suricata
detect-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup threshold
20  * @{
21  */
22 
23 /**
24  * \file
25  *
26  * \author Breno Silva <breno.silva@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * Implements the threshold keyword.
30  *
31  * The feature depends on what is provided
32  * by detect-engine-threshold.c and util-threshold-config.c
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "decode.h"
38 
39 #include "host.h"
40 #include "host-storage.h"
41 
42 #include "detect.h"
43 #include "detect-parse.h"
44 
45 #include "flow-var.h"
46 #include "decode-events.h"
47 #include "stream-tcp.h"
48 
49 #include "detect-threshold.h"
50 #include "detect-engine-threshold.h"
51 #include "detect-engine-address.h"
52 
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-byte.h"
56 #include "util-debug.h"
57 
58 #ifdef UNITTESTS
59 #include "util-cpu.h"
60 #endif
61 
62 #define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*"
63 
64 static DetectParseRegex parse_regex;
65 
66 static int DetectThresholdMatch(DetectEngineThreadCtx *, Packet *,
67  const Signature *, const SigMatchCtx *);
68 static int DetectThresholdSetup(DetectEngineCtx *, Signature *, const char *);
69 static void DetectThresholdFree(void *);
70 
71 /**
72  * \brief Registration function for threshold: keyword
73  */
74 
75 void DetectThresholdRegister(void)
76 {
77  sigmatch_table[DETECT_THRESHOLD].name = "threshold";
78  sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
79  sigmatch_table[DETECT_THRESHOLD].url = DOC_URL DOC_VERSION "/rules/thresholding.html#threshold";
80  sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
81  sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
82  sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;
83  sigmatch_table[DETECT_THRESHOLD].RegisterTests = ThresholdRegisterTests;
84  /* this is compatible to ip-only signatures */
85  sigmatch_table[DETECT_THRESHOLD].flags |= SIGMATCH_IPONLY_COMPAT;
86 
87  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
88 }
89 
90 static int DetectThresholdMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
91  const Signature *s, const SigMatchCtx *ctx)
92 {
93  return 1;
94 }
95 
96 /**
97  * \internal
98  * \brief This function is used to parse threshold options passed via threshold: keyword
99  *
100  * \param rawstr Pointer to the user provided threshold options
101  *
102  * \retval de pointer to DetectThresholdData on success
103  * \retval NULL on failure
104  */
105 static DetectThresholdData *DetectThresholdParse(const char *rawstr)
106 {
107  DetectThresholdData *de = NULL;
108  int ret = 0, res = 0;
109  int ov[MAX_SUBSTRINGS];
110  const char *str_ptr = NULL;
111  char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
112  char *copy_str = NULL, *threshold_opt = NULL;
113  int second_found = 0, count_found = 0;
114  int type_found = 0, track_found = 0;
115  int second_pos = 0, count_pos = 0;
116  uint16_t pos = 0;
117  int i = 0;
118 
119  copy_str = SCStrdup(rawstr);
120  if (unlikely(copy_str == NULL)) {
121  goto error;
122  }
123 
124  char *saveptr = NULL;
125  for (pos = 0, threshold_opt = strtok_r(copy_str,",", &saveptr);
126  pos < strlen(copy_str) && threshold_opt != NULL;
127  pos++, threshold_opt = strtok_r(NULL,"," , &saveptr))
128  {
129  if(strstr(threshold_opt,"count"))
130  count_found++;
131  if(strstr(threshold_opt,"second"))
132  second_found++;
133  if(strstr(threshold_opt,"type"))
134  type_found++;
135  if(strstr(threshold_opt,"track"))
136  track_found++;
137  }
138  SCFree(copy_str);
139  copy_str = NULL;
140 
141  if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
142  goto error;
143 
144  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
145  if (ret < 5) {
146  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
147  goto error;
148  }
149 
150  de = SCMalloc(sizeof(DetectThresholdData));
151  if (unlikely(de == NULL))
152  goto error;
153 
154  memset(de,0,sizeof(DetectThresholdData));
155 
156  for (i = 0; i < (ret - 1); i++) {
157 
158  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS,i + 1, &str_ptr);
159 
160  if (res < 0) {
161  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
162  goto error;
163  }
164 
165  args[i] = (char *)str_ptr;
166 
167  if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
168  de->type = TYPE_LIMIT;
169  if (strncasecmp(args[i],"both",strlen("both")) == 0)
170  de->type = TYPE_BOTH;
171  if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
172  de->type = TYPE_THRESHOLD;
173  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
174  de->track = TRACK_DST;
175  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
176  de->track = TRACK_SRC;
177  if (strncasecmp(args[i],"by_both",strlen("by_both")) == 0)
178  de->track = TRACK_BOTH;
179  if (strncasecmp(args[i],"by_rule",strlen("by_rule")) == 0)
180  de->track = TRACK_RULE;
181  if (strncasecmp(args[i],"count",strlen("count")) == 0)
182  count_pos = i+1;
183  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
184  second_pos = i+1;
185  }
186 
187  if (args[count_pos] == NULL || args[second_pos] == NULL) {
188  goto error;
189  }
190 
191  if (StringParseUint32(&de->count, 10, strlen(args[count_pos]),
192  args[count_pos]) <= 0) {
193  goto error;
194  }
195 
196  if (StringParseUint32(&de->seconds, 10, strlen(args[second_pos]),
197  args[second_pos]) <= 0) {
198  goto error;
199  }
200 
201  for (i = 0; i < (ret - 1); i++){
202  if (args[i] != NULL) SCFree(args[i]);
203  }
204  return de;
205 
206 error:
207  for (i = 0; i < (ret - 1); i++){
208  if (args[i] != NULL) SCFree(args[i]);
209  }
210  if (de != NULL)
211  SCFree(de);
212  return NULL;
213 }
214 
215 /**
