suricata
Files | Data Structures | Macros | Typedefs | Functions | Variables
Thresholding

This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval. More...

Files

file  detect-engine-threshold.c
 
file  detect-threshold.c
 
file  util-threshold-config.c
 

Data Structures

struct  Thresholds
 
struct  ThresholdEntry_
 
struct  ThresholdCacheItem
 
struct  FlowThresholdEntryList_
 
struct  FlowVarThreshold_
 

Macros

#define SID   0
 
#define GID   1
 
#define REV   2
 
#define TRACK   3
 
#define TENANT   4
 
#define TC_ADDRESS   0
 
#define TC_SID   1
 
#define TC_GID   2
 
#define TC_REV   3
 
#define TC_TENANT   4
 

Typedefs

typedef struct ThresholdEntry_ ThresholdEntry
 
typedef struct ThresholdCacheItem ThresholdCacheItem
 
typedef struct FlowThresholdEntryList_ FlowThresholdEntryList
 
typedef struct FlowVarThreshold_ FlowVarThreshold
 

Functions

void ThresholdInit (void)
 
void ThresholdDestroy (void)
 
uint32_t ThresholdsExpire (const SCTime_t ts)
 
 RB_HEAD (THRESHOLD_CACHE, ThresholdCacheItem)
 
 RB_PROTOTYPE (THRESHOLD_CACHE, ThresholdCacheItem, rb, ThresholdCacheTreeCompareFunc)
 
 RB_GENERATE (THRESHOLD_CACHE, ThresholdCacheItem, rb, ThresholdCacheTreeCompareFunc)
 
void ThresholdCacheThreadFree (void)
 
const DetectThresholdDataSigGetThresholdTypeIter (const Signature *sig, const SigMatchData **psm, int list)
 Return next DetectThresholdData for signature. More...
 
void FlowThresholdVarFree (void *ptr)
 
int PacketAlertThreshold (const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
 Make the threshold logic for signatures. More...
 

Variables

struct Thresholds ctx
 
thread_local uint64_t cache_lookup_cnt = 0
 
thread_local uint64_t cache_lookup_notinit = 0
 
thread_local uint64_t cache_lookup_nosupport = 0
 
thread_local uint64_t cache_lookup_miss_expired = 0
 
thread_local uint64_t cache_lookup_miss = 0
 
thread_local uint64_t cache_lookup_hit = 0
 
thread_local uint64_t cache_housekeeping_check = 0
 
thread_local uint64_t cache_housekeeping_expired = 0
 
thread_local struct THRESHOLD_CACHE threshold_cache_tree
 
thread_local uint64_t threshold_cache_housekeeping_ts = 0
 

Detailed Description

This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.

Macro Definition Documentation

◆ GID

#define GID   1

Definition at line 78 of file detect-engine-threshold.c.

◆ REV

#define REV   2

Definition at line 79 of file detect-engine-threshold.c.

◆ SID

#define SID   0

Definition at line 77 of file detect-engine-threshold.c.

◆ TC_ADDRESS

#define TC_ADDRESS   0

Definition at line 239 of file detect-engine-threshold.c.

◆ TC_GID

#define TC_GID   2

Definition at line 241 of file detect-engine-threshold.c.

◆ TC_REV

#define TC_REV   3

Definition at line 242 of file detect-engine-threshold.c.

◆ TC_SID

#define TC_SID   1

Definition at line 240 of file detect-engine-threshold.c.

◆ TC_TENANT

#define TC_TENANT   4

Definition at line 243 of file detect-engine-threshold.c.

◆ TENANT

#define TENANT   4

Definition at line 81 of file detect-engine-threshold.c.

◆ TRACK

#define TRACK   3

Definition at line 80 of file detect-engine-threshold.c.

Typedef Documentation

◆ FlowThresholdEntryList

typedef struct FlowThresholdEntryList_ FlowThresholdEntryList

◆ FlowVarThreshold

typedef struct FlowVarThreshold_ FlowVarThreshold

struct for storing per flow thresholds. This will be stored in the Flow::flowvar list, so it needs to follow the GenericVar header format.

◆ ThresholdCacheItem

typedef struct ThresholdCacheItem ThresholdCacheItem

◆ ThresholdEntry

typedef struct ThresholdEntry_ ThresholdEntry

Function Documentation

◆ FlowThresholdVarFree()

void FlowThresholdVarFree ( void *  ptr)

Definition at line 533 of file detect-engine-threshold.c.

Referenced by SCGenericVarFree().

Here is the caller graph for this function:

◆ PacketAlertThreshold()

int PacketAlertThreshold ( const DetectEngineCtx de_ctx,
DetectEngineThreadCtx det_ctx,
const DetectThresholdData td,
Packet p,
const Signature s,
PacketAlert pa 
)

Make the threshold logic for signatures.

