/* Unit-test hook for the threshold.config loader.  When a test leaves a stream
 * here (the tests below assign an SCFmemopen()'d buffer), the loader reads the
 * rules from it instead of fopen()'ing the configured threshold file, and
 * resets it to NULL once the stream has been consumed.  Static storage is
 * zero-initialised, so the pointer starts out NULL without an explicit
 * initialiser. */
static FILE *g_ut_threshold_fp;
/* First-stage pattern applied to every non-blank, non-comment line of
 * threshold.config.  Anchored at both ends, so the whole line must conform.
 * Capture groups:
 *   1  rule type: event_filter | threshold | rate_filter | suppress
 *   2  gen_id (digits only, unbounded length)
 *   3  sig_id (digits only, unbounded length)
 *   4  everything after sig_id, handed to the per-type regex below
 * Because \d+ is unbounded, groups 2 and 3 are extracted with a bounded
 * pcre2_substring_copy_bynumber into fixed-size buffers; an over-long number
 * makes that copy fail (and the failure is logged) rather than overflow.
 * Group 4 is greedy, so any trailing whitespace ends up inside it; the
 * per-type patterns tolerate that via their own trailing \s*$. */
#define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"
/* Second-stage pattern for event_filter / threshold rules, matched against
 * group 4 of DETECT_BASE_REGEX.  The leading "^," requires the separator
 * that followed sig_id.  Capture groups:
 *   1  type:  limit | both | threshold
 *   2  track: by_dst | by_src | by_both | by_rule
 *   3  count   (digits)
 *   4  seconds (digits)
 * Each group is copied into a 16-byte buffer with a bounded copy, so values
 * longer than that are rejected at extraction time.  The alternations here
 * are the only spellings accepted; the parser re-checks them with
 * strcasecmp before mapping to the internal type/track codes. */
#define DETECT_THRESHOLD_REGEX \
"^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*," \
"\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"
/* Second-stage pattern for rate_filter rules, matched against group 4 of
 * DETECT_BASE_REGEX.  Capture groups:
 *   1  track:      by_dst | by_src | by_both | by_rule
 *   2  count       (digits; the parser additionally rejects 0)
 *   3  seconds     (digits)
 *   4  new_action: alert | drop | pass | log | sdrop | reject
 *   5  timeout     (digits)
 * NOTE: "log" and "sdrop" are accepted by this pattern but the parser reports
 * them as not supported yet, so a rule using them passes the regex and is
 * then refused later with an info-level message rather than a regex error.
 * Since this action changes what happens to matching traffic (e.g. alert ->
 * drop), the fixed alternation is what keeps an arbitrary action name out of
 * the config. */
#define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$"
/* Second-stage pattern for suppress rules, matched against group 4 of
 * DETECT_BASE_REGEX.  Capture groups:
 *   1  track: by_dst | by_src | by_either   (note: no by_both/by_rule here)
 *   2  ip: an address, CIDR, IPv6 literal, $VAR name or [a,b,...] list;
 *      the character class is deliberately loose and the value is validated
 *      by the address parser downstream, not by this regex.
 * NOTE(review): group 2 is written as ([...]+)* -- a nested quantifier.  The
 * outer '*' makes the value optional ("ip" with nothing after it still
 * matches, leaving group 2 unset, which the substring_get call must report),
 * and nested quantifiers are the classic catastrophic-backtracking shape.