216  * \internal
217  * \brief this function is used to add the parsed threshold into the current signature
218  *
219  * \param de_ctx pointer to the Detection Engine Context
220  * \param s pointer to the Current Signature
221  * \param rawstr pointer to the user provided threshold options
222  *
223  * \retval 0 on Success
224  * \retval -1 on Failure
225  */
226 static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
227 {
228  DetectThresholdData *de = NULL;
229  SigMatch *sm = NULL;
230  SigMatch *tmpm = NULL;
231 
232  /* checks if there is a previous instance of detection_filter */
233  tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
234  if (tmpm != NULL) {
235  if (tmpm->type == DETECT_DETECTION_FILTER) {
236  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
237  "\"threshold\" are not allowed in the same rule");
238  } else {
239  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiple \"threshold\" "
240  "options are not allowed in the same rule");
241  }
242  SCReturnInt(-1);
243  }
244 
245  de = DetectThresholdParse(rawstr);
246  if (de == NULL)
247  goto error;
248 
249  if (de->track == TRACK_RULE)
250  ThresholdHashRealloc(de_ctx);
251 
252  sm = SigMatchAlloc();
253  if (sm == NULL)
254  goto error;
255 
256  sm->type = DETECT_THRESHOLD;
257  sm->ctx = (SigMatchCtx *)de;
258 
259  SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_THRESHOLD);
260 
261  return 0;
262 
263 error:
264  if (de) SCFree(de);
265  if (sm) SCFree(sm);
266  return -1;
267 }
268 
269 /**
270  * \internal
271  * \brief this function will free memory associated with DetectThresholdData
272  *
273  * \param de pointer to DetectThresholdData
274  */
275 static void DetectThresholdFree(void *de_ptr)
276 {
277  DetectThresholdData *de = (DetectThresholdData *)de_ptr;
278  if (de) {
279  DetectAddressHeadCleanup(&de->addrs);
280  SCFree(de);
281  }
282 }
283 
284 /*
285  * ONLY TESTS BELOW THIS COMMENT
286  */
287 #ifdef UNITTESTS
288 #include "detect-engine.h"
289 #include "detect-engine-mpm.h"
290 #include "util-time.h"
291 #include "util-hashlist.h"
292 
293 /**
294  * \test ThresholdTestParse01 is a test for a valid threshold options
295  *
296  * \retval 1 on success
297  * \retval 0 on failure
298  */
299 static int ThresholdTestParse01(void)
300 {
301  DetectThresholdData *de = NULL;
302  de = DetectThresholdParse("type limit,track by_dst,count 10,seconds 60");
303  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
304  DetectThresholdFree(de);
305  return 1;
306  }
307 
308  return 0;
309 }
310 
311 /**
312  * \test ThresholdTestParse02 is a test for a invalid threshold options
313  *
314  * \retval 1 on success
315  * \retval 0 on failure
316  */
317 static int ThresholdTestParse02(void)
318 {
319  DetectThresholdData *de = NULL;
320  de = DetectThresholdParse("type any,track by_dst,count 10,seconds 60");
321  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
322  DetectThresholdFree(de);
323  return 0;
324  }
325 
326  return 1;
327 }
328 
329 /**
330  * \test ThresholdTestParse03 is a test for a valid threshold options in any order
331  *
332  * \retval 1 on success
333  * \retval 0 on failure
334  */
335 static int ThresholdTestParse03(void)
336 {
337  DetectThresholdData *de = NULL;
338  de = DetectThresholdParse("track by_dst, type limit, seconds 60, count 10");
339  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
340  DetectThresholdFree(de);
341  return 1;
342  }
343 
344  return 0;
345 }
346 
347 
348 /**
349  * \test ThresholdTestParse04 is a test for an invalid threshold options in any order
350  *
351  * \retval 1 on success
352  * \retval 0 on failure
353  */
354 static int ThresholdTestParse04(void)
355 {
356  DetectThresholdData *de = NULL;
357  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both, count 10");
358  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
359  DetectThresholdFree(de);
360  return 0;
361  }
362 
363  return 1;
364 }
365 
366 /**
367  * \test ThresholdTestParse05 is a test for a valid threshold options in any order
368  *
369  * \retval 1 on success
370  * \retval 0 on failure
371  */
372 static int ThresholdTestParse05(void)
373 {
374  DetectThresholdData *de = NULL;
375  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both");
376  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
377  DetectThresholdFree(de);
378  return 1;
379  }
380 
381  return 0;
382 }
383 
384 /**
385  * \test ThresholdTestParse06 is a test for thresholding by_both
386  *
387  * \retval 1 on success
388  * \retval 0 on failure
389  */
390 static int ThresholdTestParse06(void)
391 {
392  DetectThresholdData *de = NULL;
393  de = DetectThresholdParse("count 10, track by_both, seconds 60, type limit");
394  FAIL_IF_NULL(de);
395  FAIL_IF_NOT(de->type == TYPE_LIMIT);
396  FAIL_IF_NOT(de->track == TRACK_BOTH);
397  FAIL_IF_NOT(de->count == 10);
398  FAIL_IF_NOT(de->seconds == 60);
399  DetectThresholdFree(de);
400  PASS;
401 }
402 
403 /**
404  * \test ThresholdTestParse07 is a test for thresholding by_rule
405  *
406  * \retval 1 on success
407  * \retval 0 on failure
408  */
409 static int ThresholdTestParse07(void)
410 {
411  DetectThresholdData *de = NULL;
412  de = DetectThresholdParse("count 10, track by_rule, seconds 60, type limit");
413  FAIL_IF_NULL(de);
414  FAIL_IF_NOT(de->type == TYPE_LIMIT);
415  FAIL_IF_NOT(de->track == TRACK_RULE);
416  FAIL_IF_NOT(de->count == 10);
417  FAIL_IF_NOT(de->seconds == 60);
418  DetectThresholdFree(de);
419  PASS;
420 }
421 
422 /**
423  * \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
424  * by setting up the signature and later testing its working by matching
425  * the received packet against the sig.
426  *
427  * \retval 1 on success
428  * \retval 0 on failure
429  */
430 
431 static int DetectThresholdTestSig1(void)
432 {
433  Packet *p = NULL;
434  Signature *s = NULL;
435  ThreadVars th_v;
436  DetectEngineThreadCtx *det_ctx;
437  int result = 0;
438  int alerts = 0;
439 
440  HostInitConfig(HOST_QUIET);
441 
442  memset(&th_v, 0, sizeof(th_v));
443 
444  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
445 
446  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
447  if (de_ctx == NULL) {
448  goto end;
449  }
450 
451  de_ctx->flags |= DE_QUIET;
452 
453  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
454  if (s == NULL) {
455  goto end;
456  }
457 
458  SigGroupBuild(de_ctx);
459 
460  if (s->flags & SIG_FLAG_IPONLY) {
461  printf("signature is ip-only: ");
462  goto end;
463  }
464 
465  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
466 
467  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
468  alerts = PacketAlertCheck(p, 1);
469  if (alerts != 1) {
470  printf("alerts %"PRIi32", expected 1: ", alerts);
471  }
472  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
473  alerts += PacketAlertCheck(p, 1);
474  if (alerts != 2) {
475  printf("alerts %"PRIi32", expected 2: ", alerts);
476  }
477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
478  alerts += PacketAlertCheck(p, 1);
479  if (alerts != 3) {
480  printf("alerts %"PRIi32", expected 3: ", alerts);
481  }
482  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
483  alerts += PacketAlertCheck(p, 1);
484  if (alerts != 4) {
485  printf("alerts %"PRIi32", expected 4: ", alerts);
486  }
487  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
488  alerts += PacketAlertCheck(p, 1);
489  if (alerts != 5) {
490  printf("alerts %"PRIi32", expected 5: ", alerts);
491  }
492  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
493  alerts += PacketAlertCheck(p, 1);
494  if (alerts != 5) {
495  printf("alerts %"PRIi32", expected 5: ", alerts);
496  }
497  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
498  alerts += PacketAlertCheck(p, 1);
499  if (alerts != 5) {
500  printf("alerts %"PRIi32", expected 5: ", alerts);
501  }
502  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
503  alerts += PacketAlertCheck(p, 1);
504  if (alerts != 5) {
505  printf("alerts %"PRIi32", expected 5: ", alerts);
506  }
507 
508  if(alerts == 5)
509  result = 1;
510  else
511  printf("alerts %"PRIi32", expected 5: ", alerts);
512 
513  SigGroupCleanup(de_ctx);
514  SigCleanSignatures(de_ctx);
515 
516  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
517  DetectEngineCtxFree(de_ctx);
518 
519  UTHFreePackets(&p, 1);
520 
521  HostShutdown();
522 end:
523  return result;
524 }
525 
526 /**
527  * \test DetectThresholdTestSig2 is a test for checking the working of threshold keyword
528  * by setting up the signature and later testing its working by matching
529  * the received packet against the sig.
530  *
531  * \retval 1 on success
532  * \retval 0 on failure
533  */
534 
535 static int DetectThresholdTestSig2(void)
536 {
537  Packet *p = NULL;
538  Signature *s = NULL;
539  ThreadVars th_v;
540  DetectEngineThreadCtx *det_ctx;
541  int result = 0;
542  int alerts = 0;
543 
544  HostInitConfig(HOST_QUIET);
545 
546  memset(&th_v, 0, sizeof(th_v));
547 
548  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
549 
550  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
551  if (de_ctx == NULL) {
552  goto end;
553  }
554 
555  de_ctx->flags |= DE_QUIET;
556 
557  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
558  if (s == NULL) {
559  goto end;
560  }
561 
562  SigGroupBuild(de_ctx);
563  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
564 
565  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
566  alerts = PacketAlertCheck(p, 1);
567  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
568  alerts += PacketAlertCheck(p, 1);
569  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
570  alerts += PacketAlertCheck(p, 1);
571  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
572  alerts += PacketAlertCheck(p, 1);
573  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
574  alerts += PacketAlertCheck(p, 1);
575  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
576  alerts += PacketAlertCheck(p, 1);
577  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
578  alerts += PacketAlertCheck(p, 1);
579  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
580  alerts += PacketAlertCheck(p, 1);
581  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
582  alerts += PacketAlertCheck(p, 1);
583  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
584  alerts += PacketAlertCheck(p, 1);
585 
586  if (alerts == 2)
587  result = 1;
588  else
589  goto cleanup;
590 
591 cleanup:
592  SigGroupCleanup(de_ctx);
593  SigCleanSignatures(de_ctx);
594 
595  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
596  DetectEngineCtxFree(de_ctx);
597 
598 end:
599  UTHFreePackets(&p, 1);
600  HostShutdown();
601  return result;
602 }
603 
604 /**
605  * \test DetectThresholdTestSig3 is a test for checking the working of limit keyword
606  * by setting up the signature and later testing its working by matching
607  * the received packet against the sig.
608  *
609  * \retval 1 on success
610  * \retval 0 on failure
611  */
612 
613 static int DetectThresholdTestSig3(void)
614 {
615  Packet *p = NULL;
616  Signature *s = NULL;
617  ThreadVars th_v;
618  DetectEngineThreadCtx *det_ctx;
619  int result = 0;
620  int alerts = 0;
621  struct timeval ts;
622  DetectThresholdEntry *lookup_tsh = NULL;
623 
624  HostInitConfig(HOST_QUIET);
625 
626  memset (&ts, 0, sizeof(struct timeval));
627  TimeGet(&ts);
628 
629  memset(&th_v, 0, sizeof(th_v));
630 
631  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
632 
633  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
634  if (de_ctx == NULL) {
635  goto end;
636  }
637 
638  de_ctx->flags |= DE_QUIET;
639 
640  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
641  if (s == NULL) {
642  goto end;
643  }
644 
645  SigGroupBuild(de_ctx);
646  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
647 
648  TimeGet(&p->ts);
649 
650  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
651  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
652  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
653 
654  Host *host = HostLookupHostFromHash(&p->dst);
655  if (host == NULL) {
656  printf("host not found: ");
657  goto cleanup;
658  }
659 
660  if (!(ThresholdHostHasThreshold(host))) {
661  HostRelease(host);
662  printf("host has no threshold: ");
663  goto cleanup;
664  }
665  HostRelease(host);
666 
667  TimeSetIncrementTime(200);
668  TimeGet(&p->ts);
669 
670  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
671  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
672  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
673 
674  host = HostLookupHostFromHash(&p->dst);
675  if (host == NULL) {
676  printf("host not found: ");
677  goto cleanup;
678  }
679  HostRelease(host);
680 
681  lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
682  if (lookup_tsh == NULL) {
683  HostRelease(host);
684  printf("lookup_tsh is NULL: ");
685  goto cleanup;
686  }
687 
688  alerts = lookup_tsh->current_count;
689 
690  if (alerts == 3)
691  result = 1;
692  else {
693  printf("alerts %u != 3: ", alerts);
694  goto cleanup;
695  }
696 
697 cleanup:
698  SigGroupCleanup(de_ctx);
699  SigCleanSignatures(de_ctx);
700 
701  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
702  DetectEngineCtxFree(de_ctx);
703 end:
704  UTHFreePackets(&p, 1);
705  HostShutdown();
706  return result;
707 }
708 
709 /**
710  * \test DetectThresholdTestSig4 is a test for checking the working of both keyword
711  * by setting up the signature and later testing its working by matching
712  * the received packet against the sig.