Parameters
de_ctxDetection Context
tsh_ptrThreshold element
pPacket structure
sSignature structure
Return values
2silent match (no alert but apply actions)
1alert on this event
0do not alert on this event

Definition at line 961 of file detect-engine-threshold.c.

References SCEnter, SCReturnInt, DetectThresholdData_::type, and TYPE_SUPPRESS.

◆ RB_GENERATE()

RB_GENERATE ( THRESHOLD_CACHE  ,
ThresholdCacheItem  ,
rb  ,
ThresholdCacheTreeCompareFunc   
)

◆ RB_HEAD()

RB_HEAD ( THRESHOLD_CACHE  ,
ThresholdCacheItem   
)

◆ RB_PROTOTYPE()

RB_PROTOTYPE ( THRESHOLD_CACHE  ,
ThresholdCacheItem  ,
rb  ,
ThresholdCacheTreeCompareFunc   
)

◆ SigGetThresholdTypeIter()

const DetectThresholdData* SigGetThresholdTypeIter ( const Signature sig,
const SigMatchData **  psm,
int  list 
)

Return next DetectThresholdData for signature.

Parameters
sigSignature pointer
psmPointer to a Signature Match pointer
listList to return data from
Return values
tshReturn the threshold data from signature or NULL if not found

Definition at line 473 of file detect-engine-threshold.c.

◆ ThresholdCacheThreadFree()

void ThresholdCacheThreadFree ( void  )

Definition at line 454 of file detect-engine-threshold.c.

◆ ThresholdDestroy()

void ThresholdDestroy ( void  )

Definition at line 71 of file detect-engine-threshold.c.

Referenced by GlobalsDestroy().

Here is the caller graph for this function:

◆ ThresholdInit()

void ThresholdInit ( void  )

Definition at line 66 of file detect-engine-threshold.c.

◆ ThresholdsExpire()

uint32_t ThresholdsExpire ( const SCTime_t  ts)

Definition at line 233 of file detect-engine-threshold.c.

References ctx, Thresholds::thash, THashExpire(), and ts.

Here is the call graph for this function:

Variable Documentation

◆ cache_housekeeping_check

thread_local uint64_t cache_housekeeping_check = 0

Definition at line 261 of file detect-engine-threshold.c.

◆ cache_housekeeping_expired

thread_local uint64_t cache_housekeeping_expired = 0

Definition at line 262 of file detect-engine-threshold.c.

◆ cache_lookup_cnt

thread_local uint64_t cache_lookup_cnt = 0

Definition at line 255 of file detect-engine-threshold.c.

◆ cache_lookup_hit

thread_local uint64_t cache_lookup_hit = 0

Definition at line 260 of file detect-engine-threshold.c.

◆ cache_lookup_miss

thread_local uint64_t cache_lookup_miss = 0

Definition at line 259 of file detect-engine-threshold.c.

◆ cache_lookup_miss_expired

thread_local uint64_t cache_lookup_miss_expired = 0

Definition at line 258 of file detect-engine-threshold.c.

◆ cache_lookup_nosupport

thread_local uint64_t cache_lookup_nosupport = 0

Definition at line 257 of file detect-engine-threshold.c.

◆ cache_lookup_notinit

thread_local uint64_t cache_lookup_notinit = 0

Definition at line 256 of file detect-engine-threshold.c.

◆ ctx

struct Thresholds ctx

Referenced by AppLayerParserRegisterUnittests(), AppLayerParserStateProtoCleanup(), CreateEveThreadCtx(), DetectBsizeMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectEngineContentInspection(), DetectEngineContentInspectionBuffer(), DetectEntropyDoMatch(), DetectFlowbitMatch(), DetectFlowintMatch(), DetectFlowMatch(), DetectFlowvarMatch(), EngineAnalysisRules2(), FirewallAnalyzer(), FreeEveThreadCtx(), OutputJsonBuilderBuffer(), OutputJsonFlush(), SCACDestroyCtx(), SCACPreparePatterns(), SCACPrintInfo(), SCACSearch(), SCACTilePreparePatterns(), SCACTilePrintInfo(), SCACTileSearchLarge(), SCDetectHelperKeywordRegister(), SCLuaSbGetContext(), SCProfilingKeywordThreadSetup(), SCProfilingPrefilterThreadSetup(), SCProfilingSghThreadSetup(), SpmDestroyCtx(), SpmScan(), THashCleanup(), THashConsolidateMemcap(), THashExpire(), THashInit(), THashWalk(), ThresholdsExpire(), TmqhOutputFlowFreeCtx(), TmqhOutputFlowHash(), TmqhOutputFlowIPPair(), and TmqhOutputFlowSetupCtx().

◆ threshold_cache_housekeeping_ts

thread_local uint64_t threshold_cache_housekeeping_ts = 0

Definition at line 289 of file detect-engine-threshold.c.

◆ threshold_cache_tree

thread_local struct THRESHOLD_CACHE threshold_cache_tree

Definition at line 288 of file detect-engine-threshold.c.