Suricata: Thresholding

This feature is used to reduce the number of logged alerts for noisy rules. It can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.

Files

  detect-engine-threshold.c
  detect-threshold.c
  util-threshold-config.c

Functions

  HostStorageId ThresholdHostStorageId (void)
  void ThresholdInit (void)
  int ThresholdHostHasThreshold (Host *host)
  int ThresholdIPPairHasThreshold (IPPair *pair)
  const DetectThresholdData * SigGetThresholdTypeIter (const Signature *sig, const SigMatchData **psm, int list)
      Return the next DetectThresholdData for a signature.
  int ThresholdHostTimeoutCheck (Host *host, SCTime_t ts)
  int ThresholdIPPairTimeoutCheck (IPPair *pair, SCTime_t ts)
  int PacketAlertThreshold (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
      Apply the threshold logic for a signature.
  void ThresholdHashInit (DetectEngineCtx *de_ctx)
      Init threshold context hash tables.
  void ThresholdHashAllocate (DetectEngineCtx *de_ctx)
      Allocate threshold context hash tables.
  void ThresholdContextDestroy (DetectEngineCtx *de_ctx)
      Destroy threshold context hash tables.
  void ThresholdListFree (void *ptr)
      Free all the entries of a DetectTagDataEntry list.

Function Documentation

◆ PacketAlertThreshold()

int PacketAlertThreshold (DetectEngineCtx *de_ctx,
                          DetectEngineThreadCtx *det_ctx,
                          const DetectThresholdData *td,
                          Packet *p,
                          const Signature *s,
                          PacketAlert *pa)

Apply the threshold logic for a signature.

Parameters
  de_ctx   Detection Context
  td       Threshold element (documented in the source comment as tsh_ptr)
  p        Packet structure
  s        Signature structure
Return values
  2   silent match (no alert but apply actions)
  1   alert on this event
  0   do not alert on this event

Definition at line 602 of file detect-engine-threshold.c.

References SCEnter, SCReturnInt, DetectThresholdData_::type, and TYPE_SUPPRESS.

◆ SigGetThresholdTypeIter()

const DetectThresholdData * SigGetThresholdTypeIter (const Signature *sig,
                                                     const SigMatchData **psm,
                                                     int list)

Return the next DetectThresholdData for a signature.

Parameters
  sig    Signature pointer
  psm    Pointer to a Signature Match pointer
  list   List to return data from
Return values
  tsh    Return the threshold data from the signature, or NULL if not found

Definition at line 112 of file detect-engine-threshold.c.

Referenced by ThresholdHashAllocate().


◆ ThresholdContextDestroy()

void ThresholdContextDestroy (DetectEngineCtx *de_ctx)

Destroy threshold context hash tables.

Parameters
  de_ctx   Detection Context

Definition at line 728 of file detect-engine-threshold.c.

References de_ctx, SCFree, SCMutexDestroy, ThresholdCtx_::th_entry, ThresholdCtx_::th_size, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

Referenced by DetectEngineCtxFree().


◆ ThresholdHashAllocate()

void ThresholdHashAllocate (DetectEngineCtx *de_ctx)

Allocate threshold context hash tables.

◆ ThresholdHashInit()

void ThresholdHashInit (DetectEngineCtx *de_ctx)

Init threshold context hash tables.

Parameters
  de_ctx   Detection Context

Definition at line 647 of file detect-engine-threshold.c.

References de_ctx, FatalError, SCMutexInit, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

◆ ThresholdHostHasThreshold()

int ThresholdHostHasThreshold (Host *host)

Definition at line 93 of file detect-engine-threshold.c.

References HostGetStorageById().


◆ ThresholdHostStorageId()

HostStorageId ThresholdHostStorageId (void)

Definition at line 76 of file detect-engine-threshold.c.

◆ ThresholdHostTimeoutCheck()

int ThresholdHostTimeoutCheck (Host *host, SCTime_t ts)

Definition at line 192 of file detect-engine-threshold.c.

References head, and HostGetStorageById().


◆ ThresholdInit()

void ThresholdInit (void)

Definition at line 81 of file detect-engine-threshold.c.

◆ ThresholdIPPairHasThreshold()

int ThresholdIPPairHasThreshold (IPPair *pair)

Definition at line 98 of file detect-engine-threshold.c.

References IPPairGetStorageById().


◆ ThresholdIPPairTimeoutCheck()

int ThresholdIPPairTimeoutCheck (IPPair *pair, SCTime_t ts)

Definition at line 202 of file detect-engine-threshold.c.

References head, and IPPairGetStorageById().


◆ ThresholdListFree()

void ThresholdListFree (void *ptr)

This function will free all the entries of a DetectTagDataEntry list.

Parameters
  td   pointer to DetectTagDataEntryList

Definition at line 747 of file detect-engine-threshold.c.

References DetectThresholdEntry_::next, and SCFree.