713  *
714  * \retval 1 on success
715  * \retval 0 on failure
716  */
717 
718 static int DetectThresholdTestSig4(void)
719 {
720  Packet *p = NULL;
721  Signature *s = NULL;
722  ThreadVars th_v;
723  DetectEngineThreadCtx *det_ctx;
724  int result = 0;
725  int alerts = 0;
726  struct timeval ts;
727 
728  HostInitConfig(HOST_QUIET);
729 
730  memset (&ts, 0, sizeof(struct timeval));
731  TimeGet(&ts);
732 
733  memset(&th_v, 0, sizeof(th_v));
734 
735  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
736 
737  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
738  if (de_ctx == NULL) {
739  goto end;
740  }
741 
742  de_ctx->flags |= DE_QUIET;
743 
744  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
745  if (s == NULL) {
746  goto end;
747  }
748 
749  SigGroupBuild(de_ctx);
750  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
751 
752  TimeGet(&p->ts);
753  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
754  alerts = PacketAlertCheck(p, 10);
755  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
756  alerts += PacketAlertCheck(p, 10);
757  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
758  alerts += PacketAlertCheck(p, 10);
759 
760  TimeSetIncrementTime(200);
761  TimeGet(&p->ts);
762 
763  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
764  alerts += PacketAlertCheck(p, 10);
765  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
766  alerts += PacketAlertCheck(p, 10);
767  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
768  alerts += PacketAlertCheck(p, 10);
769 
770  if (alerts == 2)
771  result = 1;
772  else
773  goto cleanup;
774 
775 cleanup:
776  SigGroupCleanup(de_ctx);
777  SigCleanSignatures(de_ctx);
778 
779  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
780  DetectEngineCtxFree(de_ctx);
781 end:
782  UTHFreePackets(&p, 1);
783  HostShutdown();
784  return result;
785 }
786 
787 /**
788  * \test DetectThresholdTestSig5 is a test for checking the working of limit keyword
789  * by setting up the signature and later testing its working by matching
790  * the received packet against the sig.
791  *
792  * \retval 1 on success
793  * \retval 0 on failure
794  */
795 
796 static int DetectThresholdTestSig5(void)
797 {
798  Packet *p = NULL;
799  Signature *s = NULL;
800  ThreadVars th_v;
801  DetectEngineThreadCtx *det_ctx;
802  int result = 0;
803  int alerts = 0;
804 
805  HostInitConfig(HOST_QUIET);
806 
807  memset(&th_v, 0, sizeof(th_v));
808  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
809 
810  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
811  if (de_ctx == NULL) {
812  goto end;
813  }
814 
815  de_ctx->flags |= DE_QUIET;
816 
817  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
818  if (s == NULL) {
819  goto end;
820  }
821 
822  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
823  if (s == NULL) {
824  goto end;
825  }
826 
827  SigGroupBuild(de_ctx);
828  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
829 
830  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
831  alerts = PacketAlertCheck(p, 1);
832  alerts += PacketAlertCheck(p, 1000);
833  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
834  alerts += PacketAlertCheck(p, 1);
835  alerts += PacketAlertCheck(p, 1000);
836  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
837  alerts += PacketAlertCheck(p, 1);
838  alerts += PacketAlertCheck(p, 1000);
839  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
840  alerts += PacketAlertCheck(p, 1);
841  alerts += PacketAlertCheck(p, 1000);
842  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
843  alerts += PacketAlertCheck(p, 1);
844  alerts += PacketAlertCheck(p, 1000);
845  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
846  alerts += PacketAlertCheck(p, 1);
847  alerts += PacketAlertCheck(p, 1000);
848  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
849  alerts += PacketAlertCheck(p, 1);
850  alerts += PacketAlertCheck(p, 1000);
851  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
852  alerts += PacketAlertCheck(p, 1);
853  alerts += PacketAlertCheck(p, 1000);
854 
855  if(alerts == 10)
856  result = 1;
857  else {
858  printf("alerts %d != 10: ", alerts);
859  goto cleanup;
860  }
861 
862 cleanup:
863  SigGroupCleanup(de_ctx);
864  SigCleanSignatures(de_ctx);
865 
866  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
867  DetectEngineCtxFree(de_ctx);
868 
869 end:
870  UTHFreePackets(&p, 1);
871  HostShutdown();
872  return result;
873 }
874 
875 static int DetectThresholdTestSig6Ticks(void)
876 {
877  Packet *p = NULL;
878  Signature *s = NULL;
879  ThreadVars th_v;
880  DetectEngineThreadCtx *det_ctx;
881  int result = 0;
882  int alerts = 0;
883 
884  HostInitConfig(HOST_QUIET);
885 
886  memset(&th_v, 0, sizeof(th_v));
887  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
888 
889  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
890  if (de_ctx == NULL) {
891  goto end;
892  }
893 
894  de_ctx->flags |= DE_QUIET;
895 
896  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
897  if (s == NULL) {
898  goto end;
899  }
900 
901  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
902  if (s == NULL) {
903  goto end;
904  }
905 
906  SigGroupBuild(de_ctx);
907  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
908 
909  uint64_t ticks_start = 0;
910  uint64_t ticks_end = 0;
911 
912  ticks_start = UtilCpuGetTicks();
913  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
914  alerts = PacketAlertCheck(p, 1);
915  alerts += PacketAlertCheck(p, 1000);
916  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
917  alerts += PacketAlertCheck(p, 1);
918  alerts += PacketAlertCheck(p, 1000);
919  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
920  alerts += PacketAlertCheck(p, 1);
921  alerts += PacketAlertCheck(p, 1000);
922  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
923  alerts += PacketAlertCheck(p, 1);
924  alerts += PacketAlertCheck(p, 1000);
925  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
926  alerts += PacketAlertCheck(p, 1);
927  alerts += PacketAlertCheck(p, 1000);
928  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
929  alerts += PacketAlertCheck(p, 1);
930  alerts += PacketAlertCheck(p, 1000);
931  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
932  alerts += PacketAlertCheck(p, 1);
