);
1096  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1097  alerts = PacketAlertCheck(p, 10);
1098  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1099  p->action = 0;
1100 
1101  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1102  alerts += PacketAlertCheck(p, 10);
1103  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1104  p->action = 0;
1105 
1106  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1107  alerts += PacketAlertCheck(p, 10);
1108  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1109  p->action = 0;
1110 
1111  TimeSetIncrementTime(200);
1112  TimeGet(&p->ts);
1113 
1114  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1115  alerts += PacketAlertCheck(p, 10);
1116  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1117  p->action = 0;
1118 
1119  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1120  alerts += PacketAlertCheck(p, 10);
1121  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1122  p->action = 0;
1123 
1124  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1125  alerts += PacketAlertCheck(p, 10);
1126  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1127  p->action = 0;
1128 
1129  if (alerts == 2 && drops == 6)
1130  result = 1;
1131  else {
1132  if (alerts != 1)
1133  printf("alerts: %d != 1: ", alerts);
1134  if (drops != 6)
1135  printf("drops: %d != 6: ", drops);
1136  goto cleanup;
1137  }
1138 
1139 cleanup:
1140  SigGroupCleanup(de_ctx);
1141  SigCleanSignatures(de_ctx);
1142 
1143  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1144  DetectEngineCtxFree(de_ctx);
1145 end:
1146  UTHFreePackets(&p, 1);
1147  HostShutdown();
1148  return result;
1149 }
1150 
1151 /**
1152  * \test Test drop action being set even if thresholded
1153  */
1154 static int DetectThresholdTestSig9(void)
1155 {
1156  Packet *p = NULL;
1157  Signature *s = NULL;
1158  ThreadVars th_v;
1159  DetectEngineThreadCtx *det_ctx;
1160  int result = 0;
1161  int alerts = 0;
1162  int drops = 0;
1163  struct timeval ts;
1164 
1165  HostInitConfig(HOST_QUIET);
1166 
1167  memset (&ts, 0, sizeof(struct timeval));
1168  TimeGet(&ts);
1169 
1170  memset(&th_v, 0, sizeof(th_v));
1171 
1172  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1173 
1174  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1175  if (de_ctx == NULL) {
1176  goto end;
1177  }
1178 
1179  de_ctx->flags |= DE_QUIET;
1180 
1181  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 3, seconds 100; sid:10;)");
1182  if (s == NULL) {
1183  goto end;
1184  }
1185 
1186  SigGroupBuild(de_ctx);
1187  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1188 
1189  TimeGet(&p->ts);
1190  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1191  alerts = PacketAlertCheck(p, 10);
1192  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1193  p->action = 0;
1194 
1195  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1196  alerts += PacketAlertCheck(p, 10);
1197  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1198  p->action = 0;
1199 
1200  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1201  alerts += PacketAlertCheck(p, 10);
1202  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1203  p->action = 0;
1204 
1205  TimeSetIncrementTime(200);
1206  TimeGet(&p->ts);
1207 
1208  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1209  alerts += PacketAlertCheck(p, 10);
1210  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1211  p->action = 0;
1212 
1213  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1214  alerts += PacketAlertCheck(p, 10);
1215  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1216  p->action = 0;
1217 
1218  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1219  alerts += PacketAlertCheck(p, 10);
1220  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1221  p->action = 0;
1222 
1223  if (alerts == 2 && drops == 2)
1224  result = 1;
1225  else {
1226  if (alerts != 2)
1227  printf("alerts: %d != 2: ", alerts);
1228  if (drops != 2)
1229  printf("drops: %d != 2: ", drops);
1230  goto cleanup;
1231  }
1232 
1233 cleanup:
1234  SigGroupCleanup(de_ctx);
1235  SigCleanSignatures(de_ctx);
1236 
