suricata
detect-threshold.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup threshold
20  * @{
21  */
22 
23 /**
24  * \file
25  *
26  * \author Breno Silva <breno.silva@gmail.com>
27  * \author Victor Julien <victor@inliniac.net>
28  *
29  * Implements the threshold keyword.
30  *
31  * The feature depends on what is provided
32  * by detect-engine-threshold.c and util-threshold-config.c
33  */
34 
35 #include "suricata-common.h"
36 #include "suricata.h"
37 #include "decode.h"
38 
39 #include "host.h"
40 #include "host-storage.h"
41 
42 #include "detect.h"
43 #include "detect-parse.h"
44 
45 #include "flow-var.h"
46 #include "decode-events.h"
47 #include "stream-tcp.h"
48 
49 #include "detect-threshold.h"
51 #include "detect-engine-address.h"
52 
53 #include "util-unittest.h"
54 #include "util-unittest-helper.h"
55 #include "util-byte.h"
56 #include "util-debug.h"
57 
58 #ifdef UNITTESTS
59 #include "util-cpu.h"
60 #endif
61 
62 #define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*"
63 
64 static DetectParseRegex parse_regex;
65 
66 static int DetectThresholdMatch(DetectEngineThreadCtx *, Packet *,
67  const Signature *, const SigMatchCtx *);
68 static int DetectThresholdSetup(DetectEngineCtx *, Signature *, const char *);
69 static void DetectThresholdFree(DetectEngineCtx *, void *);
70 #ifdef UNITTESTS
71 static void ThresholdRegisterTests(void);
72 #endif
73 
74 /**
75  * \brief Registration function for threshold: keyword
76  */
77 
79 {
80  sigmatch_table[DETECT_THRESHOLD].name = "threshold";
81  sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
82  sigmatch_table[DETECT_THRESHOLD].url = "/rules/thresholding.html#threshold";
83  sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
84  sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
85  sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;
86 #ifdef UNITTESTS
87  sigmatch_table[DETECT_THRESHOLD].RegisterTests = ThresholdRegisterTests;
88 #endif
89  /* this is compatible to ip-only signatures */
91 
92  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex);
93 }
94 
95 static int DetectThresholdMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
96  const Signature *s, const SigMatchCtx *ctx)
97 {
98  return 1;
99 }
100 
101 /**
102  * \internal
103  * \brief This function is used to parse threshold options passed via threshold: keyword
104  *
105  * \param rawstr Pointer to the user provided threshold options
106  *
107  * \retval de pointer to DetectThresholdData on success
108  * \retval NULL on failure
109  */
110 static DetectThresholdData *DetectThresholdParse(const char *rawstr)
111 {
112  DetectThresholdData *de = NULL;
113  int ret = 0, res = 0;
114  int ov[MAX_SUBSTRINGS];
115  const char *str_ptr = NULL;
116  char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
117  char *copy_str = NULL, *threshold_opt = NULL;
118  int second_found = 0, count_found = 0;
119  int type_found = 0, track_found = 0;
120  int second_pos = 0, count_pos = 0;
121  uint16_t pos = 0;
122  int i = 0;
123 
124  copy_str = SCStrdup(rawstr);
125  if (unlikely(copy_str == NULL)) {
126  goto error;
127  }
128 
129  char *saveptr = NULL;
130  for (pos = 0, threshold_opt = strtok_r(copy_str,",", &saveptr);
131  pos < strlen(copy_str) && threshold_opt != NULL;
132  pos++, threshold_opt = strtok_r(NULL,"," , &saveptr))
133  {
134  if(strstr(threshold_opt,"count"))
135  count_found++;
136  if(strstr(threshold_opt,"second"))
137  second_found++;
138  if(strstr(threshold_opt,"type"))
139  type_found++;
140  if(strstr(threshold_opt,"track"))
141  track_found++;
142  }
143  SCFree(copy_str);
144  copy_str = NULL;
145 
146  if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
147  goto error;
148 
149  ret = DetectParsePcreExec(&parse_regex, rawstr, 0, 0, ov, MAX_SUBSTRINGS);
150  if (ret < 5) {
151  SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
152  goto error;
153  }
154 
155  de = SCMalloc(sizeof(DetectThresholdData));
156  if (unlikely(de == NULL))
157  goto error;
158 
159  memset(de,0,sizeof(DetectThresholdData));
160 
161  for (i = 0; i < (ret - 1); i++) {
162 
163  res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS,i + 1, &str_ptr);
164 
165  if (res < 0) {
166  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
167  goto error;
168  }
169 
170  args[i] = (char *)str_ptr;
171 
172  if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
173  de->type = TYPE_LIMIT;
174  if (strncasecmp(args[i],"both",strlen("both")) == 0)
175  de->type = TYPE_BOTH;
176  if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
177  de->type = TYPE_THRESHOLD;
178  if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
179  de->track = TRACK_DST;
180  if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
181  de->track = TRACK_SRC;
182  if (strncasecmp(args[i],"by_both",strlen("by_both")) == 0)
183  de->track = TRACK_BOTH;
184  if (strncasecmp(args[i],"by_rule",strlen("by_rule")) == 0)
185  de->track = TRACK_RULE;
186  if (strncasecmp(args[i],"count",strlen("count")) == 0)
187  count_pos = i+1;
188  if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
189  second_pos = i+1;
190  }
191 
192  if (args[count_pos] == NULL || args[second_pos] == NULL) {
193  goto error;
194  }
195 
196  if (StringParseUint32(&de->count, 10, strlen(args[count_pos]),
197  args[count_pos]) <= 0) {
198  goto error;
199  }
200 
201  if (StringParseUint32(&de->seconds, 10, strlen(args[second_pos]),
202  args[second_pos]) <= 0) {
203  goto error;
204  }
205 
206  for (i = 0; i < (ret - 1); i++){
207  if (args[i] != NULL) SCFree(args[i]);
208  }
209  return de;
210 
211 error:
212  for (i = 0; i < (ret - 1); i++){
213  if (args[i] != NULL) SCFree(args[i]);
214  }
215  if (de != NULL)
216  SCFree(de);
217  return NULL;
218 }
219 
220 /**
221  * \internal
222  * \brief this function is used to add the parsed threshold into the current signature
223  *
224  * \param de_ctx pointer to the Detection Engine Context
225  * \param s pointer to the Current Signature
226  * \param rawstr pointer to the user provided threshold options
227  *
228  * \retval 0 on Success
229  * \retval -1 on Failure
230  */
231 static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const char *rawstr)
232 {
233  DetectThresholdData *de = NULL;
234  SigMatch *sm = NULL;
235  SigMatch *tmpm = NULL;
236 
237  /* checks if there is a previous instance of detection_filter */
239  if (tmpm != NULL) {
240  if (tmpm->type == DETECT_DETECTION_FILTER) {
241  SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
242  "\"threshold\" are not allowed in the same rule");
243  } else {
244  SCLogError(SC_ERR_INVALID_SIGNATURE, "multiple \"threshold\" "
245  "options are not allowed in the same rule");
246  }
247  SCReturnInt(-1);
248  }
249 
250  de = DetectThresholdParse(rawstr);
251  if (de == NULL)
252  goto error;
253 
254  sm = SigMatchAlloc();
255  if (sm == NULL)
256  goto error;
257 
258  sm->type = DETECT_THRESHOLD;
259  sm->ctx = (SigMatchCtx *)de;
260 
262 
263  return 0;
264 
265 error:
266  if (de) SCFree(de);
267  if (sm) SCFree(sm);
268  return -1;
269 }
270 
271 /**
272  * \internal
273  * \brief this function will free memory associated with DetectThresholdData
274  *
275  * \param de pointer to DetectThresholdData
276  */
277 static void DetectThresholdFree(DetectEngineCtx *de_ctx, void *de_ptr)
278 {
280  if (de) {
281  DetectAddressHeadCleanup(&de->addrs);
282  SCFree(de);
283  }
284 }
285 
286 /**
287  * \brief Make a deep-copy of an extant DetectTHresholdData object.