933  alerts += PacketAlertCheck(p, 1000);
934  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
935  alerts += PacketAlertCheck(p, 1);
936  alerts += PacketAlertCheck(p, 1000);
937  ticks_end = UtilCpuGetTicks();
938  printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
939 
940  if(alerts == 10)
941  result = 1;
942  else
943  goto cleanup;
944 
945 cleanup:
946  SigGroupCleanup(de_ctx);
947  SigCleanSignatures(de_ctx);
948 
949  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
950  DetectEngineCtxFree(de_ctx);
951 
952 end:
953  UTHFreePackets(&p, 1);
954  HostShutdown();
955  return result;
956 }
957 
958 /**
959  * \test Test drop action being set even if thresholded
960  */
961 static int DetectThresholdTestSig7(void)
962 {
963  Packet *p = NULL;
964  Signature *s = NULL;
965  ThreadVars th_v;
966  DetectEngineThreadCtx *det_ctx;
967  int result = 0;
968  int alerts = 0;
969  int drops = 0;
970  struct timeval ts;
971 
972  HostInitConfig(HOST_QUIET);
973 
974  memset (&ts, 0, sizeof(struct timeval));
975  TimeGet(&ts);
976 
977  memset(&th_v, 0, sizeof(th_v));
978 
979  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
980 
981  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
982  if (de_ctx == NULL) {
983  goto end;
984  }
985 
986  de_ctx->flags |= DE_QUIET;
987 
988  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 1, seconds 300; sid:10;)");
989  if (s == NULL) {
990  goto end;
991  }
992 
993  SigGroupBuild(de_ctx);
994  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
995 
996  TimeGet(&p->ts);
997  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
998  alerts = PacketAlertCheck(p, 10);
999  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1000  p->action = 0;
1001 
1002  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1003  alerts += PacketAlertCheck(p, 10);
1004  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1005  p->action = 0;
1006 
1007  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1008  alerts += PacketAlertCheck(p, 10);
1009  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1010  p->action = 0;
1011 
1012  TimeSetIncrementTime(200);
1013  TimeGet(&p->ts);
1014 
1015  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1016  alerts += PacketAlertCheck(p, 10);
1017  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1018  p->action = 0;
1019 
1020  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1021  alerts += PacketAlertCheck(p, 10);
1022  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1023  p->action = 0;
1024 
1025  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1026  alerts += PacketAlertCheck(p, 10);
1027  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1028  p->action = 0;
1029 
1030  if (alerts == 1 && drops == 6)
1031  result = 1;
1032  else {
1033  if (alerts != 1)
1034  printf("alerts: %d != 1: ", alerts);
1035  if (drops != 6)
1036  printf("drops: %d != 6: ", drops);
1037  goto cleanup;
1038  }
1039 
1040 cleanup:
1041  SigGroupCleanup(de_ctx);
1042  SigCleanSignatures(de_ctx);
1043 
1044  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1045  DetectEngineCtxFree(de_ctx);
1046 end:
1047  UTHFreePackets(&p, 1);
1048  HostShutdown();
1049  return result;
1050 }
1051 
1052 /**
1053  * \test Test drop action being set even if thresholded
1054  */
1055 static int DetectThresholdTestSig8(void)
1056 {
1057  Packet *p = NULL;
1058  Signature *s = NULL;
1059  ThreadVars th_v;
1060  DetectEngineThreadCtx *det_ctx;
1061  int result = 0;
1062  int alerts = 0;
1063  int drops = 0;
1064  struct timeval ts;
1065 
1066  HostInitConfig(HOST_QUIET);
1067 
1068  memset (&ts, 0, sizeof(struct timeval));
1069  TimeGet(&ts);
1070 
1071  memset(&th_v, 0, sizeof(th_v));
1072 
1073  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1074 
1075  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1076  if (de_ctx == NULL) {
1077  goto end;
1078  }
1079 
1080  de_ctx->flags |= DE_QUIET;
1081 
1082  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 2, seconds 300; sid:10;)");
1083  if (s == NULL) {
1084  goto end;
1085  }
1086 
1087  SigGroupBuild(de_ctx);
1088  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1089 
1090  TimeGet(&p->ts);
1091  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1092  alerts = PacketAlertCheck(p, 10);
1093  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1094  p->action = 0;
1095 
1096  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1097  alerts += PacketAlertCheck(p, 10);
1098  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1099  p->action = 0;
1100 
1101  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1102  alerts += PacketAlertCheck(p, 10);
1103  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1104  p->action = 0;
1105 
1106  TimeSetIncrementTime(200);
1107  TimeGet(&p->ts);
1108 
1109  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1110  alerts += PacketAlertCheck(p, 10);
1111  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1112  p->action = 0;
1113 
1114  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1115  alerts += PacketAlertCheck(p, 10);
1116  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1117  p->action = 0;
1118 
1119  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1120  alerts += PacketAlertCheck(p, 10);
1121  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1122  p->action = 0;
1123 
1124  if (alerts == 2 && drops == 6)
1125  result = 1;
1126  else {
1127  if (alerts != 1)
1128  printf("alerts: %d != 1: ", alerts);
1129  if (drops != 6)
1130  printf("drops: %d != 6: ", drops);
1131  goto cleanup;
1132  }
1133 
1134 cleanup:
1135  SigGroupCleanup(de_ctx);
1136  SigCleanSignatures(de_ctx);
1137 
1138  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1139  DetectEngineCtxFree(de_ctx);
1140 end:
1141  UTHFreePackets(&p, 1);
1142  HostShutdown();
1143  return result;
1144 }
1145 
1146 /**
1147  * \test Test drop action being set even if thresholded
1148  */
1149 static int DetectThresholdTestSig9(void)
1150 {
1151  Packet *p = NULL;
1152  Signature *s = NULL;
1153  ThreadVars th_v;
1154  DetectEngineThreadCtx *det_ctx;
1155  int result = 0;
1156  int alerts = 0;
1157  int drops = 0;
1158  struct timeval ts;
1159 
1160  HostInitConfig(HOST_QUIET);
1161 
1162  memset (&ts, 0, sizeof(struct timeval));
