This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval. More...
Files | |
| file | detect-engine-threshold.c |
| file | detect-threshold.c |
| file | util-threshold-config.c |
Data Structures | |
| struct | Thresholds |
| struct | ThresholdEntry_ |
| struct | ThresholdCacheItem |
| struct | ThresholdCacheThreadCtx |
| struct | FlowThresholdEntryList_ |
| struct | FlowVarThreshold_ |
Macros | |
| #define | DF_PORT_BITMAP_SIZE (65536u / 8u) |
| #define | DF_PORT_BYTE_IDX(p) ((uint32_t)((p) >> 3)) |
| #define | DF_PORT_BIT_MASK(p) ((uint8_t)(1u << ((p)&7u))) |
| #define | SID 0 |
| #define | GID 1 |
| #define | REV 2 |
| #define | TRACK 3 |
| #define | TENANT 4 |
| #define | TC_ADDRESS 0 |
| #define | TC_SID 1 |
| #define | TC_GID 2 |
| #define | TC_REV 3 |
| #define | TC_TENANT 4 |
Typedefs | |
| typedef struct ThresholdEntry_ | ThresholdEntry |
| typedef struct ThresholdCacheItem | ThresholdCacheItem |
| typedef struct FlowThresholdEntryList_ | FlowThresholdEntryList |
| typedef struct FlowVarThreshold_ | FlowVarThreshold |
Functions | |
| void | ThresholdForceAllocFail (int v) |
| uint64_t | ThresholdGetBitmapMemuse (void) |
| uint64_t | ThresholdGetBitmapAllocFail (void) |
| void | ThresholdInit (void) |
| void | ThresholdRegisterGlobalCounters (void) |
| void | ThresholdDestroy (void) |
| uint32_t | ThresholdsExpire (const SCTime_t ts) |
| RB_HEAD (THRESHOLD_CACHE, ThresholdCacheItem) | |
| RB_PROTOTYPE (THRESHOLD_CACHE, ThresholdCacheItem, rb, ThresholdCacheTreeCompareFunc) | |
| RB_GENERATE (THRESHOLD_CACHE, ThresholdCacheItem, rb, ThresholdCacheTreeCompareFunc) | |
| int | ThresholdCacheThreadInit (DetectEngineThreadCtx *det_ctx) |
| const DetectThresholdData * | SigGetThresholdTypeIter (const Signature *sig, const SigMatchData **psm, int list) |
| Return next DetectThresholdData for signature. More... | |
| void | FlowThresholdVarFree (void *ptr) |
| int | PacketAlertThreshold (const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa) |
| Make the threshold logic for signatures. More... | |
Variables | |
| struct Thresholds | ctx |
Detailed Description
This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.
Macro Definition Documentation
◆ DF_PORT_BIT_MASK
Definition at line 96 of file detect-engine-threshold.c.
◆ DF_PORT_BITMAP_SIZE
| #define DF_PORT_BITMAP_SIZE (65536u / 8u) |
Definition at line 94 of file detect-engine-threshold.c.
◆ DF_PORT_BYTE_IDX
Definition at line 95 of file detect-engine-threshold.c.
◆ GID
| #define GID 1 |
Definition at line 152 of file detect-engine-threshold.c.
◆ REV
| #define REV 2 |
Definition at line 153 of file detect-engine-threshold.c.
◆ SID
| #define SID 0 |
Definition at line 151 of file detect-engine-threshold.c.
◆ TC_ADDRESS
| #define TC_ADDRESS 0 |
Definition at line 386 of file detect-engine-threshold.c.
◆ TC_GID
| #define TC_GID 2 |
Definition at line 388 of file detect-engine-threshold.c.
◆ TC_REV
| #define TC_REV 3 |
Definition at line 389 of file detect-engine-threshold.c.
◆ TC_SID
| #define TC_SID 1 |
Definition at line 387 of file detect-engine-threshold.c.
◆ TC_TENANT
| #define TC_TENANT 4 |
Definition at line 390 of file detect-engine-threshold.c.
◆ TENANT
| #define TENANT 4 |
Definition at line 155 of file detect-engine-threshold.c.
◆ TRACK
| #define TRACK 3 |
Definition at line 154 of file detect-engine-threshold.c.
Typedef Documentation
◆ FlowThresholdEntryList
| typedef struct FlowThresholdEntryList_ FlowThresholdEntryList |
◆ FlowVarThreshold
| typedef struct FlowVarThreshold_ FlowVarThreshold |
struct for storing per flow thresholds. This will be stored in the Flow::flowvar list, so it needs to follow the GenericVar header format.
◆ ThresholdCacheItem
| typedef struct ThresholdCacheItem ThresholdCacheItem |
◆ ThresholdEntry
| typedef struct ThresholdEntry_ ThresholdEntry |
Function Documentation
◆ FlowThresholdVarFree()
| void FlowThresholdVarFree | ( | void * | ptr | ) |
Definition at line 737 of file detect-engine-threshold.c.