288  *
289  * \param de pointer to DetectThresholdData
290  */
292 {
293  DetectThresholdData *new_de = SCCalloc(1, sizeof(DetectThresholdData));
294  if (unlikely(new_de == NULL))
295  return NULL;
296 
297  *new_de = *de;
298  new_de->addrs.ipv4_head = NULL;
299  new_de->addrs.ipv6_head = NULL;
300 
301  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv4_head; tmp_ad; tmp_ad = tmp_ad->next) {
302  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
303  if (n_addr == NULL)
304  goto error;
305  if (last == NULL) {
306  new_de->addrs.ipv4_head = n_addr;
307  } else {
308  last->next = n_addr;
309  n_addr->prev = last;
310  }
311  last = n_addr;
312  }
313  for (DetectAddress *last = NULL, *tmp_ad = de->addrs.ipv6_head; tmp_ad; tmp_ad = tmp_ad->next) {
314  DetectAddress *n_addr = DetectAddressCopy(tmp_ad);
315  if (n_addr == NULL)
316  goto error;
317  if (last == NULL) {
318  new_de->addrs.ipv6_head = n_addr;
319  } else {
320  last->next = n_addr;
321  n_addr->prev = last;
322  }
323  last = n_addr;
324  }
325 
326  return new_de;
327 
328 error:
329  DetectThresholdFree(NULL, new_de);
330  return NULL;
331 }
332 
333 /*
334  * ONLY TESTS BELOW THIS COMMENT
335  */
336 #ifdef UNITTESTS
337 #include "detect-engine.h"
338 #include "detect-engine-mpm.h"
339 #include "util-time.h"
340 #include "util-hashlist.h"
341 
342 /**
343  * \test ThresholdTestParse01 is a test for a valid threshold options
344  *
345  * \retval 1 on success
346  * \retval 0 on failure
347  */
348 static int ThresholdTestParse01(void)
349 {
350  DetectThresholdData *de = NULL;
351  de = DetectThresholdParse("type limit,track by_dst,count 10,seconds 60");
352  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
353  DetectThresholdFree(NULL, de);
354  return 1;
355  }
356 
357  return 0;
358 }
359 
360 /**
361  * \test ThresholdTestParse02 is a test for a invalid threshold options
362  *
363  * \retval 1 on success
364  * \retval 0 on failure
365  */
366 static int ThresholdTestParse02(void)
367 {
368  DetectThresholdData *de = NULL;
369  de = DetectThresholdParse("type any,track by_dst,count 10,seconds 60");
370  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
371  DetectThresholdFree(NULL, de);
372  return 0;
373  }
374 
375  return 1;
376 }
377 
378 /**
379  * \test ThresholdTestParse03 is a test for a valid threshold options in any order
380  *
381  * \retval 1 on success
382  * \retval 0 on failure
383  */
384 static int ThresholdTestParse03(void)
385 {
386  DetectThresholdData *de = NULL;
387  de = DetectThresholdParse("track by_dst, type limit, seconds 60, count 10");
388  if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
389  DetectThresholdFree(NULL, de);
390  return 1;
391  }
392 
393  return 0;
394 }
395 
396 
397 /**
398  * \test ThresholdTestParse04 is a test for an invalid threshold options in any order
399  *
400  * \retval 1 on success
401  * \retval 0 on failure
402  */
403 static int ThresholdTestParse04(void)
404 {
405  DetectThresholdData *de = NULL;
406  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both, count 10");
407  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
408  DetectThresholdFree(NULL, de);
409  return 0;
410  }
411 
412  return 1;
413 }
414 
415 /**
416  * \test ThresholdTestParse05 is a test for a valid threshold options in any order
417  *
418  * \retval 1 on success
419  * \retval 0 on failure
420  */
421 static int ThresholdTestParse05(void)
422 {
423  DetectThresholdData *de = NULL;
424  de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both");
425  if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
426  DetectThresholdFree(NULL, de);
427  return 1;
428  }
429 
430  return 0;
431 }
432 
433 /**
434  * \test ThresholdTestParse06 is a test for thresholding by_both
435  *
436  * \retval 1 on success
437  * \retval 0 on failure
438  */
439 static int ThresholdTestParse06(void)
440 {
441  DetectThresholdData *de = NULL;
442  de = DetectThresholdParse("count 10, track by_both, seconds 60, type limit");
443  FAIL_IF_NULL(de);
444  FAIL_IF_NOT(de->type == TYPE_LIMIT);
445  FAIL_IF_NOT(de->track == TRACK_BOTH);
446  FAIL_IF_NOT(de->count == 10);
447  FAIL_IF_NOT(de->seconds == 60);
448  DetectThresholdFree(NULL, de);
449  PASS;
450 }
451 
452 /**
453  * \test ThresholdTestParse07 is a test for thresholding by_rule
454  *
455  * \retval 1 on success
456  * \retval 0 on failure
457  */
458 static int ThresholdTestParse07(void)
459 {
460  DetectThresholdData *de = NULL;
461  de = DetectThresholdParse("count 10, track by_rule, seconds 60, type limit");
462  FAIL_IF_NULL(de);
463  FAIL_IF_NOT(de->type == TYPE_LIMIT);
464  FAIL_IF_NOT(de->track == TRACK_RULE);
465  FAIL_IF_NOT(de->count == 10);
466  FAIL_IF_NOT(de->seconds == 60);
467  DetectThresholdFree(NULL, de);
468  PASS;
469 }
470 
471 /**
472  * \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
473  * by setting up the signature and later testing its working by matching
474  * the received packet against the sig.