1163  TimeGet(&ts);
1164 
1165  memset(&th_v, 0, sizeof(th_v));
1166 
1167  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1168 
1169  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1170  if (de_ctx == NULL) {
1171  goto end;
1172  }
1173 
1174  de_ctx->flags |= DE_QUIET;
1175 
1176  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 3, seconds 100; sid:10;)");
1177  if (s == NULL) {
1178  goto end;
1179  }
1180 
1181  SigGroupBuild(de_ctx);
1182  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1183 
1184  TimeGet(&p->ts);
1185  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1186  alerts = PacketAlertCheck(p, 10);
1187  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1188  p->action = 0;
1189 
1190  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1191  alerts += PacketAlertCheck(p, 10);
1192  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1193  p->action = 0;
1194 
1195  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1196  alerts += PacketAlertCheck(p, 10);
1197  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1198  p->action = 0;
1199 
1200  TimeSetIncrementTime(200);
1201  TimeGet(&p->ts);
1202 
1203  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1204  alerts += PacketAlertCheck(p, 10);
1205  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1206  p->action = 0;
1207 
1208  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1209  alerts += PacketAlertCheck(p, 10);
1210  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1211  p->action = 0;
1212 
1213  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1214  alerts += PacketAlertCheck(p, 10);
1215  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1216  p->action = 0;
1217 
1218  if (alerts == 2 && drops == 2)
1219  result = 1;
1220  else {
1221  if (alerts != 2)
1222  printf("alerts: %d != 2: ", alerts);
1223  if (drops != 2)
1224  printf("drops: %d != 2: ", drops);
1225  goto cleanup;
1226  }
1227 
1228 cleanup:
1229  SigGroupCleanup(de_ctx);
1230  SigCleanSignatures(de_ctx);
1231 
1232  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1233  DetectEngineCtxFree(de_ctx);
1234 end:
1235  UTHFreePackets(&p, 1);
1236  HostShutdown();
1237  return result;
1238 }
1239 
1240 /**
1241  * \test Test drop action being set even if thresholded
1242  */
1243 static int DetectThresholdTestSig10(void)
1244 {
1245  Packet *p = NULL;
1246  Signature *s = NULL;
1247  ThreadVars th_v;
1248  DetectEngineThreadCtx *det_ctx;
1249  int result = 0;
1250  int alerts = 0;
1251  int drops = 0;
1252  struct timeval ts;
1253 
1254  HostInitConfig(HOST_QUIET);
1255 
1256  memset (&ts, 0, sizeof(struct timeval));
1257  TimeGet(&ts);
1258 
1259  memset(&th_v, 0, sizeof(th_v));
1260 
1261  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1262 
1263  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1264  if (de_ctx == NULL) {
1265  goto end;
1266  }
1267 
1268  de_ctx->flags |= DE_QUIET;
1269 
1270  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 5, seconds 300; sid:10;)");
1271  if (s == NULL) {
1272  goto end;
1273  }
1274 
1275  SigGroupBuild(de_ctx);
1276  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1277 
1278  TimeGet(&p->ts);
1279  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1280  alerts = PacketAlertCheck(p, 10);
1281  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1282  p->action = 0;
1283 
1284  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1285  alerts += PacketAlertCheck(p, 10);
1286  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1287  p->action = 0;
1288 
1289  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1290  alerts += PacketAlertCheck(p, 10);
1291  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1292  p->action = 0;
1293 
1294  TimeSetIncrementTime(200);
1295  TimeGet(&p->ts);
1296 
1297  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1298  alerts += PacketAlertCheck(p, 10);
1299  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1300  p->action = 0;
1301 
1302  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1303  alerts += PacketAlertCheck(p, 10);
1304  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1305  p->action = 0;
1306 
1307  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1308  alerts += PacketAlertCheck(p, 10);
1309  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1310  p->action = 0;
1311 
1312  if (alerts == 1 && drops == 1)
1313  result = 1;
1314  else {
1315  if (alerts != 1)
1316  printf("alerts: %d != 1: ", alerts);
1317  if (drops != 1)
1318  printf("drops: %d != 1: ", drops);
1319  goto cleanup;
1320  }
1321 
1322 cleanup:
1323  SigGroupCleanup(de_ctx);
1324  SigCleanSignatures(de_ctx);
1325 
1326  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1327  DetectEngineCtxFree(de_ctx);
1328 end:
1329  UTHFreePackets(&p, 1);
1330  HostShutdown();
1331  return result;
1332 }
1333 
1334 /**
1335  * \test Test drop action being set even if thresholded
1336  */
1337 static int DetectThresholdTestSig11(void)
1338 {
1339  Packet *p = NULL;
1340  Signature *s = NULL;
1341  ThreadVars th_v;
1342  DetectEngineThreadCtx *det_ctx;
1343  int result = 0;
1344  int alerts = 0;
1345  int drops = 0;
1346  struct timeval ts;
1347 
1348  HostInitConfig(HOST_QUIET);
1349 
1350  memset (&ts, 0, sizeof(struct timeval));
1351  TimeGet(&ts);
1352 
1353  memset(&th_v, 0, sizeof(th_v));
1354 
1355  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1356 
1357  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1358  if (de_ctx == NULL) {
1359  goto end;
1360  }
1361 
1362  de_ctx->flags |= DE_QUIET;
1363 
1364  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 3, seconds 300; sid:10;)");
1365  if (s == NULL) {
1366  goto end;
1367  }
1368 
1369  SigGroupBuild(de_ctx);
1370  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1371 
1372  TimeGet(&p->ts);
1373  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1374  alerts = PacketAlertCheck(p, 10);
1375  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1376  p->action = 0;
1377 
1378  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1379  alerts += PacketAlertCheck(p, 10);
1380  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1381  p->action = 0;
1382 
1383  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1384  alerts += PacketAlertCheck(p, 10);
