util-threshold-config.c File Reference
#include "suricata-common.h"#include "host.h"#include "ippair.h"#include "detect.h"#include "detect-engine.h"#include "detect-engine-address.h"#include "detect-engine-threshold.h"#include "detect-threshold.h"#include "detect-parse.h"#include "conf.h"#include "util-threshold-config.h"#include "util-unittest.h"#include "util-unittest-helper.h"#include "util-byte.h"#include "util-time.h"#include "util-error.h"#include "util-debug.h"#include "util-fmemopen.h"
Include dependency graph for util-threshold-config.c:
Go to the source code of this file.
Macros | |
| #define | MAX_SUBSTRINGS 30 |
| #define | DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$" |
| #define | DETECT_THRESHOLD_REGEX "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$" |
| #define | DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$" |
| #define | DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$" |
| #define | THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "/threshold.config" |
| enum | ThresholdRuleType { THRESHOLD_TYPE_EVENT_FILTER, THRESHOLD_TYPE_THRESHOLD, THRESHOLD_TYPE_RATE, THRESHOLD_TYPE_SUPPRESS } |
| typedef enum ThresholdRuleType | ThresholdRuleType |
| void | SCThresholdConfGlobalInit (void) |
| void | SCThresholdConfGlobalFree (void) |
| int | SCThresholdConfInitContext (DetectEngineCtx *de_ctx) |
| Inits the context to be used by the Threshold Config parsing API. More... | |
| void | SCThresholdConfParseFile (DetectEngineCtx *de_ctx, FILE *fp) |
| Parses the Threshold Config file. More... | |
| void | SCThresholdConfRegisterTests (void) |
| This function registers unit tests for Classification Config API. More... | |
Detailed Description
- Todo:
- Need to support suppress
Implements Threshold support
Definition in file util-threshold-config.c.
Macro Definition Documentation
◆ DETECT_BASE_REGEX
| #define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$" |
Definition at line 69 of file util-threshold-config.c.
◆ DETECT_RATE_REGEX
| #define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$" |
Definition at line 74 of file util-threshold-config.c.
◆ DETECT_SUPPRESS_REGEX
| #define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$" |
Definition at line 82 of file util-threshold-config.c.
◆ DETECT_THRESHOLD_REGEX
| #define DETECT_THRESHOLD_REGEX "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$" |
Definition at line 71 of file util-threshold-config.c.
◆ MAX_SUBSTRINGS
| #define MAX_SUBSTRINGS 30 |
◆ THRESHOLD_CONF_DEF_CONF_FILEPATH
| #define THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "/threshold.config" |
Definition at line 88 of file util-threshold-config.c.
Typedef Documentation
◆ ThresholdRuleType
| typedef enum ThresholdRuleType ThresholdRuleType |
Enumeration Type Documentation
◆ ThresholdRuleType
| enum ThresholdRuleType |
| Enumerator | |
|---|---|
| THRESHOLD_TYPE_EVENT_FILTER | |
| THRESHOLD_TYPE_THRESHOLD | |
| THRESHOLD_TYPE_RATE | |
| THRESHOLD_TYPE_SUPPRESS | |
Definition at line 55 of file util-threshold-config.c.
Function Documentation
◆ SCThresholdConfGlobalFree()
| void SCThresholdConfGlobalFree | ( | void | ) |
Definition at line 152 of file util-threshold-config.c.
◆ SCThresholdConfGlobalInit()
| void SCThresholdConfGlobalInit | ( | void | ) |
Definition at line 104 of file util-threshold-config.c.
Referenced by GlobalsInitPreConfig().
Here is the caller graph for this function:
◆ SCThresholdConfInitContext()
| int SCThresholdConfInitContext | ( | DetectEngineCtx * | de_ctx | ) |
Inits the context to be used by the Threshold Config parsing API.
This function initializes the hash table to be used by the Detection Engine Context to hold the data from the threshold.config file, obtains the file desc to parse the threshold.config file, and inits the regex used to parse the lines from threshold.config file.
- Parameters
-
de_ctx Pointer to the Detection Engine Context.
- Return values
-
0 On success. -1 On failure.
Definition at line 238 of file util-threshold-config.c.
◆ SCThresholdConfParseFile()
| void SCThresholdConfParseFile | ( | DetectEngineCtx * | de_ctx, |
| FILE * | fp | ||
| ) |
Parses the Threshold Config file.
- Parameters
-
de_ctx Pointer to the Detection Engine Context. fd Pointer to file descriptor.
Definition at line 1072 of file util-threshold-config.c.
◆ SCThresholdConfRegisterTests()
| void SCThresholdConfRegisterTests | ( | void | ) |
This function registers unit tests for Classification Config API.
Definition at line 2699 of file util-threshold-config.c.
References UtRegisterTest().
Here is the call graph for this function:
