suricata
Thresholding

Files

file  detect-engine-threshold.c
 
file  detect-threshold.c
 
file  util-threshold-config.c
 

Functions

int ThresholdHostStorageId (void)

void ThresholdInit (void)

int ThresholdHostHasThreshold (Host *host)

const DetectThresholdData * SigGetThresholdTypeIter (const Signature *sig, Packet *p, const SigMatchData **psm, int list)
 Return the next DetectThresholdData for a signature.

int ThresholdTimeoutCheck (Host *host, struct timeval *tv)
 Remove timed-out threshold hash elements.

int PacketAlertThreshold (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
 Apply the threshold logic for signatures.

void ThresholdHashInit (DetectEngineCtx *de_ctx)
 Init threshold context hash tables.

void ThresholdContextDestroy (DetectEngineCtx *de_ctx)
 Destroy threshold context hash tables.

void ThresholdListFree (void *ptr)
 Free all the entries of a DetectTagDataEntry list.
 

Detailed Description

This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.
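To make the mechanism concrete, here is a small, self-contained model of how a per-host threshold decides whether an event is logged. This is an added illustration written for this page, not Suricata's code: the names (ThRule, ThEntry, th_check, count_alerts), the flat state table and the exact window rules are assumptions; Suricata's own implementation lives in detect-engine-threshold.c and keeps its state in host storage. The three threshold types modelled (limit, threshold, both) are the ones the `threshold` rule keyword accepts, and the return convention (1 = alert, 0 = stay silent) follows the PacketAlertThreshold documentation on this page.

```c
/*
 * Added illustration for this page: a minimal model of signature
 * thresholding.  It is NOT Suricata's implementation.  The names
 * (ThRule, ThEntry, th_check), the flat table and the window rules are
 * assumptions chosen to show how "limit", "threshold" and "both"
 * cut alert volume per tracked host within a time window; Suricata's
 * own logic lives in detect-engine-threshold.c and uses host storage.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum ThType { TH_LIMIT, TH_THRESHOLD, TH_BOTH };

/* One rule option, e.g. "threshold: type limit, track by_src, count 3, seconds 60" */
typedef struct {
    enum ThType type;
    uint32_t count;
    uint32_t seconds;
} ThRule;

/* Per (signature, tracked host) state: start of the current window and
 * how many matching events it has seen so far. */
typedef struct {
    uint32_t sid;
    uint32_t host;     /* constructed: IPv4 address as a plain integer */
    int      active;   /* 1 once a window has been opened */
    int64_t  tv_sec1;  /* window start, in seconds */
    uint32_t current;  /* events counted in the current window */
} ThEntry;

#define MAX_ENTRIES 64
static ThEntry table[MAX_ENTRIES];
static int table_len = 0;

static void th_reset(void) { table_len = 0; memset(table, 0, sizeof table); }

/* Find the entry for (sid, host), creating it if there is room. */
static ThEntry *th_lookup(uint32_t sid, uint32_t host) {
    for (int i = 0; i < table_len; i++)
        if (table[i].sid == sid && table[i].host == host) return &table[i];
    if (table_len == MAX_ENTRIES) return NULL;
    ThEntry *e = &table[table_len++];
    e->sid = sid; e->host = host; e->active = 0; e->current = 0;
    return e;
}

/* Decide whether one matching event should be logged.
 * Returns 1 = alert, 0 = do not alert (the convention documented on this page). */
static int th_check(const ThRule *r, uint32_t sid, uint32_t host, int64_t now) {
    ThEntry *e = th_lookup(sid, host);
    if (e == NULL) return 1;   /* state table full: fail open, never drop alerts silently */

    /* Open a new window when none is active or the old one has expired. */
    if (!e->active || now >= e->tv_sec1 + (int64_t)r->seconds) {
        e->active = 1;
        e->tv_sec1 = now;
        e->current = 0;
    }
    e->current++;

    switch (r->type) {
    case TH_LIMIT:      /* log at most `count` alerts per window */
        return e->current <= r->count;
    case TH_THRESHOLD:  /* log every `count`-th event inside the window */
        return (e->current % r->count) == 0;
    case TH_BOTH:       /* log exactly once per window, when `count` is reached */
        return e->current == r->count;
    }
    return 1;
}

/* Constructed scenario: n_events events from one host, one per second,
 * for a single signature.  Returns how many of them would be logged. */
static int count_alerts(enum ThType type, uint32_t count, uint32_t seconds, int n_events) {
    ThRule r = { type, count, seconds };
    th_reset();
    int alerts = 0;
    for (int i = 0; i < n_events; i++)
        alerts += th_check(&r, 2100001u, 0x0A000001u, 100 + i); /* constructed sid / 10.0.0.1 */
    return alerts;
}

/* Tracking is per host: a second host is not silenced by the first one's burst. */
static int second_host_still_alerts(void) {
    ThRule r = { TH_LIMIT, 1, 60 };
    th_reset();
    for (int i = 0; i < 5; i++) th_check(&r, 2100001u, 0x0A000001u, 100 + i);
    return th_check(&r, 2100001u, 0x0A000002u, 105);  /* constructed 10.0.0.2 */
}

int main(void) {
    printf("limit 3/60s,     10 events -> %d alerts\n", count_alerts(TH_LIMIT, 3, 60, 10));
    printf("limit 3/5s,      10 events -> %d alerts\n", count_alerts(TH_LIMIT, 3, 5, 10));
    printf("threshold 5/60s, 10 events -> %d alerts\n", count_alerts(TH_THRESHOLD, 5, 60, 10));
    printf("both 5/60s,      10 events -> %d alerts\n", count_alerts(TH_BOTH, 5, 60, 10));
    printf("second host alerts: %d\n", second_host_still_alerts());
    return 0;
}
```

The point to notice is the state that thresholding needs: one counter and one window start per (signature, tracked host), which is why the real module stores its entries in host storage (ThresholdHostStorageId, ThresholdHostHasThreshold) and has to expire them (ThresholdTimeoutCheck). The fail-open choice when the table is full is a design decision for this model, taken so that resource exhaustion degrades to noisier logging rather than to suppressed alerts.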

Function Documentation

◆ PacketAlertThreshold()

int PacketAlertThreshold ( DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
const DetectThresholdData *td,
Packet *p,
const Signature *s,
PacketAlert *pa
)

Apply the threshold logic for signatures.

Parameters
de_ctx: Detection Context
tsh_ptr: Threshold element
p: Packet structure
s: Signature structure
Return values
2: silent match (no alert, but apply actions)
1: alert on this event
0: do not alert on this event

Definition at line 582 of file detect-engine-threshold.c.

References SCEnter, SCReturnInt, DetectThresholdData_::type, and TYPE_SUPPRESS.

◆ SigGetThresholdTypeIter()

const DetectThresholdData* SigGetThresholdTypeIter ( const Signature *sig,
Packet *p,
const SigMatchData **psm,
int list
)

Return the next DetectThresholdData for a signature.

Parameters
sig: Signature pointer
p: Packet structure
sm: Pointer to a Signature Match pointer
Return values
tsh: The threshold data from the signature, or NULL if not found

Definition at line 101 of file detect-engine-threshold.c.

◆ ThresholdContextDestroy()

void ThresholdContextDestroy ( DetectEngineCtx *de_ctx )

Destroy threshold context hash tables.

Parameters
de_ctx: Detection Context

Definition at line 636 of file detect-engine-threshold.c.

References SCFree, SCMutexDestroy, ThresholdCtx_::th_entry, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

Referenced by DetectEngineCtxFree().


◆ ThresholdHashInit()

void ThresholdHashInit ( DetectEngineCtx *de_ctx )

Init threshold context hash tables.

Parameters
de_ctx: Detection Context

Definition at line 621 of file detect-engine-threshold.c.

References SC_ERR_MEM_ALLOC, SCLogError, SCMutexInit, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

◆ ThresholdHostHasThreshold()

int ThresholdHostHasThreshold ( Host *host )

Definition at line 85 of file detect-engine-threshold.c.

References HostGetStorageById().


◆ ThresholdHostStorageId()

int ThresholdHostStorageId ( void )

Definition at line 71 of file detect-engine-threshold.c.

◆ ThresholdInit()

void ThresholdInit ( void )

Definition at line 76 of file detect-engine-threshold.c.

◆ ThresholdListFree()

void ThresholdListFree ( void *ptr )

Free all the entries of a DetectTagDataEntry list.

Parameters
td: Pointer to DetectTagDataEntryList

Definition at line 649 of file detect-engine-threshold.c.

References DetectThresholdEntry_::next, and SCFree.

◆ ThresholdTimeoutCheck()

int ThresholdTimeoutCheck ( Host *host,
struct timeval *tv
)

Remove timed-out threshold hash elements.

Parameters
de_ctx: Detection Context

Definition at line 150 of file detect-engine-threshold.c.

References HostGetStorageById().