1385  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1386  p->action = 0;
1387 
1388  TimeSetIncrementTime(200);
1389  TimeGet(&p->ts);
1390 
1391  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1392  alerts += PacketAlertCheck(p, 10);
1393  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1394  p->action = 0;
1395 
1396  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1397  alerts += PacketAlertCheck(p, 10);
1398  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1399  p->action = 0;
1400 
1401  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1402  alerts += PacketAlertCheck(p, 10);
1403  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1404  p->action = 0;
1405 
1406  if (alerts == 1 && drops == 4)
1407  result = 1;
1408  else {
1409  if (alerts != 1)
1410  printf("alerts: %d != 1: ", alerts);
1411  if (drops != 4)
1412  printf("drops: %d != 4: ", drops);
1413  goto cleanup;
1414  }
1415 
1416 cleanup:
1417  SigGroupCleanup(de_ctx);
1418  SigCleanSignatures(de_ctx);
1419 
1420  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1421  DetectEngineCtxFree(de_ctx);
1422 end:
1423  UTHFreePackets(&p, 1);
1424  HostShutdown();
1425  return result;
1426 }
1427 
1428 /**
1429  * \test Test drop action being set even if thresholded
1430  */
1431 static int DetectThresholdTestSig12(void)
1432 {
1433  Packet *p = NULL;
1434  Signature *s = NULL;
1435  ThreadVars th_v;
1436  DetectEngineThreadCtx *det_ctx;
1437  int result = 0;
1438  int alerts = 0;
1439  int drops = 0;
1440  struct timeval ts;
1441 
1442  HostInitConfig(HOST_QUIET);
1443 
1444  memset (&ts, 0, sizeof(struct timeval));
1445  TimeGet(&ts);
1446 
1447  memset(&th_v, 0, sizeof(th_v));
1448 
1449  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1450 
1451  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1452  if (de_ctx == NULL) {
1453  goto end;
1454  }
1455 
1456  de_ctx->flags |= DE_QUIET;
1457 
1458  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 5, seconds 300; sid:10;)");
1459  if (s == NULL) {
1460  goto end;
1461  }
1462 
1463  SigGroupBuild(de_ctx);
1464  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1465 
1466  TimeGet(&p->ts);
1467  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1468  alerts = PacketAlertCheck(p, 10);
1469  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1470  p->action = 0;
1471 
1472  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1473  alerts += PacketAlertCheck(p, 10);
1474  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1475  p->action = 0;
1476 
1477  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1478  alerts += PacketAlertCheck(p, 10);
1479  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1480  p->action = 0;
1481 
1482  TimeSetIncrementTime(200);
1483  TimeGet(&p->ts);
1484 
1485  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1486  alerts += PacketAlertCheck(p, 10);
1487  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1488  p->action = 0;
1489 
1490  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1491  alerts += PacketAlertCheck(p, 10);
1492  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1493  p->action = 0;
1494 
1495  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1496  alerts += PacketAlertCheck(p, 10);
1497  drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
1498  p->action = 0;
1499 
1500  if (alerts == 1 && drops == 2)
1501  result = 1;
1502  else {
1503  if (alerts != 1)
1504  printf("alerts: %d != 1: ", alerts);
1505  if (drops != 2)
1506  printf("drops: %d != 2: ", drops);
1507  goto cleanup;
1508  }
1509 
1510 cleanup:
1511  SigGroupCleanup(de_ctx);
1512  SigCleanSignatures(de_ctx);
1513 
1514  DetectEngineThreadCtxDeinit(&th_v, (void*)det_ctx);
1515  DetectEngineCtxFree(de_ctx);
1516 end:
1517  UTHFreePackets(&p, 1);
1518  HostShutdown();
1519  return result;
1520 }
1521 
1522 /**
1523  * \test DetectThresholdTestSig13 is a test for checking the working by_rule limits
1524  * by setting up the signature and later testing its working by matching
1525  * received packets against the sig.
1526  *
1527  * \retval 1 on success
1528  * \retval 0 on failure
1529  */
1530 
1531 static int DetectThresholdTestSig13(void)
1532 {
1533  Packet *p = NULL;
1534  Signature *s = NULL;
1535  ThreadVars th_v;
1536  DetectEngineThreadCtx *det_ctx;
1537  int alerts = 0;
1538 
1539  HostInitConfig(HOST_QUIET);
1540 
1541  memset(&th_v, 0, sizeof(th_v));
1542  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1543  FAIL_IF_NULL(p);
1544 
1545  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1546  FAIL_IF_NULL(de_ctx);
1547 
1548  de_ctx->flags |= DE_QUIET;
1549 
1550  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_rule, count 2, seconds 60; sid:1;)");
1551  FAIL_IF_NULL(s);
1552 
1553  SigGroupBuild(de_ctx);
1554  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1555  ThresholdHashRealloc(de_ctx);
1556 
1557  /* should alert twice */
1558  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1559  alerts += PacketAlertCheck(p, 1);
1560  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1561  alerts += PacketAlertCheck(p, 1);
1562  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1563  alerts += PacketAlertCheck(p, 1);
1564  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1565  alerts += PacketAlertCheck(p, 1);
1566 
1567  FAIL_IF(alerts != 2);
1568 
1569  TimeSetIncrementTime(70);
1570  TimeGet(&p->ts);
1571 
1572  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1573  alerts += PacketAlertCheck(p, 1);
1574  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1575  alerts += PacketAlertCheck(p, 1);
1576  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1577  alerts += PacketAlertCheck(p, 1);
1578  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1579  alerts += PacketAlertCheck(p, 1);
1580 
1581  FAIL_IF(alerts != 4);
1582 
1583  SigGroupCleanup(de_ctx);
1584  SigCleanSignatures(de_ctx);
1585  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1586  DetectEngineCtxFree(de_ctx);
1587  UTHFreePackets(&p, 1);
1588  HostShutdown();
1589  PASS;
1590 }
1591 
1592 /**
1593  * \test DetectThresholdTestSig14 is a test for checking the working by_both limits
1594  * by setting up the signature and later testing its working by matching
1595  * received packets against the sig.
