suricata
Thresholding

Files

file  detect-engine-threshold.c
 
file  detect-threshold.c
 
file  util-threshold-config.c
 

Functions

int ThresholdHostStorageId (void)

void ThresholdInit (void)

int ThresholdHostHasThreshold (Host *host)

int ThresholdIPPairHasThreshold (IPPair *pair)

const DetectThresholdData * SigGetThresholdTypeIter (const Signature *sig, Packet *p, const SigMatchData **psm, int list)
 Return next DetectThresholdData for signature.

int ThresholdHostTimeoutCheck (Host *host, struct timeval *tv)

int ThresholdIPPairTimeoutCheck (IPPair *pair, struct timeval *tv)

int PacketAlertThreshold (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
 Apply the threshold logic for a signature match.

void ThresholdHashInit (DetectEngineCtx *de_ctx)
 Init threshold context hash tables.

void ThresholdContextDestroy (DetectEngineCtx *de_ctx)
 Destroy threshold context hash tables.

void ThresholdListFree (void *ptr)
 Free all entries of a DetectThresholdEntry list.
 

Detailed Description

This feature is used to reduce the number of logged alerts for noisy rules. Tuned well, it significantly reduces false alarms, and it also makes rate-based rules possible (for example, alerting only once a source has triggered a rule a given number of times within a time window). Thresholding commands limit the number of times a particular event is logged during a specified time interval; the state is tracked per host or per IP pair and stored alongside the host/IP-pair entries, which is why the timeout and "has threshold" helpers below exist.
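The semantics summarized above, as an added example in C that is not Suricata's own code: it models the limit, threshold, both and suppress types from threshold.config with per-(gid, sid, tracked address) state in a fixed-size table, and returns the same 0/1/2 values that this page documents for PacketAlertThreshold. The thr_* names, the table, the sample rules and the sample traffic are all constructed for the example; suppress entries with an address list are not modeled, and a full table fails toward alerting rather than silence.

```c
/* Added example, not Suricata's code: a minimal model of the limit /
 * threshold / both / suppress semantics, tracked per (gid, sid, address).
 * All thr_* names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum thr_type  { THR_LIMIT, THR_THRESHOLD, THR_BOTH, THR_SUPPRESS };
enum thr_track { THR_BY_SRC, THR_BY_DST };

struct thr_rule {
    uint32_t gid, sid;
    enum thr_type  type;
    enum thr_track track;
    uint32_t count;     /* events per window */
    uint32_t seconds;   /* window length */
};

/* Per (gid, sid, tracked address) state: the analogue of the per-host
 * DetectThresholdEntry list the real engine keeps in host storage. */
struct thr_entry {
    int      used;
    uint32_t gid, sid, ip;
    uint32_t current_count;
    uint32_t window_start;  /* timestamp (seconds) of the window's first event */
};

#define THR_MAX_ENTRIES 64
static struct thr_entry thr_table[THR_MAX_ENTRIES];

static struct thr_entry *thr_lookup(uint32_t gid, uint32_t sid, uint32_t ip, uint32_t now)
{
    struct thr_entry *free_slot = NULL;
    for (int i = 0; i < THR_MAX_ENTRIES; i++) {
        struct thr_entry *e = &thr_table[i];
        if (e->used && e->gid == gid && e->sid == sid && e->ip == ip)
            return e;
        if (!e->used && free_slot == NULL)
            free_slot = e;
    }
    if (free_slot == NULL)
        return NULL;                       /* table full */
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->used = 1;
    free_slot->gid = gid; free_slot->sid = sid; free_slot->ip = ip;
    free_slot->window_start = now;
    return free_slot;
}

/* Same return convention as PacketAlertThreshold on this page:
 *   2 silent match (suppressed: no alert, rule action still applies)
 *   1 alert on this event
 *   0 do not alert on this event */
int thr_check(const struct thr_rule *r, uint32_t src_ip, uint32_t dst_ip, uint32_t now)
{
    if (r->type == THR_SUPPRESS)
        return 2;

    uint32_t ip = (r->track == THR_BY_SRC) ? src_ip : dst_ip;
    struct thr_entry *e = thr_lookup(r->gid, r->sid, ip, now);
    if (e == NULL)
        return 1;   /* no room to track state: fail toward alerting, not silence */

    /* Window expired: start a new one with this event as its first. */
    if (now >= e->window_start + r->seconds) {
        e->window_start = now;
        e->current_count = 0;
    }
    e->current_count++;

    switch (r->type) {
    case THR_LIMIT:      /* alert on the first `count` events per window, then ignore */
        return e->current_count <= r->count ? 1 : 0;
    case THR_THRESHOLD:  /* alert every `count`-th event within the window */
        if (e->current_count >= r->count) {
            e->current_count = 0;
            return 1;
        }
        return 0;
    case THR_BOTH:       /* alert once when `count` is reached, then ignore for the window */
        return e->current_count == r->count ? 1 : 0;
    default:
        return 0;
    }
}

/* Constructed sample rules, equivalent to these threshold.config lines:
 *   threshold gen_id 1, sig_id 1000001, type limit,     track by_src, count 2, seconds 60
 *   threshold gen_id 1, sig_id 1000002, type threshold, track by_src, count 3, seconds 60
 *   threshold gen_id 1, sig_id 1000003, type both,      track by_dst, count 3, seconds 60
 *   suppress  gen_id 1, sig_id 1000004 */
const struct thr_rule thr_rule_limit     = { 1, 1000001, THR_LIMIT,     THR_BY_SRC, 2, 60 };
const struct thr_rule thr_rule_threshold = { 1, 1000002, THR_THRESHOLD, THR_BY_SRC, 3, 60 };
const struct thr_rule thr_rule_both      = { 1, 1000003, THR_BOTH,      THR_BY_DST, 3, 60 };
const struct thr_rule thr_rule_suppress  = { 1, 1000004, THR_SUPPRESS,  THR_BY_SRC, 0, 0 };

int main(void)
{
    /* Constructed traffic: six events a second apart, then one after the window. */
    const uint32_t a = 0x0a000001, b = 0x0a000002, d = 0xc0a80001;
    for (uint32_t t = 0; t < 6; t++)
        printf("t=%u limit=%d threshold=%d both=%d suppress=%d\n", (unsigned)t,
               thr_check(&thr_rule_limit, a, d, t),
               thr_check(&thr_rule_threshold, a, d, t),
               thr_check(&thr_rule_both, (t % 2) ? b : a, d, t),   /* two sources, one dst */
               thr_check(&thr_rule_suppress, a, d, t));
    printf("t=70 limit=%d (new window)\n", thr_check(&thr_rule_limit, a, d, 70));
    return 0;
}
```

The by_dst rule shows why the tracking key matters operationally: two sources hammering one destination share a single counter, so a "both" rule fires once for the pair of them, whereas by_src would keep separate counters and could stay silent if neither source alone reaches the count.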

Function Documentation

int PacketAlertThreshold ( DetectEngineCtx *de_ctx,
DetectEngineThreadCtx *det_ctx,
const DetectThresholdData *td,
Packet *p,
const Signature *s,
PacketAlert *pa
)

Apply the threshold logic for a signature match.

Parameters
de_ctx	Detection Context
det_ctx	Detection engine thread context
td	Threshold element
p	Packet structure
s	Signature structure
pa	Packet alert being evaluated
Return values
2	silent match (no alert but apply actions)
1	alert on this event
0	do not alert on this event

Definition at line 662 of file detect-engine-threshold.c.

References Packet_::dst, dst, Signature_::gid, HostGetHostFromHash(), HostRelease(), Signature_::id, IPPairGetIPPairFromHash(), IPPairRelease(), SCEnter, SCMutexLock, SCMutexUnlock, SCReturnInt, Packet_::src, src, ThresholdCtx_::threshold_table_lock, DetectEngineCtx_::ths_ctx, DetectThresholdData_::track, TRACK_BOTH, TRACK_DST, TRACK_RULE, TRACK_SRC, DetectThresholdData_::type, and TYPE_SUPPRESS.

Referenced by PacketAlertGetTag().

const DetectThresholdData * SigGetThresholdTypeIter ( const Signature *sig,
Packet *p,
const SigMatchData **psm,
int list
)

Return next DetectThresholdData for signature.

Parameters
sig	Signature pointer
p	Packet structure
psm	Pointer to a Signature Match pointer (iterator position, advanced on each call)
list	Signature match list to walk
Return values
tsh	The threshold data from the signature, or NULL if not found

Definition at line 115 of file detect-engine-threshold.c.

References SigMatchData_::ctx, DETECT_DETECTION_FILTER, DETECT_THRESHOLD, head, SigMatchData_::is_last, DetectThresholdEntry_::next, SCFree, DetectThresholdEntry_::seconds, Signature_::sm_arrays, DetectThresholdEntry_::tv_sec1, and SigMatchData_::type.

Referenced by PacketAlertGetTag().

void ThresholdContextDestroy ( DetectEngineCtx *de_ctx)

Destroy threshold context hash tables.

Parameters
de_ctx	Detection Context

Definition at line 722 of file detect-engine-threshold.c.

References SCFree, SCMutexDestroy, ThresholdCtx_::th_entry, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

Referenced by DetectEngineCtxFree().

void ThresholdHashInit ( DetectEngineCtx *de_ctx)

Init threshold context hash tables.

Parameters
de_ctx	Detection Context

Definition at line 707 of file detect-engine-threshold.c.

References SC_ERR_MEM_ALLOC, SCLogError, SCMutexInit, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

Referenced by DetectEngineInspectBufferGeneric().

int ThresholdHostHasThreshold ( Host *host)

Definition at line 94 of file detect-engine-threshold.c.

References HostGetStorageById().

Referenced by DetectThresholdRegister(), and HostGetActiveCount().

int ThresholdHostStorageId ( void )

Definition at line 75 of file detect-engine-threshold.c.

Referenced by DetectThresholdRegister().

int ThresholdHostTimeoutCheck ( Host *host,
struct timeval *tv
)

Definition at line 199 of file detect-engine-threshold.c.

References HostGetStorageById(), and HostSetStorageById().

Referenced by HostGetActiveCount().

void ThresholdInit ( void )

Definition at line 80 of file detect-engine-threshold.c.

References HostStorageRegister(), IPPairStorageRegister(), SC_ERR_HOST_INIT, SCLogError, and ThresholdListFree().

Referenced by PostRunDeinit().

int ThresholdIPPairHasThreshold ( IPPair *pair)

Definition at line 99 of file detect-engine-threshold.c.

References IPPairGetStorageById().

Referenced by IPPairGetActiveCount().

void ThresholdListFree ( void *ptr)

Free all entries of a DetectThresholdEntry list (the per-host / per-IP-pair threshold storage); registered as the storage free callback by ThresholdInit().

Parameters
ptr	pointer to the head of a DetectThresholdEntry list

Definition at line 735 of file detect-engine-threshold.c.

References DetectThresholdEntry_::next, and SCFree.

Referenced by ThresholdInit().