1237  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1238  DetectEngineCtxFree(de_ctx);
1239 end:
1240  UTHFreePackets(&p, 1);
1241  HostShutdown();
1242  return result;
1243 }
1244 
1245 /**
1246  * \test Test drop action being set even if thresholded
1247  */
1248 static int DetectThresholdTestSig10(void)
1249 {
1250  Packet *p = NULL;
1251  Signature *s = NULL;
1252  ThreadVars th_v;
1253  DetectEngineThreadCtx *det_ctx;
1254  int result = 0;
1255  int alerts = 0;
1256  int drops = 0;
1257  struct timeval ts;
1258 
1259  HostInitConfig(HOST_QUIET);
1260 
1261  memset (&ts, 0, sizeof(struct timeval));
1262  TimeGet(&ts);
1263 
1264  memset(&th_v, 0, sizeof(th_v));
1265 
1266  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1267 
1268  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1269  if (de_ctx == NULL) {
1270  goto end;
1271  }
1272 
1273  de_ctx->flags |= DE_QUIET;
1274 
1275  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 5, seconds 300; sid:10;)");
1276  if (s == NULL) {
1277  goto end;
1278  }
1279 
1280  SigGroupBuild(de_ctx);
1281  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1282 
1283  TimeGet(&p->ts);
1284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1285  alerts = PacketAlertCheck(p, 10);
1286  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1287  p->action = 0;
1288 
1289  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1290  alerts += PacketAlertCheck(p, 10);
1291  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1292  p->action = 0;
1293 
1294  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1295  alerts += PacketAlertCheck(p, 10);
1296  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1297  p->action = 0;
1298 
1299  TimeSetIncrementTime(200);
1300  TimeGet(&p->ts);
1301 
1302  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1303  alerts += PacketAlertCheck(p, 10);
1304  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1305  p->action = 0;
1306 
1307  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1308  alerts += PacketAlertCheck(p, 10);
1309  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1310  p->action = 0;
1311 
1312  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1313  alerts += PacketAlertCheck(p, 10);
1314  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1315  p->action = 0;
1316 
1317  if (alerts == 1 && drops == 1)
1318  result = 1;
1319  else {
1320  if (alerts != 1)
1321  printf("alerts: %d != 1: ", alerts);
1322  if (drops != 1)
1323  printf("drops: %d != 1: ", drops);
1324  goto cleanup;
1325  }
1326 
1327 cleanup:
1328  SigGroupCleanup(de_ctx);
1329  SigCleanSignatures(de_ctx);
1330 
1331  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1332  DetectEngineCtxFree(de_ctx);
1333 end:
1334  UTHFreePackets(&p, 1);
1335  HostShutdown();
1336  return result;
1337 }
1338 
1339 /**
1340  * \test Test drop action being set even if thresholded
1341  */
1342 static int DetectThresholdTestSig11(void)
1343 {
1344  Packet *p = NULL;
1345  Signature *s = NULL;
1346  ThreadVars th_v;
1347  DetectEngineThreadCtx *det_ctx;
1348  int result = 0;
1349  int alerts = 0;
1350  int drops = 0;
1351  struct timeval ts;
1352 
1353  HostInitConfig(HOST_QUIET);
1354 
1355  memset (&ts, 0, sizeof(struct timeval));
1356  TimeGet(&ts);
1357 
1358  memset(&th_v, 0, sizeof(th_v));
1359 
1360  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1361 
1362  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1363  if (de_ctx == NULL) {
1364  goto end;
1365  }
1366 
1367  de_ctx->flags |= DE_QUIET;
1368 
1369  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 3, seconds 300; sid:10;)");
1370  if (s == NULL) {
1371  goto end;
1372  }
1373 
1374  SigGroupBuild(de_ctx);
1375  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1376 
1377  TimeGet(&p->ts);
1378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1379  alerts = PacketAlertCheck(p, 10);
1380  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1381  p->action = 0;
1382 
1383  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1384  alerts += PacketAlertCheck(p, 10);
1385  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1386  p->action = 0;
1387 