475  *
476  * \retval 1 on success
477  * \retval 0 on failure
478  */
479 
480 static int DetectThresholdTestSig1(void)
481 {
482  Packet *p = NULL;
483  Signature *s = NULL;
484  ThreadVars th_v;
485  DetectEngineThreadCtx *det_ctx;
486  int result = 0;
487  int alerts = 0;
488 
490 
491  memset(&th_v, 0, sizeof(th_v));
492 
493  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
494 
496  if (de_ctx == NULL) {
497  goto end;
498  }
499 
500  de_ctx->flags |= DE_QUIET;
501 
502  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
503  if (s == NULL) {
504  goto end;
505  }
506 
508 
509  if (s->flags & SIG_FLAG_IPONLY) {
510  printf("signature is ip-only: ");
511  goto end;
512  }
513 
514  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
515 
516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
517  alerts = PacketAlertCheck(p, 1);
518  if (alerts != 1) {
519  printf("alerts %"PRIi32", expected 1: ", alerts);
520  }
521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
522  alerts += PacketAlertCheck(p, 1);
523  if (alerts != 2) {
524  printf("alerts %"PRIi32", expected 2: ", alerts);
525  }
526  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
527  alerts += PacketAlertCheck(p, 1);
528  if (alerts != 3) {
529  printf("alerts %"PRIi32", expected 3: ", alerts);
530  }
531  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
532  alerts += PacketAlertCheck(p, 1);
533  if (alerts != 4) {
534  printf("alerts %"PRIi32", expected 4: ", alerts);
535  }
536  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
537  alerts += PacketAlertCheck(p, 1);
538  if (alerts != 5) {
539  printf("alerts %"PRIi32", expected 5: ", alerts);
540  }
541  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
542  alerts += PacketAlertCheck(p, 1);
543  if (alerts != 5) {
544  printf("alerts %"PRIi32", expected 5: ", alerts);
545  }
546  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
547  alerts += PacketAlertCheck(p, 1);
548  if (alerts != 5) {
549  printf("alerts %"PRIi32", expected 5: ", alerts);
550  }
551  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
552  alerts += PacketAlertCheck(p, 1);
553  if (alerts != 5) {
554  printf("alerts %"PRIi32", expected 5: ", alerts);
555  }
556 
557  if(alerts == 5)
558  result = 1;
559  else
560  printf("alerts %"PRIi32", expected 5: ", alerts);
561 
564 
565  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
567 
568  UTHFreePackets(&p, 1);
569 
570  HostShutdown();
571 end:
572  return result;
573 }
574 
575 /**
576  * \test DetectThresholdTestSig2 is a test for checking the working of threshold keyword
577  * by setting up the signature and later testing its working by matching
578  * the received packet against the sig.
579  *
580  * \retval 1 on success
581  * \retval 0 on failure
582  */
583 
584 static int DetectThresholdTestSig2(void)
585 {
586  Packet *p = NULL;
587  Signature *s = NULL;
588  ThreadVars th_v;
589  DetectEngineThreadCtx *det_ctx;
590  int result = 0;
591  int alerts = 0;
592 
594 
595  memset(&th_v, 0, sizeof(th_v));
596 
597  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
598 
600  if (de_ctx == NULL) {
601  goto end;
602  }
603 
604  de_ctx->flags |= DE_QUIET;
605 
606  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
607  if (s == NULL) {
608  goto end;
609  }
610 
612  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
613 
614  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
615  alerts = PacketAlertCheck(p, 1);
616  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
617  alerts += PacketAlertCheck(p, 1);
618  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
619  alerts += PacketAlertCheck(p, 1);
620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
621  alerts += PacketAlertCheck(p, 1);
622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
623  alerts += PacketAlertCheck(p, 1);
624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
625  alerts += PacketAlertCheck(p, 1);
626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
627  alerts += PacketAlertCheck(p, 1);
628  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
629  alerts += PacketAlertCheck(p, 1);
630  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
631  alerts += PacketAlertCheck(p, 1);
632  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
633  alerts += PacketAlertCheck(p, 1);
634 
635  if (alerts == 2)
636  result = 1;
637  else
638  goto cleanup;
639 
640 cleanup:
643 
644  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
646 
647 end:
648  UTHFreePackets(&p, 1);
649  HostShutdown();
650  return result;
651 }
652 
653 /**
654  * \test DetectThresholdTestSig3 is a test for checking the working of limit keyword
655  * by setting up the signature and later testing its working by matching
656  * the received packet against the sig.
657  *
658  * \retval 1 on success
659  * \retval 0 on failure
660  */
661 
662 static int DetectThresholdTestSig3(void)
663 {
664  Packet *p = NULL;
665  Signature *s = NULL;
666  ThreadVars th_v;
667  DetectEngineThreadCtx *det_ctx;
668  int result = 0;
669  int alerts = 0;
670  struct timeval ts;
671  DetectThresholdEntry *lookup_tsh = NULL;
672 
674 
675  memset (&ts, 0, sizeof(struct timeval));
676  TimeGet(&ts);
677 
678  memset(&th_v, 0, sizeof(th_v));
679 
680  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
681 
683  if (de_ctx == NULL) {
684  goto end;
685  }
686 
687  de_ctx->flags |= DE_QUIET;
688 
689  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
690  if (s == NULL) {
691  goto end;
692  }
693 
695  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
696 
697  TimeGet(&p->ts);
698 
699  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
700  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
701  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
702 
703  Host *host = HostLookupHostFromHash(&p->dst);
704  if (host == NULL) {
705  printf("host not found: ");
706  goto cleanup;
707  }
708 
709  if (!(ThresholdHostHasThreshold(host))) {
710  HostRelease(host);
711  printf("host has no threshold: ");
712  goto cleanup;
713  }
714  HostRelease(host);
715 
717  TimeGet(&p->ts);
718 
719  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
720  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
721  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
722 
723  host = HostLookupHostFromHash(&p->dst);
724  if (host == NULL) {
725  printf("host not found: ");
726  goto cleanup;
727  }
728  HostRelease(host);
729 
730  lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
731  if (lookup_tsh == NULL) {
732  HostRelease(host);
733  printf("lookup_tsh is NULL: ");
734  goto cleanup;
735  }
736 
737  alerts = lookup_tsh->current_count;
738 
739  if (alerts == 3)
740  result = 1;
741  else {
742  printf("alerts %u != 3: ", alerts);
743  goto cleanup;
744  }
745 
746 cleanup:
749 
750  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
752 end:
753  UTHFreePackets(&p, 1);
754  HostShutdown();
755  return result;
756 }
757 
758 /**
759  * \test DetectThresholdTestSig4 is a test for checking the working of both keyword
760  * by setting up the signature and later testing its working by matching
761  * the received packet against the sig.