1596  *
1597  * \retval 1 on success
1598  * \retval 0 on failure
1599  */
1600 
1601 static int DetectThresholdTestSig14(void)
1602 {
1603  Packet *p1 = NULL;
1604  Packet *p2 = NULL;
1605  Signature *s = NULL;
1606  ThreadVars th_v;
1607  DetectEngineThreadCtx *det_ctx;
1608  int alerts1 = 0;
1609  int alerts2 = 0;
1610 
1611  HostInitConfig(HOST_QUIET);
1612  IPPairInitConfig(IPPAIR_QUIET);
1613 
1614  memset(&th_v, 0, sizeof(th_v));
1615  p1 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1616  p2 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "3.3.3.3", 1024, 80);
1617  FAIL_IF_NULL(p1);
1618  FAIL_IF_NULL(p2);
1619 
1620  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1621  FAIL_IF_NULL(de_ctx);
1622 
1623  de_ctx->flags |= DE_QUIET;
1624 
1625  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_both, count 2, seconds 60; sid:1;)");
1626  FAIL_IF_NULL(s);
1627 
1628  SigGroupBuild(de_ctx);
1629  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1630 
1631  /* Both p1 and p2 should alert twice */
1632  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1633  alerts1 += PacketAlertCheck(p1, 1);
1634  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1635  alerts1 += PacketAlertCheck(p1, 1);
1636  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1637  alerts1 += PacketAlertCheck(p1, 1);
1638  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1639  alerts1 += PacketAlertCheck(p1, 1);
1640 
1641  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1642  alerts2 += PacketAlertCheck(p2, 1);
1643  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1644  alerts2 += PacketAlertCheck(p2, 1);
1645  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1646  alerts2 += PacketAlertCheck(p2, 1);
1647  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1648  alerts2 += PacketAlertCheck(p2, 1);
1649 
1650  FAIL_IF(alerts1 != 2);
1651  FAIL_IF(alerts2 != 2);
1652 
1653  TimeSetIncrementTime(70);
1654  TimeGet(&p1->ts);
1655  TimeGet(&p2->ts);
1656 
1657  /* Now they should both alert again after previous alerts expire */
1658  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1659  alerts1 += PacketAlertCheck(p1, 1);
1660  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1661  alerts2 += PacketAlertCheck(p2, 1);
1662 
1663  FAIL_IF(alerts1 != 3);
1664  FAIL_IF(alerts2 != 3);
1665 
1666  SigGroupCleanup(de_ctx);
1667  SigCleanSignatures(de_ctx);
1668  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1669  DetectEngineCtxFree(de_ctx);
1670  UTHFreePackets(&p1, 1);
1671  UTHFreePackets(&p2, 1);
1672  HostShutdown();
1673  PASS;
1674 }
1675 
1676 #endif /* UNITTESTS */
1677 
1678 void ThresholdRegisterTests(void)
1679 {
1680 #ifdef UNITTESTS
1681  UtRegisterTest("ThresholdTestParse01", ThresholdTestParse01);
1682  UtRegisterTest("ThresholdTestParse02", ThresholdTestParse02);
1683  UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03);
1684  UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04);
1685  UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05);
1686  UtRegisterTest("ThresholdTestParse06", ThresholdTestParse06);
1687  UtRegisterTest("ThresholdTestParse07", ThresholdTestParse07);
1688  UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1);
1689  UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2);
1690  UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3);
1691  UtRegisterTest("DetectThresholdTestSig4", DetectThresholdTestSig4);
1692  UtRegisterTest("DetectThresholdTestSig5", DetectThresholdTestSig5);
1693  UtRegisterTest("DetectThresholdTestSig6Ticks",
1694  DetectThresholdTestSig6Ticks);
1695  UtRegisterTest("DetectThresholdTestSig7", DetectThresholdTestSig7);
1696  UtRegisterTest("DetectThresholdTestSig8", DetectThresholdTestSig8);
1697  UtRegisterTest("DetectThresholdTestSig9", DetectThresholdTestSig9);
1698  UtRegisterTest("DetectThresholdTestSig10", DetectThresholdTestSig10);
1699  UtRegisterTest("DetectThresholdTestSig11", DetectThresholdTestSig11);
1700  UtRegisterTest("DetectThresholdTestSig12", DetectThresholdTestSig12);
1701  UtRegisterTest("DetectThresholdTestSig13", DetectThresholdTestSig13);
1702  UtRegisterTest("DetectThresholdTestSig14", DetectThresholdTestSig14);
1703 #endif /* UNITTESTS */
1704 }
1705 
1706 /**
1707  * @}
1708  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:42
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1204
ts
uint64_t ts
Definition: source-erf-file.c:2
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
SCStrdup
#define SCStrdup(a)
Definition: util-mem.h:268
host-storage.h
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
util-hashlist.h
SigTableElmt_::name
const char * name
Definition: detect.h:1201
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
SCFree
#define SCFree(a)
Definition: util-mem.h:322
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
ThresholdHostStorageId
int ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:75
DetectAddressHeadCleanup
void DetectAddressHeadCleanup(DetectAddressHead *gh)
Cleans a DetectAddressHead. The functions frees the address group heads(ipv4 and ipv6) inside the Det...
Definition: detect-engine-address.c:1480
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::action
uint8_t action
Definition: decode.h:545
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2023
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
HostInitConfig
void HostInitConfig(char quiet)
initialize the configuration
Definition: host.c:175
HostRelease
void HostRelease(Host *h)
Definition: host.c:482
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:761
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:31
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2030
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
DE_QUIET
#define DE_QUIET
Definition: detect.h:292
DetectThresholdEntry_
Definition: detect-threshold.h:68
SigTableElmt_::Free
void(* Free)(void *)
Definition: detect.h:1192
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:167
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1187
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:94
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
UtilCpuGetTicks
uint64_t UtilCpuGetTicks(void)
Definition: util-cpu.c:183
HostGetStorageById
void * HostGetStorageById(Host *h, int id)
Get a value from a given Host storage.
Definition: host-storage.c:84
Signature_::next
struct Signature_ * next
Definition: detect.h:594
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:40
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:16
DetectEngineThreadCtx_
Definition: detect.h:1004
util-cpu.h
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:54
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2440
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-threshold.c:62
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
de
int de
Definition: app-layer-htp.c:565
util-time.h
IPPairInitConfig
void IPPairInitConfig(char quiet)
initialize the configuration
Definition: ippair.c:170
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
SCMalloc
#define SCMalloc(a)
Definition: util-mem.h:222
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:32
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1665
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1947
Signature_::flags
uint32_t flags
Definition: detect.h:523
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:182
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2372
Packet_
Definition: decode.h:408
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:219
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1171
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
SigMatch_::type
uint8_t type
Definition: detect.h:319
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:313
IPPAIR_QUIET
#define IPPAIR_QUIET
Definition: ippair.h:90
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:304
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2726
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Packet_::ts
struct timeval ts
Definition: decode.h:452
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2934
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:307
DOC_URL
#define DOC_URL
Definition: suricata.h:86
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:767
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:33
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:96
detect-parse.h
Signature_
Signature container.
Definition: detect.h:522
SigMatch_
a single match condition for a signature
Definition: detect.h:318
detect-threshold.h
DetectThresholdRegister
void DetectThresholdRegister(void)
Registration function for threshold: keyword.
Definition: detect-threshold.c:75
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1985
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:606
suricata.h
Packet_::dst
Address dst
Definition: decode.h:414
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
ThresholdHashRealloc
void ThresholdHashRealloc(DetectEngineCtx *de_ctx)
Realloc threshold context hash tables.
Definition: detect-engine-threshold.c:666
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:762
ThresholdRegisterTests
void ThresholdRegisterTests(void)
Definition: detect-threshold.c:1678
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:341
flow-var.h
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1372
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
DOC_VERSION
#define DOC_VERSION
Definition: suricata.h:91
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
detect-engine-threshold.h
PACKET_TEST_ACTION
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:847
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:393