1388  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1389  alerts += PacketAlertCheck(p, 10);
1390  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1391  p->action = 0;
1392 
1393  TimeSetIncrementTime(200);
1394  TimeGet(&p->ts);
1395 
1396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1397  alerts += PacketAlertCheck(p, 10);
1398  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1399  p->action = 0;
1400 
1401  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1402  alerts += PacketAlertCheck(p, 10);
1403  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1404  p->action = 0;
1405 
1406  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1407  alerts += PacketAlertCheck(p, 10);
1408  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1409  p->action = 0;
1410 
1411  if (alerts == 1 && drops == 4)
1412  result = 1;
1413  else {
1414  if (alerts != 1)
1415  printf("alerts: %d != 1: ", alerts);
1416  if (drops != 4)
1417  printf("drops: %d != 4: ", drops);
1418  goto cleanup;
1419  }
1420 
1421 cleanup:
1422  SigGroupCleanup(de_ctx);
1423  SigCleanSignatures(de_ctx);
1424 
1425  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1426  DetectEngineCtxFree(de_ctx);
1427 end:
1428  UTHFreePackets(&p, 1);
1429  HostShutdown();
1430  return result;
1431 }
1432 
1433 /**
1434  * \test Test drop action being set even if thresholded
1435  */
1436 static int DetectThresholdTestSig12(void)
1437 {
1438  Packet *p = NULL;
1439  Signature *s = NULL;
1440  ThreadVars th_v;
1441  DetectEngineThreadCtx *det_ctx;
1442  int result = 0;
1443  int alerts = 0;
1444  int drops = 0;
1445  struct timeval ts;
1446 
1447  HostInitConfig(HOST_QUIET);
1448 
1449  memset (&ts, 0, sizeof(struct timeval));
1450  TimeGet(&ts);
1451 
1452  memset(&th_v, 0, sizeof(th_v));
1453 
1454  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1455 
1456  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1457  if (de_ctx == NULL) {
1458  goto end;
1459  }
1460 
1461  de_ctx->flags |= DE_QUIET;
1462 
1463  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 5, seconds 300; sid:10;)");
1464  if (s == NULL) {
1465  goto end;
1466  }
1467 
1468  SigGroupBuild(de_ctx);
1469  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1470 
1471  TimeGet(&p->ts);
1472  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1473  alerts = PacketAlertCheck(p, 10);
1474  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1475  p->action = 0;
1476 
1477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1478  alerts += PacketAlertCheck(p, 10);
1479  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1480  p->action = 0;
1481 
1482  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1483  alerts += PacketAlertCheck(p, 10);
1484  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1485  p->action = 0;
1486 
1487  TimeSetIncrementTime(200);
1488  TimeGet(&p->ts);
1489 
1490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1491  alerts += PacketAlertCheck(p, 10);
1492  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1493  p->action = 0;
1494 
1495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1496  alerts += PacketAlertCheck(p, 10);
1497  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1498  p->action = 0;
1499 
1500  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1501  alerts += PacketAlertCheck(p, 10);
1502  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1503  p->action = 0;
1504 
1505  if (alerts == 1 && drops == 2)
1506  result = 1;
1507  else {
1508  if (alerts != 1)
1509  printf("alerts: %d != 1: ", alerts);
1510  if (drops != 2)
1511  printf("drops: %d != 2: ", drops);
1512  goto cleanup;
1513  }
1514 
1515 cleanup:
1516  SigGroupCleanup(de_ctx);
1517  SigCleanSignatures(de_ctx);
1518 
1519  DetectEngineThreadCtxDeinit(&th_v, (void*)det_ctx);
1520  DetectEngineCtxFree(de_ctx);
1521 end:
1522  UTHFreePackets(&p, 1);
1523  HostShutdown();
1524  return result;
1525 }
1526 
1527 /**
1528  * \test DetectThresholdTestSig13 is a test for checking the working by_rule limits
1529  * by setting up the signature and later testing its working by matching
1530  * received packets against the sig.