762  *
763  * \retval 1 on success
764  * \retval 0 on failure
765  */
766 
767 static int DetectThresholdTestSig4(void)
768 {
769  Packet *p = NULL;
770  Signature *s = NULL;
771  ThreadVars th_v;
772  DetectEngineThreadCtx *det_ctx;
773  int result = 0;
774  int alerts = 0;
775  struct timeval ts;
776 
778 
779  memset (&ts, 0, sizeof(struct timeval));
780  TimeGet(&ts);
781 
782  memset(&th_v, 0, sizeof(th_v));
783 
784  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
785 
787  if (de_ctx == NULL) {
788  goto end;
789  }
790 
791  de_ctx->flags |= DE_QUIET;
792 
793  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
794  if (s == NULL) {
795  goto end;
796  }
797 
799  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
800 
801  TimeGet(&p->ts);
802  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
803  alerts = PacketAlertCheck(p, 10);
804  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
805  alerts += PacketAlertCheck(p, 10);
806  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
807  alerts += PacketAlertCheck(p, 10);
808 
810  TimeGet(&p->ts);
811 
812  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
813  alerts += PacketAlertCheck(p, 10);
814  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
815  alerts += PacketAlertCheck(p, 10);
816  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
817  alerts += PacketAlertCheck(p, 10);
818 
819  if (alerts == 2)
820  result = 1;
821  else
822  goto cleanup;
823 
824 cleanup:
827 
828  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
830 end:
831  UTHFreePackets(&p, 1);
832  HostShutdown();
833  return result;
834 }
835 
836 /**
837  * \test DetectThresholdTestSig5 is a test for checking the working of limit keyword
838  * by setting up the signature and later testing its working by matching
839  * the received packet against the sig.
840  *
841  * \retval 1 on success
842  * \retval 0 on failure
843  */
844 
845 static int DetectThresholdTestSig5(void)
846 {
847  Packet *p = NULL;
848  Signature *s = NULL;
849  ThreadVars th_v;
850  DetectEngineThreadCtx *det_ctx;
851  int result = 0;
852  int alerts = 0;
853 
855 
856  memset(&th_v, 0, sizeof(th_v));
857  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
858 
860  if (de_ctx == NULL) {
861  goto end;
862  }
863 
864  de_ctx->flags |= DE_QUIET;
865 
866  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
867  if (s == NULL) {
868  goto end;
869  }
870 
871  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
872  if (s == NULL) {
873  goto end;
874  }
875 
877  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
878 
879  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
880  alerts = PacketAlertCheck(p, 1);
881  alerts += PacketAlertCheck(p, 1000);
882  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
883  alerts += PacketAlertCheck(p, 1);
884  alerts += PacketAlertCheck(p, 1000);
885  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
886  alerts += PacketAlertCheck(p, 1);
887  alerts += PacketAlertCheck(p, 1000);
888  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
889  alerts += PacketAlertCheck(p, 1);
890  alerts += PacketAlertCheck(p, 1000);
891  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
892  alerts += PacketAlertCheck(p, 1);
893  alerts += PacketAlertCheck(p, 1000);
894  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
895  alerts += PacketAlertCheck(p, 1);
896  alerts += PacketAlertCheck(p, 1000);
897  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
898  alerts += PacketAlertCheck(p, 1);
899  alerts += PacketAlertCheck(p, 1000);
900  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
901  alerts += PacketAlertCheck(p, 1);
902  alerts += PacketAlertCheck(p, 1000);
903 
904  if(alerts == 10)
905  result = 1;
906  else {
907  printf("alerts %d != 10: ", alerts);
908  goto cleanup;
909  }
910 
911 cleanup:
914 
915  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
917 
918 end:
919  UTHFreePackets(&p, 1);
920  HostShutdown();
921  return result;
922 }
923 
924 static int DetectThresholdTestSig6Ticks(void)
925 {
926  Packet *p = NULL;
927  Signature *s = NULL;
928  ThreadVars th_v;
929  DetectEngineThreadCtx *det_ctx;
930  int result = 0;
931  int alerts = 0;
932 
934 
935  memset(&th_v, 0, sizeof(th_v));
936  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
937 
939  if (de_ctx == NULL) {
940  goto end;
941  }
942 
943  de_ctx->flags |= DE_QUIET;
944 
945  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
946  if (s == NULL) {
947  goto end;
948  }
949 
950  s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
951  if (s == NULL) {
952  goto end;
953  }
954 
956  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
957 
958  uint64_t ticks_start = 0;
959  uint64_t ticks_end = 0;
960 
961  ticks_start = UtilCpuGetTicks();
962  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
963  alerts = PacketAlertCheck(p, 1);
964  alerts += PacketAlertCheck(p, 1000);
965  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
966  alerts += PacketAlertCheck(p, 1);
967  alerts += PacketAlertCheck(p, 1000);
968  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
969  alerts += PacketAlertCheck(p, 1);
970  alerts += PacketAlertCheck(p, 1000);
971  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
972  alerts += PacketAlertCheck(p, 1);
973  alerts += PacketAlertCheck(p, 1000);
974  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
975  alerts += PacketAlertCheck(p, 1);
976  alerts += PacketAlertCheck(p, 1000);
977  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
978  alerts += PacketAlertCheck(p, 1);
979  alerts += PacketAlertCheck(p, 1000);
980  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
981  alerts += PacketAlertCheck(p, 1);
982  alerts += PacketAlertCheck(p, 1000);
983  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
984  alerts += PacketAlertCheck(p, 1);
985  alerts += PacketAlertCheck(p, 1000);
986  ticks_end = UtilCpuGetTicks();
987  printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
988 
989  if(alerts == 10)
990  result = 1;
991  else
992  goto cleanup;
993 
994 cleanup:
997 
998  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1000 
1001 end:
1002  UTHFreePackets(&p, 1);
1003  HostShutdown();
1004  return result;
1005 }
1006 
1007 /**
1008  * \test Test drop action being set even if thresholded
1009  */
1010 static int DetectThresholdTestSig7(void)
1011 {
1012  Packet *p = NULL;
1013  Signature *s = NULL;
1014  ThreadVars th_v;
1015  DetectEngineThreadCtx *det_ctx;
1016  int result = 0;
1017  int alerts = 0;
1018  int drops = 0;
1019  struct timeval ts;
1020 
1022 
1023  memset (&ts, 0, sizeof(struct timeval));
1024  TimeGet(&ts);
1025 
1026  memset(&th_v, 0, sizeof(th_v));
1027 
1028  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1029 
1031  if (de_ctx == NULL) {
1032  goto end;
1033  }
1034 
1035  de_ctx->flags |= DE_QUIET;
1036 
1037  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 1, seconds 300; sid:10;)");
1038  if (s == NULL) {
1039  goto end;