 * PCRE2's match limits and the fact that threshold.config is an
 * administrator-controlled file make this a robustness rather than an
 * exposure concern, but a plain ([...]+) would express the intent without
 * the backtracking hazard.  Also worth fixing in the extraction code: the
 * bound used when copying group 1 into th_track is taken from
 * sizeof(th_seconds); both buffers are 16 bytes today so it is harmless,
 * but the bound should name the destination buffer. */
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$"
87 #if defined OS_WIN32 || defined __CYGWIN__
88 #define THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "\\\\threshold.config"
90 #define THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "/threshold.config"
/* Compiled PCRE2 programs for the four threshold.config rule forms, each
 * paired with the match-data block it is executed against.  They are
 * file-scope singletons: compiled once by the pcre2_compile calls in the
 * init code below (a compile failure is fatal) and released pairwise by the
 * pcre2_code_free / pcre2_match_data_free calls in the deinit code.  Static
 * storage is zero-initialised, so every pointer starts out NULL; the deinit
 * path relies on that NULL to skip objects that were never created. */
static pcre2_code *regex_base, *regex_threshold, *regex_rate, *regex_suppress;
static pcre2_match_data *regex_base_match, *regex_threshold_match, *regex_rate_match,
        *regex_suppress_match;
112 PCRE2_UCHAR errbuffer[256];
114 regex_base = pcre2_compile(
116 if (regex_base == NULL) {
117 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
118 FatalError(
"pcre2 compile of \"%s\" failed at "
122 regex_base_match = pcre2_match_data_create_from_pattern(regex_base, NULL);
124 regex_threshold = pcre2_compile(
126 if (regex_threshold == NULL) {
127 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
128 FatalError(
"pcre2 compile of \"%s\" failed at "
132 regex_threshold_match = pcre2_match_data_create_from_pattern(regex_threshold, NULL);
134 regex_rate = pcre2_compile(
136 if (regex_rate == NULL) {
137 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
138 FatalError(
"pcre2 compile of \"%s\" failed at "
142 regex_rate_match = pcre2_match_data_create_from_pattern(regex_rate, NULL);
144 regex_suppress = pcre2_compile(
146 if (regex_suppress == NULL) {
147 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
148 FatalError(
"pcre2 compile of \"%s\" failed at "
152 regex_suppress_match = pcre2_match_data_create_from_pattern(regex_suppress, NULL);
157 if (regex_base != NULL) {
158 pcre2_code_free(regex_base);
161 if (regex_base_match != NULL) {
162 pcre2_match_data_free(regex_base_match);
163 regex_base_match = NULL;
166 if (regex_threshold != NULL) {
167 pcre2_code_free(regex_threshold);
168 regex_threshold = NULL;
170 if (regex_threshold_match != NULL) {
171 pcre2_match_data_free(regex_threshold_match);
172 regex_threshold_match = NULL;
175 if (regex_rate != NULL) {
176 pcre2_code_free(regex_rate);
179 if (regex_rate_match != NULL) {
180 pcre2_match_data_free(regex_rate_match);
181 regex_rate_match = NULL;
184 if (regex_suppress != NULL) {
185 pcre2_code_free(regex_suppress);
186 regex_suppress = NULL;
188 if (regex_suppress_match != NULL) {
189 pcre2_match_data_free(regex_suppress_match);
190 regex_suppress_match = NULL;
205 const char *log_filename = NULL;
208 char config_value[256];
209 snprintf(config_value,
sizeof(config_value),
214 if (
ConfGet(config_value, &log_filename) != 1) {
215 if (
ConfGet(
"threshold-file", &log_filename) != 1) {
220 if (
ConfGet(
"threshold-file", &log_filename) != 1) {
243 const char *filename = NULL;
248 FILE *fd = g_ut_threshold_fp;
