|
suricata
|
|
suricata
|
#include "suricata-common.h"#include "host.h"#include "ippair.h"#include "detect.h"#include "detect-engine.h"#include "detect-engine-address.h"#include "detect-threshold.h"#include "detect-parse.h"#include "conf.h"#include "util-threshold-config.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-byte.h"#include "util-time.h"#include "util-error.h"#include "util-debug.h"#include "util-fmemopen.h"
Go to the source code of this file.
Macros | |
| #define | MAX_SUBSTRINGS 30 |
| #define | DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$" |
| #define | DETECT_THRESHOLD_REGEX "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$" |
| #define | DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$" |
| #define | DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$" |
| #define | THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "/threshold.config" |
| enum | ThresholdRuleType { THRESHOLD_TYPE_EVENT_FILTER, THRESHOLD_TYPE_THRESHOLD, THRESHOLD_TYPE_RATE, THRESHOLD_TYPE_SUPPRESS } |
| typedef enum ThresholdRuleType | ThresholdRuleType |
| void | SCThresholdConfGlobalInit (void) |
| void | SCThresholdConfGlobalFree (void) |
| int | SCThresholdConfInitContext (DetectEngineCtx *de_ctx) |
| Inits the context to be used by the Threshold Config parsing API. More... | |
| void | SCThresholdConfParseFile (DetectEngineCtx *de_ctx, FILE *fp) |
| Parses the Threshold Config file. More... | |
| void | SCThresholdConfRegisterTests (void) |
| This function registers unit tests for Classification Config API. More... | |
Implements Threshold support
Definition in file util-threshold-config.c.
| #define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$" |
Definition at line 67 of file util-threshold-config.c.
Referenced by SCThresholdConfGlobalInit().
| #define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$" |
Definition at line 72 of file util-threshold-config.c.
Referenced by SCThresholdConfGlobalInit().
| #define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$" |
Definition at line 80 of file util-threshold-config.c.
Referenced by SCThresholdConfGlobalInit().
| #define DETECT_THRESHOLD_REGEX "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$" |
Definition at line 69 of file util-threshold-config.c.
Referenced by SCThresholdConfGlobalInit().
| #define MAX_SUBSTRINGS 30 |
Referenced by SCThresholdConfInitContext().
| #define THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "/threshold.config" |
Definition at line 86 of file util-threshold-config.c.
Referenced by SCThresholdConfGlobalFree().
| typedef enum ThresholdRuleType ThresholdRuleType |
| enum ThresholdRuleType |
| Enumerator | |
|---|---|
| THRESHOLD_TYPE_EVENT_FILTER | |
| THRESHOLD_TYPE_THRESHOLD | |
| THRESHOLD_TYPE_RATE | |
| THRESHOLD_TYPE_SUPPRESS | |
Definition at line 54 of file util-threshold-config.c.
| void SCThresholdConfGlobalFree | ( | void | ) |
Definition at line 151 of file util-threshold-config.c.
References ConfGet(), DetectEngineCtx_::config_prefix, and THRESHOLD_CONF_DEF_CONF_FILEPATH.
Referenced by GlobalsInitPreConfig().
| void SCThresholdConfGlobalInit | ( | void | ) |
Definition at line 103 of file util-threshold-config.c.
References DETECT_BASE_REGEX, DETECT_RATE_REGEX, DETECT_SUPPRESS_REGEX, DETECT_THRESHOLD_REGEX, FatalError, SC_ERR_PCRE_COMPILE, and SC_ERR_PCRE_STUDY.
Referenced by GlobalsInitPreConfig().
| int SCThresholdConfInitContext | ( | DetectEngineCtx * | de_ctx | ) |
Inits the context to be used by the Threshold Config parsing API.
This function initializes the hash table to be used by the Detection Engine Context to hold the data from the threshold.config file, obtains the file desc to parse the threshold.config file, and inits the regex used to parse the lines from threshold.config file.
| de_ctx | Pointer to the Detection Engine Context. |
| 0 | On success. |
| -1 | On failure. |
Definition at line 237 of file util-threshold-config.c.