1040  }
1041 
1043  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1044 
1045  TimeGet(&p->ts);
1046  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1047  alerts = PacketAlertCheck(p, 10);
1048  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1049  p->action = 0;
1050 
1051  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1052  alerts += PacketAlertCheck(p, 10);
1053  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1054  p->action = 0;
1055 
1056  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1057  alerts += PacketAlertCheck(p, 10);
1058  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1059  p->action = 0;
1060 
1061  TimeSetIncrementTime(200);
1062  TimeGet(&p->ts);
1063 
1064  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1065  alerts += PacketAlertCheck(p, 10);
1066  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1067  p->action = 0;
1068 
1069  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1070  alerts += PacketAlertCheck(p, 10);
1071  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1072  p->action = 0;
1073 
1074  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1075  alerts += PacketAlertCheck(p, 10);
1076  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1077  p->action = 0;
1078 
1079  if (alerts == 1 && drops == 6)
1080  result = 1;
1081  else {
1082  if (alerts != 1)
1083  printf("alerts: %d != 1: ", alerts);
1084  if (drops != 6)
1085  printf("drops: %d != 6: ", drops);
1086  goto cleanup;
1087  }
1088 
1089 cleanup:
1092 
1093  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1095 end:
1096  UTHFreePackets(&p, 1);
1097  HostShutdown();
1098  return result;
1099 }
1100 
1101 /**
1102  * \test Test drop action being set even if thresholded
1103  */
1104 static int DetectThresholdTestSig8(void)
1105 {
1106  Packet *p = NULL;
1107  Signature *s = NULL;
1108  ThreadVars th_v;
1109  DetectEngineThreadCtx *det_ctx;
1110  int result = 0;
1111  int alerts = 0;
1112  int drops = 0;
1113  struct timeval ts;
1114 
1116 
1117  memset (&ts, 0, sizeof(struct timeval));
1118  TimeGet(&ts);
1119 
1120  memset(&th_v, 0, sizeof(th_v));
1121 
1122  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1123 
1125  if (de_ctx == NULL) {
1126  goto end;
1127  }
1128 
1129  de_ctx->flags |= DE_QUIET;
1130 
1131  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 2, seconds 300; sid:10;)");
1132  if (s == NULL) {
1133  goto end;
1134  }
1135 
1137  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1138 
1139  TimeGet(&p->ts);
1140  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1141  alerts = PacketAlertCheck(p, 10);
1142  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1143  p->action = 0;
1144 
1145  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1146  alerts += PacketAlertCheck(p, 10);
1147  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1148  p->action = 0;
1149 
1150  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1151  alerts += PacketAlertCheck(p, 10);
1152  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1153  p->action = 0;
1154 
1155  TimeSetIncrementTime(200);
1156  TimeGet(&p->ts);
1157 
1158  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1159  alerts += PacketAlertCheck(p, 10);
1160  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1161  p->action = 0;
1162 
1163  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1164  alerts += PacketAlertCheck(p, 10);
1165  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1166  p->action = 0;
1167 
1168  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1169  alerts += PacketAlertCheck(p, 10);
1170  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1171  p->action = 0;
1172 
1173  if (alerts == 2 && drops == 6)
1174  result = 1;
1175  else {
1176  if (alerts != 1)
1177  printf("alerts: %d != 1: ", alerts);
1178  if (drops != 6)
1179  printf("drops: %d != 6: ", drops);
1180  goto cleanup;
1181  }
1182 
1183 cleanup:
1186 
1187  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1189 end:
1190  UTHFreePackets(&p, 1);
1191  HostShutdown();
1192  return result;
1193 }
1194 
1195 /**
1196  * \test Test drop action being set even if thresholded
1197  */
1198 static int DetectThresholdTestSig9(void)
1199 {
1200  Packet *p = NULL;
1201  Signature *s = NULL;
1202  ThreadVars th_v;
1203  DetectEngineThreadCtx *det_ctx;
1204  int result = 0;
1205  int alerts = 0;
1206  int drops = 0;
1207  struct timeval ts;
1208 
1210 
1211  memset (&ts, 0, sizeof(struct timeval));
1212  TimeGet(&ts);
1213 
1214  memset(&th_v, 0, sizeof(th_v));
1215 
1216  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1217 
1219  if (de_ctx == NULL) {
1220  goto end;
1221  }
1222 
1223  de_ctx->flags |= DE_QUIET;
1224 
1225  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 3, seconds 100; sid:10;)");
1226  if (s == NULL) {
1227  goto end;
1228  }
1229 
1231  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1232 
1233  TimeGet(&p->ts);
1234  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1235  alerts = PacketAlertCheck(p, 10);
1236  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1237  p->action = 0;
1238 
1239  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1240  alerts += PacketAlertCheck(p, 10);
1241  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1242  p->action = 0;
1243 
1244  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1245  alerts += PacketAlertCheck(p, 10);
1246  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1247  p->action = 0;
1248 
1249  TimeSetIncrementTime(200);
1250  TimeGet(&p->ts);
1251 
1252  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1253  alerts += PacketAlertCheck(p, 10);
1254  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1255  p->action = 0;
1256 
1257  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1258  alerts += PacketAlertCheck(p, 10);
1259  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1260  p->action = 0;
1261 
1262  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1263  alerts += PacketAlertCheck(p, 10);
1264  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1265  p->action = 0;
1266 
1267  if (alerts == 2 && drops == 2)
1268  result = 1;
1269  else {
1270  if (alerts != 2)
1271  printf("alerts: %d != 2: ", alerts);
1272  if (drops != 2)
1273  printf("drops: %d != 2: ", drops);
1274  goto cleanup;
1275  }
1276 
1277 cleanup:
1280 
1281  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1283 end:
1284  UTHFreePackets(&p, 1);
1285  HostShutdown();
1286  return result;
1287 }
1288 
1289 /**
1290  * \test Test drop action being set even if thresholded
1291  */
1292 static int DetectThresholdTestSig10(void)
1293 {
1294  Packet *p = NULL;
1295  Signature *s = NULL;
1296  ThreadVars th_v;
1297  DetectEngineThreadCtx *det_ctx;
1298  int result = 0;
1299  int alerts = 0;
1300  int drops = 0;
1301  struct timeval ts;
1302 
1304 
1305  memset (&ts, 0, sizeof(struct timeval));
1306  TimeGet(&ts);
1307 
1308  memset(&th_v, 0, sizeof(th_v));
1309 
