This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval. More...
Files | |
| file | detect-engine-threshold.c |
| file | detect-threshold.c |
| file | util-threshold-config.c |
Data Structures | |
| struct | Thresholds |
| struct | ThresholdEntry_ |
| struct | ThresholdCacheItem |
| struct | FlowThresholdEntryList_ |
| struct | FlowVarThreshold_ |
Macros | |
| #define | DF_PORT_BITMAP_SIZE (65536u / 8u) |
| #define | DF_PORT_BYTE_IDX(p) ((uint32_t)((p) >> 3)) |
| #define | DF_PORT_BIT_MASK(p) ((uint8_t)(1u << ((p)&7u))) |
| #define | SID 0 |
| #define | GID 1 |
| #define | REV 2 |
| #define | TRACK 3 |
| #define | TENANT 4 |
| #define | TC_ADDRESS 0 |
| #define | TC_SID 1 |
| #define | TC_GID 2 |
| #define | TC_REV 3 |
| #define | TC_TENANT 4 |
Typedefs | |
| typedef struct ThresholdEntry_ | ThresholdEntry |
| typedef struct ThresholdCacheItem | ThresholdCacheItem |
| typedef struct FlowThresholdEntryList_ | FlowThresholdEntryList |
| typedef struct FlowVarThreshold_ | FlowVarThreshold |
Functions | |
| void | ThresholdForceAllocFail (int v) |
| uint64_t | ThresholdGetBitmapMemuse (void) |
| uint64_t | ThresholdGetBitmapAllocFail (void) |
| void | ThresholdInit (void) |
| void | ThresholdRegisterGlobalCounters (void) |
| void | ThresholdDestroy (void) |
| uint32_t | ThresholdsExpire (const SCTime_t ts) |
| RB_HEAD (THRESHOLD_CACHE, ThresholdCacheItem) | |
| RB_PROTOTYPE (THRESHOLD_CACHE, ThresholdCacheItem, rb, ThresholdCacheTreeCompareFunc) | |
| RB_GENERATE (THRESHOLD_CACHE, ThresholdCacheItem, rb, ThresholdCacheTreeCompareFunc) | |
| void | ThresholdCacheThreadFree (void) |
| const DetectThresholdData * | SigGetThresholdTypeIter (const Signature *sig, const SigMatchData **psm, int list) |
| Return next DetectThresholdData for signature. More... | |
| void | FlowThresholdVarFree (void *ptr) |
| int | PacketAlertThreshold (const DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa) |
| Make the threshold logic for signatures. More... | |
Variables | |
| struct Thresholds | ctx |
| thread_local uint64_t | cache_lookup_cnt = 0 |
| thread_local uint64_t | cache_lookup_notinit = 0 |
| thread_local uint64_t | cache_lookup_nosupport = 0 |
| thread_local uint64_t | cache_lookup_miss_expired = 0 |
| thread_local uint64_t | cache_lookup_miss = 0 |
| thread_local uint64_t | cache_lookup_hit = 0 |
| thread_local uint64_t | cache_housekeeping_check = 0 |
| thread_local uint64_t | cache_housekeeping_expired = 0 |
| thread_local struct THRESHOLD_CACHE | threshold_cache_tree |
| thread_local uint64_t | threshold_cache_housekeeping_ts = 0 |
Detailed Description
This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.
Macro Definition Documentation
◆ DF_PORT_BIT_MASK
| #define DF_PORT_BIT_MASK | ( | p | ) | ((uint8_t)(1u << ((p)&7u))) |
Definition at line 91 of file detect-engine-threshold.c.
◆ DF_PORT_BITMAP_SIZE
| #define DF_PORT_BITMAP_SIZE (65536u / 8u) |
Definition at line 89 of file detect-engine-threshold.c.
◆ DF_PORT_BYTE_IDX
| #define DF_PORT_BYTE_IDX | ( | p | ) | ((uint32_t)((p) >> 3)) |
Definition at line 90 of file detect-engine-threshold.c.
◆ GID
| #define GID 1 |
Definition at line 146 of file detect-engine-threshold.c.
◆ REV
| #define REV 2 |
Definition at line 147 of file detect-engine-threshold.c.
◆ SID
| #define SID 0 |
Definition at line 145 of file detect-engine-threshold.c.
◆ TC_ADDRESS
| #define TC_ADDRESS 0 |
Definition at line 383 of file detect-engine-threshold.c.
◆ TC_GID
| #define TC_GID 2 |
Definition at line 385 of file detect-engine-threshold.c.
◆ TC_REV
| #define TC_REV 3 |
Definition at line 386 of file detect-engine-threshold.c.
◆ TC_SID
| #define TC_SID 1 |
Definition at line 384 of file detect-engine-threshold.c.
◆ TC_TENANT
| #define TC_TENANT 4 |
Definition at line 387 of file detect-engine-threshold.c.
◆ TENANT
| #define TENANT 4 |
Definition at line 149 of file detect-engine-threshold.c.
◆ TRACK
| #define TRACK 3 |
Definition at line 148 of file detect-engine-threshold.c.
Typedef Documentation
◆ FlowThresholdEntryList
| typedef struct FlowThresholdEntryList_ FlowThresholdEntryList |
◆ FlowVarThreshold
| typedef struct FlowVarThreshold_ FlowVarThreshold |
struct for storing per flow thresholds. This will be stored in the Flow::flowvar list, so it needs to follow the GenericVar header format.
◆ ThresholdCacheItem
| typedef struct ThresholdCacheItem ThresholdCacheItem |
◆ ThresholdEntry
| typedef struct ThresholdEntry_ ThresholdEntry |
Function Documentation
◆ FlowThresholdVarFree()
| void FlowThresholdVarFree | ( | void * | ptr | ) |
Definition at line 677 of file detect-engine-threshold.c.
Referenced by SCGenericVarFree().
◆ PacketAlertThreshold()
| int PacketAlertThreshold | ( | const DetectEngineCtx * | de_ctx, |
| DetectEngineThreadCtx * | det_ctx, | ||
| const DetectThresholdData * | td, | ||
| Packet * | p, | ||
| const Signature * | s, | ||
| PacketAlert * | pa | ||
| ) |
Make the threshold logic for signatures.
- Parameters
-
de_ctx Detection Context tsh_ptr Threshold element p Packet structure s Signature structure
- Return values
-
2 silent match (no alert but apply actions) 1 alert on this event 0 do not alert on this event
Definition at line 1135 of file detect-engine-threshold.c.
References SCEnter, SCReturnInt, DetectThresholdData_::type, and TYPE_SUPPRESS.
◆ RB_GENERATE()
| RB_GENERATE | ( | THRESHOLD_CACHE | , |
| ThresholdCacheItem | , | ||
| rb | , | ||
| ThresholdCacheTreeCompareFunc | |||
| ) |
◆ RB_HEAD()
| RB_HEAD | ( | THRESHOLD_CACHE | , |
| ThresholdCacheItem | |||
| ) |
◆ RB_PROTOTYPE()
| RB_PROTOTYPE | ( | THRESHOLD_CACHE | , |
| ThresholdCacheItem | , | ||
| rb | , | ||
| ThresholdCacheTreeCompareFunc | |||
| ) |
◆ SigGetThresholdTypeIter()
| const DetectThresholdData* SigGetThresholdTypeIter | ( | const Signature * | sig, |
| const SigMatchData ** | psm, | ||
| int | list | ||
| ) |
Return next DetectThresholdData for signature.
- Parameters
-
sig Signature pointer psm Pointer to a Signature Match pointer list List to return data from
- Return values
-
tsh Return the threshold data from signature or NULL if not found
Definition at line 617 of file detect-engine-threshold.c.
◆ ThresholdCacheThreadFree()
| void ThresholdCacheThreadFree | ( | void | ) |
Definition at line 598 of file detect-engine-threshold.c.
◆ ThresholdDestroy()
| void ThresholdDestroy | ( | void | ) |
Definition at line 139 of file detect-engine-threshold.c.
Referenced by GlobalsDestroy().
◆ ThresholdForceAllocFail()
| void ThresholdForceAllocFail | ( | int | v | ) |
Definition at line 71 of file detect-engine-threshold.c.