Referenced by SCGenericVarFree().
◆ PacketAlertThreshold()
| int PacketAlertThreshold | ( | const DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const DetectThresholdData * | td, | ||
| Packet * | p, | ||
| const Signature * | s, | ||
| PacketAlert * | pa | ||
| ) |
Make the threshold logic for signatures.
- Parameters
-
de_ctx Detection Context tsh_ptr Threshold element p Packet structure s Signature structure
- Return values
-
2 silent match (no alert but apply actions) 1 alert on this event 0 do not alert on this event
Definition at line 1197 of file detect-engine-threshold.c.
References SCEnter, SCReturnInt, DetectThresholdData_::type, and TYPE_SUPPRESS.
◆ RB_GENERATE()
| RB_GENERATE | ( | THRESHOLD_CACHE | , |
| ThresholdCacheItem | , | ||
| rb | , | ||
| ThresholdCacheTreeCompareFunc | |||
| ) |
◆ RB_HEAD()
| RB_HEAD | ( | THRESHOLD_CACHE | , |
| ThresholdCacheItem | |||
| ) |
◆ RB_PROTOTYPE()
| RB_PROTOTYPE | ( | THRESHOLD_CACHE | , |
| ThresholdCacheItem | , | ||
| rb | , | ||
| ThresholdCacheTreeCompareFunc | |||
| ) |
◆ SigGetThresholdTypeIter()
| const DetectThresholdData* SigGetThresholdTypeIter | ( | const Signature * | sig, |
| const SigMatchData ** | psm, | ||
| int | list | ||
| ) |
Return next DetectThresholdData for signature.
- Parameters
-
sig Signature pointer psm Pointer to a Signature Match pointer list List to return data from
- Return values
-
tsh Return the threshold data from signature or NULL if not found
Definition at line 677 of file detect-engine-threshold.c.
◆ ThresholdCacheThreadInit()
| int ThresholdCacheThreadInit | ( | DetectEngineThreadCtx * | det_ctx | ) |
Definition at line 642 of file detect-engine-threshold.c.
◆ ThresholdDestroy()
| void ThresholdDestroy | ( | void | ) |
Definition at line 145 of file detect-engine-threshold.c.
Referenced by GlobalsDestroy().
◆ ThresholdForceAllocFail()
| void ThresholdForceAllocFail | ( | int | v | ) |
Definition at line 76 of file detect-engine-threshold.c.
◆ ThresholdGetBitmapAllocFail()
| uint64_t ThresholdGetBitmapAllocFail | ( | void | ) |
Definition at line 86 of file detect-engine-threshold.c.
References SC_ATOMIC_GET.
◆ ThresholdGetBitmapMemuse()
| uint64_t ThresholdGetBitmapMemuse | ( | void | ) |
Definition at line 81 of file detect-engine-threshold.c.
References SC_ATOMIC_GET.
◆ ThresholdInit()
| void ThresholdInit | ( | void | ) |
Definition at line 128 of file detect-engine-threshold.c.
References SC_ATOMIC_INIT.
◆ ThresholdRegisterGlobalCounters()
| void ThresholdRegisterGlobalCounters | ( | void | ) |
Definition at line 136 of file detect-engine-threshold.c.
References StatsRegisterGlobalCounter().
Referenced by PreRunInit().
◆ ThresholdsExpire()
| uint32_t ThresholdsExpire | ( | const SCTime_t | ts | ) |
Definition at line 380 of file detect-engine-threshold.c.
References ctx, Thresholds::thash, THashExpire(), and ts.
Variable Documentation
◆ ctx
| struct Thresholds ctx |
Referenced by AppLayerParserRegisterUnittests(), AppLayerParserStateProtoCleanup(), CreateEveThreadCtx(), DetectBsizeMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectEngineContentInspection(), DetectEngineContentInspectionBuffer(), DetectEntropyDoMatch(), DetectFlowbitMatch(), DetectFlowintMatch(), DetectFlowMatch(), DetectFlowvarMatch(), EngineAnalysisRules2(), FirewallAnalyzer(), FreeEveThreadCtx(), LogFileRegisterForFlush(), LogFileUnregisterForFlush(), OutputJsonBuilderBuffer(), SCACDestroyCtx(), SCACPreparePatterns(), SCACPrintInfo(), SCACSearch(), SCACTilePreparePatterns(), SCACTilePrintInfo(), SCACTileSearchLarge(), SCDetectHelperKeywordRegister(), SCLuaSbGetContext(), SCProfilingKeywordThreadSetup(), SCProfilingPrefilterThreadSetup(), SCProfilingSghThreadSetup(), SpmDestroyCtx(), SpmScan(), THashCleanup(), THashConsolidateMemcap(), THashExpire(), THashInit(), THashWalk(), ThresholdsExpire(), TmqhOutputFlowFreeCtx(), TmqhOutputFlowHash(), TmqhOutputFlowIPPair(), and TmqhOutputFlowSetupCtx().