1310  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1311 
1313  if (de_ctx == NULL) {
1314  goto end;
1315  }
1316 
1317  de_ctx->flags |= DE_QUIET;
1318 
1319  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 5, seconds 300; sid:10;)");
1320  if (s == NULL) {
1321  goto end;
1322  }
1323 
1325  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1326 
1327  TimeGet(&p->ts);
1328  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1329  alerts = PacketAlertCheck(p, 10);
1330  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1331  p->action = 0;
1332 
1333  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1334  alerts += PacketAlertCheck(p, 10);
1335  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1336  p->action = 0;
1337 
1338  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1339  alerts += PacketAlertCheck(p, 10);
1340  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1341  p->action = 0;
1342 
1343  TimeSetIncrementTime(200);
1344  TimeGet(&p->ts);
1345 
1346  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1347  alerts += PacketAlertCheck(p, 10);
1348  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1349  p->action = 0;
1350 
1351  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1352  alerts += PacketAlertCheck(p, 10);
1353  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1354  p->action = 0;
1355 
1356  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1357  alerts += PacketAlertCheck(p, 10);
1358  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1359  p->action = 0;
1360 
1361  if (alerts == 1 && drops == 1)
1362  result = 1;
1363  else {
1364  if (alerts != 1)
1365  printf("alerts: %d != 1: ", alerts);
1366  if (drops != 1)
1367  printf("drops: %d != 1: ", drops);
1368  goto cleanup;
1369  }
1370 
1371 cleanup:
1374 
1375  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1377 end:
1378  UTHFreePackets(&p, 1);
1379  HostShutdown();
1380  return result;
1381 }
1382 
1383 /**
1384  * \test Test drop action being set even if thresholded
1385  */
1386 static int DetectThresholdTestSig11(void)
1387 {
1388  Packet *p = NULL;
1389  Signature *s = NULL;
1390  ThreadVars th_v;
1391  DetectEngineThreadCtx *det_ctx;
1392  int result = 0;
1393  int alerts = 0;
1394  int drops = 0;
1395  struct timeval ts;
1396 
1398 
1399  memset (&ts, 0, sizeof(struct timeval));
1400  TimeGet(&ts);
1401 
1402  memset(&th_v, 0, sizeof(th_v));
1403 
1404  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1405 
1407  if (de_ctx == NULL) {
1408  goto end;
1409  }
1410 
1411  de_ctx->flags |= DE_QUIET;
1412 
1413  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 3, seconds 300; sid:10;)");
1414  if (s == NULL) {
1415  goto end;
1416  }
1417 
1419  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1420 
1421  TimeGet(&p->ts);
1422  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1423  alerts = PacketAlertCheck(p, 10);
1424  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1425  p->action = 0;
1426 
1427  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1428  alerts += PacketAlertCheck(p, 10);
1429  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1430  p->action = 0;
1431 
1432  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1433  alerts += PacketAlertCheck(p, 10);
1434  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1435  p->action = 0;
1436 
1437  TimeSetIncrementTime(200);
1438  TimeGet(&p->ts);
1439 
1440  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1441  alerts += PacketAlertCheck(p, 10);
1442  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1443  p->action = 0;
1444 
1445  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1446  alerts += PacketAlertCheck(p, 10);
1447  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1448  p->action = 0;
1449 
1450  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1451  alerts += PacketAlertCheck(p, 10);
1452  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1453  p->action = 0;
1454 
1455  if (alerts == 1 && drops == 4)
1456  result = 1;
1457  else {
1458  if (alerts != 1)
1459  printf("alerts: %d != 1: ", alerts);
1460  if (drops != 4)
1461  printf("drops: %d != 4: ", drops);
1462  goto cleanup;
1463  }
1464 
1465 cleanup:
1468 
1469  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1471 end:
1472  UTHFreePackets(&p, 1);
1473  HostShutdown();
1474  return result;
1475 }
1476 
1477 /**
1478  * \test Test drop action being set even if thresholded
1479  */
1480 static int DetectThresholdTestSig12(void)
1481 {
1482  Packet *p = NULL;
1483  Signature *s = NULL;
1484  ThreadVars th_v;
1485  DetectEngineThreadCtx *det_ctx;
1486  int result = 0;
1487  int alerts = 0;
1488  int drops = 0;
1489  struct timeval ts;
1490 
1492 
1493  memset (&ts, 0, sizeof(struct timeval));
1494  TimeGet(&ts);
1495 
1496  memset(&th_v, 0, sizeof(th_v));
1497 
1498  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1499 
1501  if (de_ctx == NULL) {
1502  goto end;
1503  }
1504 
1505  de_ctx->flags |= DE_QUIET;
1506 
1507  s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 5, seconds 300; sid:10;)");
1508  if (s == NULL) {
1509  goto end;
1510  }
1511 
1513  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1514 
1515  TimeGet(&p->ts);
1516  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1517  alerts = PacketAlertCheck(p, 10);
1518  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1519  p->action = 0;
1520 
1521  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1522  alerts += PacketAlertCheck(p, 10);
1523  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1524  p->action = 0;
1525 
1526  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1527  alerts += PacketAlertCheck(p, 10);
1528  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1529  p->action = 0;
1530 
1531  TimeSetIncrementTime(200);
1532  TimeGet(&p->ts);
1533 
1534  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1535  alerts += PacketAlertCheck(p, 10);
1536  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1537  p->action = 0;
1538 
1539  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1540  alerts += PacketAlertCheck(p, 10);
1541  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1542  p->action = 0;
1543 
1544  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1545  alerts += PacketAlertCheck(p, 10);
1546  drops += ((PacketTestAction(p, ACTION_DROP)) ? 1 : 0);
1547  p->action = 0;
1548 
1549  if (alerts == 1 && drops == 2)
1550  result = 1;
1551  else {
1552  if (alerts != 1)
1553  printf("alerts: %d != 1: ", alerts);
1554  if (drops != 2)
1555  printf("drops: %d != 2: ", drops);
1556  goto cleanup;
1557  }
1558 
1559 cleanup:
1562 
1563  DetectEngineThreadCtxDeinit(&th_v, (void*)det_ctx);
1565 end:
1566  UTHFreePackets(&p, 1);
1567  HostShutdown();
1568  return result;
1569 }
1570 
1571 /**
1572  * \test DetectThresholdTestSig13 is a test for checking the working by_rule limits
1573  * by setting up the signature and later testing its working by matching
1574  * received packets against the sig.