251 filename = SCThresholdConfGetConfFilename(
de_ctx);
252 if ( (fd = fopen(filename,
"r")) == NULL) {
253 SCLogWarning(
"Error opening file: \"%s\": %s", filename, strerror(errno));
261 SCLogWarning(
"Error loading threshold configuration from %s", filename);
268 SCThresholdConfDeInitContext(
de_ctx, fd);
271 g_ut_threshold_fp = NULL;
273 SCLogDebug(
"Global thresholding options defined");
277 SCThresholdConfDeInitContext(
de_ctx, fd);
301 uint8_t parsed_type, uint8_t parsed_track, uint32_t parsed_count,
302 uint32_t parsed_seconds, uint32_t parsed_timeout, uint8_t parsed_new_action,
318 orig_de->
track = parsed_track;
319 orig_de->
count = parsed_count;
320 orig_de->
seconds = parsed_seconds;
322 orig_de->
timeout = parsed_timeout;
331 if (
id == 0 && gid == 0) {
355 sm->
ctx = (
void *)
de;
358 }
else if (
id == 0 && gid > 0) {
360 SCLogWarning(
"suppressing all rules with gid %" PRIu32, gid);
384 sm->
ctx = (
void *)
de;
388 }
else if (
id > 0 && gid == 0) {
389 SCLogError(
"Can't use a event config that has "
390 "sid > 0 and gid == 0. Please fix this "
391 "in your threshold.config file");
397 "%" PRIu32
", gid %" PRIu32
": unknown rule",
416 sm->
ctx = (
void *)
de;
423 if (orig_de != NULL) {
429 if (orig_de != NULL) {
446 uint8_t parsed_type, uint8_t parsed_track, uint32_t parsed_count,
447 uint32_t parsed_seconds, uint32_t parsed_timeout, uint8_t parsed_new_action,
457 if (
id == 0 && gid == 0) {
463 "an event var set. The signature event var is "
464 "given precedence over the threshold.conf one. "
465 "We'll change this in the future though.",
474 "an event var set. The signature event var is "
475 "given precedence over the threshold.conf one. "
476 "We'll change this in the future though.",
486 de->type = parsed_type;
487 de->track = parsed_track;
488 de->count = parsed_count;
489 de->seconds = parsed_seconds;
490 de->new_action = parsed_new_action;
491 de->timeout = parsed_timeout;
503 sm->
ctx = (
void *)
de;
508 }
else if (
id == 0 && gid > 0) {
515 "an event var set. The signature event var is "
516 "given precedence over the threshold.conf one. "
517 "We'll change this in the future though.",
527 de->type = parsed_type;
528 de->track = parsed_track;
529 de->count = parsed_count;
530 de->seconds = parsed_seconds;
531 de->new_action = parsed_new_action;
532 de->timeout = parsed_timeout;
544 sm->
ctx = (
void *)
de;
549 }
else if (
id > 0 && gid == 0) {
550 SCLogError(
"Can't use a event config that has "
551 "sid > 0 and gid == 0. Please fix this "
552 "in your threshold.conf file");
557 "%" PRIu32
", gid %" PRIu32
": unknown rule",
567 "a threshold set. The signature event var is "
568 "given precedence over the threshold.conf one. "
578 "a detection_filter set. The signature event var is "
579 "given precedence over the threshold.conf one. "
601 de->type = parsed_type;
602 de->track = parsed_track;
603 de->count = parsed_count;
604 de->seconds = parsed_seconds;
605 de->new_action = parsed_new_action;
606 de->timeout = parsed_timeout;
618 sm->
ctx = (
void *)
de;
634 uint32_t *ret_gid, uint8_t *ret_parsed_type, uint8_t *ret_parsed_track,
635 uint32_t *ret_parsed_count, uint32_t *ret_parsed_seconds, uint32_t *ret_parsed_timeout,
636 uint8_t *ret_parsed_new_action,
char **ret_th_ip)
638 char th_rule_type[32];
641 const char *rule_extend = NULL;
642 char th_type[16] =
"";
643 char th_track[16] =
"";
644 char th_count[16] =
"";
645 char th_seconds[16] =
"";
646 char th_new_action[16] =
"";
647 char th_timeout[16] =
"";
648 const char *th_ip = NULL;
650 uint8_t parsed_type = 0;
651 uint8_t parsed_track = 0;
652 uint8_t parsed_new_action = 0;
653 uint32_t parsed_count = 0;
654 uint32_t parsed_seconds = 0;