References DetectThresholdData_::addrs, BUG_ON, ByteExtractStringUint32(), DetectThresholdData_::count, SigMatch_::ctx, de, DETECT_DETECTION_FILTER, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, DetectAddressHeadCleanup(), DetectAddressParse(), DetectGetLastSMByListId(), Signature_::flags, Signature_::gid, Signature_::id, len, MAX_SUBSTRINGS, DetectThresholdData_::new_action, Signature_::next, SC_ERR_EVENT_ENGINE, SC_ERR_FOPEN, SC_ERR_INVALID_ARGUMENTS, SC_ERR_INVALID_IP_NETBLOCK, SC_ERR_INVALID_VALUE, SC_ERR_MEM_ALLOC, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_MATCH, SCFree, SCLogDebug, SCLogError, SCLogInfo, SCLogWarning, SCMalloc, SCRealloc, SCThresholdConfParseFile(), DetectThresholdData_::seconds, SIG_FLAG_NOALERT, DetectEngineCtx_::sig_list, SigFindSignatureBySidGid(), SigMatchAlloc(), SigMatchAppendSMToList(), SigMatchFree(), SigMatchRemoveSMFromList(), TH_ACTION_ALERT, TH_ACTION_DROP, TH_ACTION_LOG, TH_ACTION_PASS, TH_ACTION_REJECT, TH_ACTION_SDROP, ThresholdCtx_::th_entry, ThresholdCtx_::th_size, THRESHOLD_TYPE_EVENT_FILTER, THRESHOLD_TYPE_RATE, THRESHOLD_TYPE_SUPPRESS, THRESHOLD_TYPE_THRESHOLD, DetectEngineCtx_::ths_ctx, DetectThresholdData_::timeout, DetectThresholdData_::track, TRACK_BOTH, TRACK_DST, TRACK_EITHER, TRACK_RULE, TRACK_SRC, DetectThresholdData_::type, SigMatch_::type, TYPE_BOTH, TYPE_LIMIT, TYPE_RATE, TYPE_SUPPRESS, TYPE_THRESHOLD, and unlikely.
Referenced by SCThresholdConfParseFile(), and SigLoadSignatures().
| void SCThresholdConfParseFile | ( | DetectEngineCtx * | de_ctx, |
| FILE * | fp | ||
| ) |
Parses the Threshold Config file.
| de_ctx | Pointer to the Detection Engine Context. |
| fd | Pointer to file descriptor. |
Definition at line 1102 of file util-threshold-config.c.
References Packet_::action, ACTION_DROP, Packet_::alerts, PacketAlerts_::cnt, DetectThresholdData_::count, SigMatch_::ctx, SigMatchData_::ctx, de, DE_QUIET, DETECT_DETECTION_FILTER, DETECT_SM_LIST_SUPPRESS, DETECT_SM_LIST_THRESHOLD, DETECT_THRESHOLD, DetectEngineAppendSig(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), DetectGetLastSMByListId(), FAIL_IF, FAIL_IF_NOT, FAIL_IF_NOT_NULL, FAIL_IF_NULL, DetectEngineCtx_::flags, HOST_QUIET, HostInitConfig(), HostShutdown(), IPPAIR_QUIET, IPPairInitConfig(), IPPairShutdown(), SigMatchData_::is_last, m, Signature_::next, Signature_::num, PACKET_TEST_ACTION, PacketAlertCheck(), PASS, SCFmemopen, SCLogDebug, SCLogInfo, SCThresholdConfInitContext(), DetectThresholdData_::seconds, DetectEngineCtx_::sig_list, SigGroupBuild(), SigMatchSignatures(), Signature_::sm_arrays, ThresholdCtx_::th_entry, DetectEngineCtx_::ths_ctx, TimeGet(), TimeSetIncrementTime(), DetectThresholdData_::track, TRACK_DST, TRACK_SRC, Packet_::ts, DetectThresholdData_::type, TYPE_BOTH, TYPE_LIMIT, TYPE_RATE, TYPE_SUPPRESS, TYPE_THRESHOLD, UTHBuildPacket(), UTHBuildPacketReal(), UTHBuildPacketSrcDst(), and UTHFreePacket().
Referenced by SCThresholdConfInitContext().
| void SCThresholdConfRegisterTests | ( | void | ) |
This function registers unit tests for Classification Config API.
Definition at line 2729 of file util-threshold-config.c.
References UtRegisterTest().
1.8.11