1575  *
1576  * \retval 1 on success
1577  * \retval 0 on failure
1578  */
1579 
1580 static int DetectThresholdTestSig13(void)
1581 {
1582  Packet *p = NULL;
1583  Signature *s = NULL;
1584  ThreadVars th_v;
1585  DetectEngineThreadCtx *det_ctx;
1586  int alerts = 0;
1587 
1589 
1590  memset(&th_v, 0, sizeof(th_v));
1591  p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1592  FAIL_IF_NULL(p);
1593 
1596 
1597  de_ctx->flags |= DE_QUIET;
1598 
1599  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_rule, count 2, seconds 60; sid:1;)");
1600  FAIL_IF_NULL(s);
1601 
1603  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1604 
1605  /* should alert twice */
1606  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1607  alerts += PacketAlertCheck(p, 1);
1608  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1609  alerts += PacketAlertCheck(p, 1);
1610  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1611  alerts += PacketAlertCheck(p, 1);
1612  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1613  alerts += PacketAlertCheck(p, 1);
1614 
1615  FAIL_IF(alerts != 2);
1616 
1618  TimeGet(&p->ts);
1619 
1620  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1621  alerts += PacketAlertCheck(p, 1);
1622  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1623  alerts += PacketAlertCheck(p, 1);
1624  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1625  alerts += PacketAlertCheck(p, 1);
1626  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
1627  alerts += PacketAlertCheck(p, 1);
1628 
1629  FAIL_IF(alerts != 4);
1630 
1633  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1635  UTHFreePackets(&p, 1);
1636  HostShutdown();
1637  PASS;
1638 }
1639 
1640 /**
1641  * \test DetectThresholdTestSig14 is a test for checking the working by_both limits
1642  * by setting up the signature and later testing its working by matching
1643  * received packets against the sig.
1644  *
1645  * \retval 1 on success
1646  * \retval 0 on failure
1647  */
1648 
1649 static int DetectThresholdTestSig14(void)
1650 {
1651  Packet *p1 = NULL;
1652  Packet *p2 = NULL;
1653  Signature *s = NULL;
1654  ThreadVars th_v;
1655  DetectEngineThreadCtx *det_ctx;
1656  int alerts1 = 0;
1657  int alerts2 = 0;
1658 
1661 
1662  memset(&th_v, 0, sizeof(th_v));
1663  p1 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
1664  p2 = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "3.3.3.3", 1024, 80);
1665  FAIL_IF_NULL(p1);
1666  FAIL_IF_NULL(p2);
1667 
1670 
1671  de_ctx->flags |= DE_QUIET;
1672 
1673  s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_both, count 2, seconds 60; sid:1;)");
1674  FAIL_IF_NULL(s);
1675 
1677  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
1678 
1679  /* Both p1 and p2 should alert twice */
1680  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1681  alerts1 += PacketAlertCheck(p1, 1);
1682  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1683  alerts1 += PacketAlertCheck(p1, 1);
1684  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1685  alerts1 += PacketAlertCheck(p1, 1);
1686  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1687  alerts1 += PacketAlertCheck(p1, 1);
1688 
1689  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1690  alerts2 += PacketAlertCheck(p2, 1);
1691  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1692  alerts2 += PacketAlertCheck(p2, 1);
1693  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1694  alerts2 += PacketAlertCheck(p2, 1);
1695  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1696  alerts2 += PacketAlertCheck(p2, 1);
1697 
1698  FAIL_IF(alerts1 != 2);
1699  FAIL_IF(alerts2 != 2);
1700 
1702  TimeGet(&p1->ts);
1703  TimeGet(&p2->ts);
1704 
1705  /* Now they should both alert again after previous alerts expire */
1706  SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
1707  alerts1 += PacketAlertCheck(p1, 1);
1708  SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
1709  alerts2 += PacketAlertCheck(p2, 1);
1710 
1711  FAIL_IF(alerts1 != 3);
1712  FAIL_IF(alerts2 != 3);
1713 
1716  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
1718  UTHFreePackets(&p1, 1);
1719  UTHFreePackets(&p2, 1);
1720  HostShutdown();
1721  PASS;
1722 }
1723 
1724 static void ThresholdRegisterTests(void)
1725 {
1726  UtRegisterTest("ThresholdTestParse01", ThresholdTestParse01);
1727  UtRegisterTest("ThresholdTestParse02", ThresholdTestParse02);
1728  UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03);
1729  UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04);
1730  UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05);
1731  UtRegisterTest("ThresholdTestParse06", ThresholdTestParse06);
1732  UtRegisterTest("ThresholdTestParse07", ThresholdTestParse07);
1733  UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1);
1734  UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2);
1735  UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3);
1736  UtRegisterTest("DetectThresholdTestSig4", DetectThresholdTestSig4);
1737  UtRegisterTest("DetectThresholdTestSig5", DetectThresholdTestSig5);
1738  UtRegisterTest("DetectThresholdTestSig6Ticks",
1739  DetectThresholdTestSig6Ticks);
1740  UtRegisterTest("DetectThresholdTestSig7", DetectThresholdTestSig7);
1741  UtRegisterTest("DetectThresholdTestSig8", DetectThresholdTestSig8);
1742  UtRegisterTest("DetectThresholdTestSig9", DetectThresholdTestSig9);
1743  UtRegisterTest("DetectThresholdTestSig10", DetectThresholdTestSig10);
1744  UtRegisterTest("DetectThresholdTestSig11", DetectThresholdTestSig11);
1745  UtRegisterTest("DetectThresholdTestSig12", DetectThresholdTestSig12);
1746  UtRegisterTest("DetectThresholdTestSig13", DetectThresholdTestSig13);
1747  UtRegisterTest("DetectThresholdTestSig14", DetectThresholdTestSig14);
1748 }
1749 #endif /* UNITTESTS */
1750 
1751 /**
1752  * @}
1753  */
TRACK_BOTH
#define TRACK_BOTH
Definition: detect-threshold.h:42
util-byte.h
host.h
SigTableElmt_::url
const char * url
Definition: detect.h:1204
ts
uint64_t ts
Definition: source-erf-file.c:54
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
host-storage.h
IPPairInitConfig
void IPPairInitConfig(bool quiet)
initialize the configuration
Definition: ippair.c:168
SigTableElmt_::desc
const char * desc
Definition: detect.h:1203
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1191
util-hashlist.h
SigTableElmt_::name
const char * name
Definition: detect.h:1201
stream-tcp.h
MAX_SUBSTRINGS
#define MAX_SUBSTRINGS
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectAddress_
address structure for use in the detection engine.