◆ ThresholdGetBitmapAllocFail()
| uint64_t ThresholdGetBitmapAllocFail | ( | void | ) |
Definition at line 81 of file detect-engine-threshold.c.
References SC_ATOMIC_GET.
◆ ThresholdGetBitmapMemuse()
| uint64_t ThresholdGetBitmapMemuse | ( | void | ) |
Definition at line 76 of file detect-engine-threshold.c.
References SC_ATOMIC_GET.
◆ ThresholdInit()
| void ThresholdInit | ( | void | ) |
Definition at line 123 of file detect-engine-threshold.c.
References SC_ATOMIC_INIT.
◆ ThresholdRegisterGlobalCounters()
| void ThresholdRegisterGlobalCounters | ( | void | ) |
Definition at line 130 of file detect-engine-threshold.c.
References StatsRegisterGlobalCounter().
Referenced by PreRunInit().
◆ ThresholdsExpire()
| uint32_t ThresholdsExpire | ( | const SCTime_t | ts | ) |
Definition at line 377 of file detect-engine-threshold.c.
References ctx, Thresholds::thash, THashExpire(), and ts.
Variable Documentation
◆ cache_housekeeping_check
| thread_local uint64_t cache_housekeeping_check = 0 |
Definition at line 405 of file detect-engine-threshold.c.
◆ cache_housekeeping_expired
| thread_local uint64_t cache_housekeeping_expired = 0 |
Definition at line 406 of file detect-engine-threshold.c.
◆ cache_lookup_cnt
| thread_local uint64_t cache_lookup_cnt = 0 |
Definition at line 399 of file detect-engine-threshold.c.
◆ cache_lookup_hit
| thread_local uint64_t cache_lookup_hit = 0 |
Definition at line 404 of file detect-engine-threshold.c.
◆ cache_lookup_miss
| thread_local uint64_t cache_lookup_miss = 0 |
Definition at line 403 of file detect-engine-threshold.c.
◆ cache_lookup_miss_expired
| thread_local uint64_t cache_lookup_miss_expired = 0 |
Definition at line 402 of file detect-engine-threshold.c.
◆ cache_lookup_nosupport
| thread_local uint64_t cache_lookup_nosupport = 0 |
Definition at line 401 of file detect-engine-threshold.c.
◆ cache_lookup_notinit
| thread_local uint64_t cache_lookup_notinit = 0 |
Definition at line 400 of file detect-engine-threshold.c.
◆ ctx
| struct Thresholds ctx |
Referenced by AppLayerParserRegisterUnittests(), AppLayerParserStateProtoCleanup(), CreateEveThreadCtx(), DetectBsizeMatch(), DetectBytejumpDoMatch(), DetectBytetestDoMatch(), DetectEngineContentInspection(), DetectEngineContentInspectionBuffer(), DetectEntropyDoMatch(), DetectFlowbitMatch(), DetectFlowintMatch(), DetectFlowMatch(), DetectFlowvarMatch(), EngineAnalysisRules2(), FirewallAnalyzer(), FreeEveThreadCtx(), OutputJsonBuilderBuffer(), OutputJsonFlush(), SCACDestroyCtx(), SCACPreparePatterns(), SCACPrintInfo(), SCACSearch(), SCACTilePreparePatterns(), SCACTilePrintInfo(), SCACTileSearchLarge(), SCDetectHelperKeywordRegister(), SCLuaSbGetContext(), SCProfilingKeywordThreadSetup(), SCProfilingPrefilterThreadSetup(), SCProfilingSghThreadSetup(), SpmDestroyCtx(), SpmScan(), THashCleanup(), THashConsolidateMemcap(), THashExpire(), THashInit(), THashWalk(), ThresholdsExpire(), TmqhOutputFlowFreeCtx(), TmqhOutputFlowHash(), TmqhOutputFlowIPPair(), and TmqhOutputFlowSetupCtx().
◆ threshold_cache_housekeeping_ts
| thread_local uint64_t threshold_cache_housekeeping_ts = 0 |
Definition at line 433 of file detect-engine-threshold.c.
◆ threshold_cache_tree
| thread_local struct THRESHOLD_CACHE threshold_cache_tree |
Definition at line 432 of file detect-engine-threshold.c.