1531  *
1532  * \retval 1 on success
1533  * \retval 0 on failure
1534  */
1535 
1536 static int DetectThresholdTestSig13(void)
1537 {
1538  Packet *p = NULL;
1539  Signature *s = NULL;
1540  ThreadVars th_v;
1541  DetectEngineThreadCtx *det_ctx;
1542  int alerts = 0;
1543 
1544  HostInitConfig(HOST_QUIET);
1545 
1546  memset(&th_v, 0, sizeof(th_v));
1547  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1548  FAIL_IF_NULL(p);
1549 
1550  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1551  FAIL_IF_NULL(de_ctx);
1552 
1553  de_ctx->flags |= DE_QUIET;
1554 
1555  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_rule, count 2, seconds 60; sid:1;)");
1556  FAIL_IF_NULL(s);
1557 
1558  SigGroupBuild(de_ctx);
1559  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1560  ThresholdHashRealloc(de_ctx);
1561 
1562  /* should alert twice */
1563  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1564  alerts += PacketAlertCheck(p, 1);
1565  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1566  alerts += PacketAlertCheck(p, 1);
1567  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1568  alerts += PacketAlertCheck(p, 1);
1569  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1570  alerts += PacketAlertCheck(p, 1);
1571 
1572  FAIL_IF(alerts != 2);
1573 
1574  TimeSetIncrementTime(70);
1575  TimeGet(&p->ts);
1576 
1577  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1578  alerts += PacketAlertCheck(p, 1);
1579  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1580  alerts += PacketAlertCheck(p, 1);
1581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1582  alerts += PacketAlertCheck(p, 1);
1583  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1584  alerts += PacketAlertCheck(p, 1);
1585 
1586  FAIL_IF(alerts != 4);
1587 
1588  SigGroupCleanup(de_ctx);
1589  SigCleanSignatures(de_ctx);
1590  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1591  DetectEngineCtxFree(de_ctx);
1592  UTHFreePackets(&p, 1);
1593  HostShutdown();
1594  PASS;
1595 }
1596 
1597 /**
1598  * \test DetectThresholdTestSig14 is a test for checking the working by_both limits
1599  * by setting up the signature and later testing its working by matching
1600  * received packets against the sig.
1601  *
1602  * \retval 1 on success
1603  * \retval 0 on failure
1604  */
1605 
1606 static int DetectThresholdTestSig14(void)
1607 {
1608  Packet *p1 = NULL;
1609  Packet *p2 = NULL;
1610  Signature *s = NULL;
1611  ThreadVars th_v;
1612  DetectEngineThreadCtx *det_ctx;
1613  int alerts1 = 0;
1614  int alerts2 = 0;
1615 
1616  HostInitConfig(HOST_QUIET);
1617  IPPairInitConfig(IPPAIR_QUIET);
1618 
1619  memset(&th_v, 0, sizeof(th_v));
1620  p1 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1621  p2 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "3.3.3.3", 1024, 80);
1622  FAIL_IF_NULL(p1);
1623  FAIL_IF_NULL(p2);
1624 
1625  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1626  FAIL_IF_NULL(de_ctx);
1627 
1628  de_ctx->flags |= DE_QUIET;
1629 
1630  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_both, count 2, seconds 60; sid:1;)");
1631  FAIL_IF_NULL(s);
1632 
1633  SigGroupBuild(de_ctx);
1634  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1635 
1636  /* Both p1 and p2 should alert twice */
1637  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1638  alerts1 += PacketAlertCheck(p1, 1);
1639  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1640  alerts1 += PacketAlertCheck(p1, 1);
1641  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1642  alerts1 += PacketAlertCheck(p1, 1);
1643  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1644  alerts1 += PacketAlertCheck(p1, 1);
1645 
1646  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1647  alerts2 += PacketAlertCheck(p2, 1);
1648  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1649  alerts2 += PacketAlertCheck(p2, 1);
1650  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1651  alerts2 += PacketAlertCheck(p2, 1);
1652  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1653  alerts2 += PacketAlertCheck(p2, 1);
1654 
1655  FAIL_IF(alerts1 != 2);
1656  FAIL_IF(alerts2 != 2);
1657 
1658  TimeSetIncrementTime(70);
1659  TimeGet(&p1->ts);
1660  TimeGet(&p2->ts);
1661 
1662  /* Now they should both alert again after previous alerts expire */
1663  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1664  alerts1 += PacketAlertCheck(p1, 1);
1665  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1666  alerts2 += PacketAlertCheck(p2, 1);
1667 
1668  FAIL_IF(alerts1 != 3);
1669  FAIL_IF(alerts2 != 3);
1670 
1671  SigGroupCleanup(de_ctx);
1672  SigCleanSignatures(de_ctx);
1673  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1674  DetectEngineCtxFree(de_ctx);
1675  UTHFreePackets(&p1, 1);
1676  UTHFreePackets(&p2, 1);
1677  HostShutdown();
1678  PASS;
1679 }
1680 
1681 static void ThresholdRegisterTests(void)
1682 {
1683  UtRegisterTest("ThresholdTestParse01", ThresholdTestParse01);
1684  UtRegisterTest("ThresholdTestParse02", ThresholdTestParse02);
1685  UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03);
1686  UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04);
1687  UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05);
1688  UtRegisterTest("ThresholdTestParse06", ThresholdTestParse06);
1689  UtRegisterTest("ThresholdTestParse07", ThresholdTestParse07);
1690  UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1);
1691  UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2);
1692  UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3);
1693  UtRegisterTest("DetectThresholdTestSig4", DetectThresholdTestSig4);
1694  UtRegisterTest("DetectThresholdTestSig5", DetectThresholdTestSig5);
1695  UtRegisterTest("DetectThresholdTestSig6Ticks",
1696  DetectThresholdTestSig6Ticks);
1697  UtRegisterTest("DetectThresholdTestSig7", DetectThresholdTestSig7);
1698  UtRegisterTest("DetectThresholdTestSig8", DetectThresholdTestSig8);
1699  UtRegisterTest("DetectThresholdTestSig9", DetectThresholdTestSig9);
1700  UtRegisterTest("DetectThresholdTestSig10", DetectThresholdTestSig10);
1701  UtRegisterTest("DetectThresholdTestSig11", DetectThresholdTestSig11);
1702  UtRegisterTest("DetectThresholdTestSig12", DetectThresholdTestSig12);
1703  UtRegisterTest("DetectThresholdTestSig13", DetectThresholdTestSig13);
1704  UtRegisterTest("DetectThresholdTestSig14", DetectThresholdTestSig14);
1705 }
1706 #endif /* UNITTESTS */
1707 
1708 /**
1709  * @}
1710  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:42
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1213
ts
uint64_t ts
Definition: source-erf-file.c:54
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
host-storage.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1212
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1200
util-hashlist.h
SigTableElmt_::name
const char * name
Definition: detect.h:1210
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ThresholdHostStorageId
int ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:75
DetectAddressHeadCleanup
void DetectAddressHeadCleanup(DetectAddressHead *gh)
Cleans a DetectAddressHead. The functions frees the address group heads(ipv4 and ipv6) inside the Det...
Definition: detect-engine-address.c:1483
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::action
uint8_t action
Definition: decode.h:551
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2039
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:173
HostRelease
void HostRelease(Host *h)
Definition: host.c:474
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1204
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:31
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2093
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
DE_QUIET
#define DE_QUIET
Definition: detect.h:293
DetectThresholdEntry_
Definition: detect-threshold.h:68
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:242
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1195
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:94
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
UtilCpuGetTicks
uint64_t UtilCpuGetTicks(void)
Definition: util-cpu.c:190
HostGetStorageById
void * HostGetStorageById(Host *h, int id)
Get a value from a given Host storage.
Definition: host-storage.c:84
Signature_::next
struct Signature_ * next
Definition: detect.h:599
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:40
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
util-cpu.h
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:54
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2476
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-threshold.c:62
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
de
int de
Definition: app-layer-htp.c:575
util-time.h
IPPairInitConfig
void IPPairInitConfig(char quiet)
initialize the configuration
Definition: ippair.c:168
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:322
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:32
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1688
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1943
Signature_::flags
uint32_t flags
Definition: detect.h:528
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:182
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2406
Packet_
Definition: decode.h:412
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:219
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1178
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1878
SigMatch_::type
uint8_t type
Definition: detect.h:320
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:314
IPPAIR_QUIET
#define IPPAIR_QUIET
Definition: ippair.h:90
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2797
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Packet_::ts
struct timeval ts
Definition: decode.h:455
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3005
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:305
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:772
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:33
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:97
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:527
SigMatch_
a single match condition for a signature
Definition: detect.h:319
detect-threshold.h
DetectThresholdRegister
void DetectThresholdRegister(void)
Registration function for threshold: keyword.
Definition: detect-threshold.c:78
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2048
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:598
suricata.h
Packet_::dst
Address dst
Definition: decode.h:417
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
ThresholdHashRealloc
void ThresholdHashRealloc(DetectEngineCtx *de_ctx)
Realloc threshold context hash tables.
Definition: detect-engine-threshold.c:665
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:767
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
flow-var.h
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1381
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1202
detect-engine-threshold.h
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:867
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468