Definition: detect.h:139
DetectAddressHeadCleanup
void DetectAddressHeadCleanup(DetectAddressHead *gh)
Cleans a DetectAddressHead. The functions frees the address group heads(ipv4 and ipv6) inside the Det...
Definition: detect-engine-address.c:1523
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::action
uint8_t action
Definition: decode.h:555
SigInit
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
Definition: detect-parse.c:2076
DETECT_SM_LIST_THRESHOLD
@ DETECT_SM_LIST_THRESHOLD
Definition: detect.h:104
HostRelease
void HostRelease(Host *h)
Definition: host.c:477
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1195
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:758
TYPE_LIMIT
#define TYPE_LIMIT
Definition: detect-threshold.h:31
SC_ERR_INVALID_SIGNATURE
@ SC_ERR_INVALID_SIGNATURE
Definition: util-error.h:69
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2067
TRACK_DST
#define TRACK_DST
Definition: detect-detection-filter.c:43
HostGetStorageById
void * HostGetStorageById(Host *h, HostStorageId id)
Get a value from a given Host storage.
Definition: host-storage.c:88
DE_QUIET
#define DE_QUIET
Definition: detect.h:294
DetectThresholdEntry_
Definition: detect-threshold.h:68
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1653
SC_ERR_PCRE_GET_SUBSTRING
@ SC_ERR_PCRE_GET_SUBSTRING
Definition: util-error.h:34
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:41
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:242
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1186
ThresholdHostHasThreshold
int ThresholdHostHasThreshold(Host *host)
Definition: detect-engine-threshold.c:94
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression to true.
Definition: util-unittest.h:82
UtilCpuGetTicks
uint64_t UtilCpuGetTicks(void)
Definition: util-cpu.c:190
DetectAddress_::prev
struct DetectAddress_ * prev
Definition: detect.h:148
Signature_::next
struct Signature_ * next
Definition: detect.h:590
TRACK_RULE
#define TRACK_RULE
Definition: detect-threshold.h:40
decode.h
util-debug.h
SC_ERR_PCRE_MATCH
@ SC_ERR_PCRE_MATCH
Definition: util-error.h:32
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1003
util-cpu.h
DETECT_THRESHOLD
@ DETECT_THRESHOLD
Definition: detect-engine-register.h:55
res
PoolThreadReserved res
Definition: stream-tcp-private.h:0
DetectSetupParseRegexes
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Definition: detect-parse.c:2513
PARSE_REGEX
#define PARSE_REGEX
Definition: detect-threshold.c:62
detect-engine-mpm.h
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
de
int de
Definition: app-layer-htp.c:574
util-time.h
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:323
TYPE_BOTH
#define TYPE_BOTH
Definition: detect-threshold.h:32
DetectAddressCopy
DetectAddress * DetectAddressCopy(DetectAddress *orig)
copy a DetectAddress
Definition: detect-engine-address.c:128
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:2001
Signature_::flags
uint32_t flags
Definition: detect.h:518
TimeSetIncrementTime
void TimeSetIncrementTime(uint32_t tv_sec)
increment the time in the engine
Definition: util-time.c:182
ThresholdHostStorageId
HostStorageId ThresholdHostStorageId(void)
Definition: detect-engine-threshold.c:75
DetectParsePcreExec
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options, int *ovector, int ovector_size)
Definition: detect-parse.c:2443
Packet_
Definition: decode.h:414
SIG_FLAG_IPONLY
#define SIG_FLAG_IPONLY
Definition: detect.h:219
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1169
SigMatchAlloc
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:235
decode-events.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1934
SigMatch_::type
uint8_t type
Definition: detect.h:321
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:315
IPPAIR_QUIET
#define IPPAIR_QUIET
Definition: ippair.h:90
DetectAddressHead_::ipv6_head
DetectAddress * ipv6_head
Definition: detect.h:156
StringParseUint32
int StringParseUint32(uint32_t *res, int base, uint16_t len, const char *str)
Definition: util-byte.c:313
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2771
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
Packet_::ts
struct timeval ts
Definition: decode.h:457
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:2979
DetectThresholdData_
Definition: detect-threshold.h:57
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:73
DetectParseRegex_
Definition: detect-parse.h:42
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
HOST_QUIET
#define HOST_QUIET
Definition: host.h:93
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:257
HostShutdown
void HostShutdown(void)
shutdown the flow engine
Definition: host.c:305
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:764
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
TYPE_THRESHOLD
#define TYPE_THRESHOLD
Definition: detect-threshold.h:33
DETECT_DETECTION_FILTER
@ DETECT_DETECTION_FILTER
Definition: detect-engine-register.h:98
SCFree
#define SCFree(p)
Definition: util-mem.h:61
detect-parse.h
Signature_
Signature container.
Definition: detect.h:517
SigMatch_
a single match condition for a signature
Definition: detect.h:320
detect-threshold.h
DetectAddress_::next
struct DetectAddress_ * next
Definition: detect.h:150
DetectThresholdRegister
void DetectThresholdRegister(void)
Registration function for threshold: keyword.
Definition: detect-threshold.c:78
TimeGet
void TimeGet(struct timeval *tv)
Definition: util-time.c:153
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2022
HostLookupHostFromHash
Host * HostLookupHostFromHash(Address *a)
look up a host in the hash
Definition: host.c:601
suricata.h
Packet_::dst
Address dst
Definition: decode.h:419
TRACK_SRC
#define TRACK_SRC
Definition: detect-detection-filter.c:44
HostInitConfig
void HostInitConfig(bool quiet)
initialize the configuration
Definition: host.c:173
DetectGetLastSMFromLists
SigMatch * DetectGetLastSMFromLists(const Signature *s,...)
Returns the sm with the largest index (added latest) from the lists passed to us.
Definition: detect-parse.c:468
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:759
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
Host_
Definition: host.h:58
SCReturnInt
#define SCReturnInt(x)
Definition: util-debug.h:304
DetectThresholdDataCopy
DetectThresholdData * DetectThresholdDataCopy(DetectThresholdData *de)
Make a deep-copy of an extant DetectTHresholdData object.
Definition: detect-threshold.c:291
flow-var.h
SIGMATCH_IPONLY_COMPAT
#define SIGMATCH_IPONLY_COMPAT
Definition: detect.h:1375
DetectAddressHead_::ipv4_head
DetectAddress * ipv4_head
Definition: detect.h:155
SigMatchAppendSMToList
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:349
detect-engine-address.h
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1193
detect-engine-threshold.h
DetectThresholdData_::addrs
DetectAddressHead addrs
Definition: detect-threshold.h:65
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:468