655 uint32_t parsed_timeout = 0;
658 uint32_t
id = 0, gid = 0;
665 regex_base, (PCRE2_SPTR8)rawstr, strlen(rawstr), 0, 0, regex_base_match, NULL);
667 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret, rawstr);
672 size_t copylen =
sizeof(th_rule_type);
673 ret = pcre2_substring_copy_bynumber(
674 regex_base_match, 1, (PCRE2_UCHAR8 *)th_rule_type, ©len);
676 SCLogError(
"pcre2_substring_copy_bynumber failed");
681 copylen =
sizeof(th_gid);
682 ret = pcre2_substring_copy_bynumber(regex_base_match, 2, (PCRE2_UCHAR8 *)th_gid, ©len);
684 SCLogError(
"pcre2_substring_copy_bynumber failed");
688 copylen =
sizeof(th_sid);
689 ret = pcre2_substring_copy_bynumber(regex_base_match, 3, (PCRE2_UCHAR8 *)th_sid, ©len);
691 SCLogError(
"pcre2_substring_copy_bynumber failed");
696 ret = pcre2_substring_get_bynumber(
697 regex_base_match, 4, (PCRE2_UCHAR8 **)&rule_extend, ©len);
699 SCLogError(
"pcre2_substring_get_bynumber failed");
704 if (strcasecmp(th_rule_type,
"event_filter") == 0) {
706 }
else if (strcasecmp(th_rule_type,
"threshold") == 0) {
708 }
else if (strcasecmp(th_rule_type,
"rate_filter") == 0) {
710 }
else if (strcasecmp(th_rule_type,
"suppress") == 0) {
713 SCLogError(
"rule type %s is unknown", th_rule_type);
721 if (strlen(rule_extend) > 0) {
722 ret = pcre2_match(regex_threshold, (PCRE2_SPTR8)rule_extend, strlen(rule_extend), 0,
723 0, regex_threshold_match, NULL);
725 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret,
730 copylen =
sizeof(th_type);
731 ret = pcre2_substring_copy_bynumber(
732 regex_threshold_match, 1, (PCRE2_UCHAR8 *)th_type, ©len);
734 SCLogError(
"pcre2_substring_copy_bynumber failed");
738 copylen =
sizeof(th_track);
739 ret = pcre2_substring_copy_bynumber(
740 regex_threshold_match, 2, (PCRE2_UCHAR8 *)th_track, ©len);
742 SCLogError(
"pcre2_substring_copy_bynumber failed");
746 copylen =
sizeof(th_count);
747 ret = pcre2_substring_copy_bynumber(
748 regex_threshold_match, 3, (PCRE2_UCHAR8 *)th_count, ©len);
750 SCLogError(
"pcre2_substring_copy_bynumber failed");
754 copylen =
sizeof(th_seconds);
755 ret = pcre2_substring_copy_bynumber(
756 regex_threshold_match, 4, (PCRE2_UCHAR8 *)th_seconds, ©len);
758 SCLogError(
"pcre2_substring_copy_bynumber failed");
762 if (strcasecmp(th_type,
"limit") == 0)
764 else if (strcasecmp(th_type,
"both") == 0)
766 else if (strcasecmp(th_type,
"threshold") == 0)
769 SCLogError(
"limit type not supported: %s", th_type);
778 if (strlen(rule_extend) > 0) {
779 ret = pcre2_match(regex_suppress, (PCRE2_SPTR8)rule_extend, strlen(rule_extend), 0,
780 0, regex_suppress_match, NULL);
782 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret,
787 copylen =
sizeof(th_seconds);
788 ret = pcre2_substring_copy_bynumber(
789 regex_suppress_match, 1, (PCRE2_UCHAR8 *)th_track, ©len);
791 SCLogError(
"pcre2_substring_copy_bynumber failed");
795 ret = pcre2_substring_get_bynumber(
796 regex_suppress_match, 2, (PCRE2_UCHAR8 **)&th_ip, ©len);
798 SCLogError(
"pcre2_substring_get_bynumber failed");
807 if (strlen(rule_extend) > 0) {
808 ret = pcre2_match(regex_rate, (PCRE2_SPTR8)rule_extend, strlen(rule_extend), 0, 0,
809 regex_rate_match, NULL);
811 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret,
816 copylen =
sizeof(th_track);
817 ret = pcre2_substring_copy_bynumber(
818 regex_rate_match, 1, (PCRE2_UCHAR8 *)th_track, ©len);
820 SCLogError(
"pcre2_substring_copy_bynumber failed");
824 copylen =
sizeof(th_count);
825 ret = pcre2_substring_copy_bynumber(
826 regex_rate_match, 2, (PCRE2_UCHAR8 *)th_count, ©len);
828 SCLogError(
"pcre2_substring_copy_bynumber failed");
832 copylen =
sizeof(th_seconds);
833 ret = pcre2_substring_copy_bynumber(
834 regex_rate_match, 3, (PCRE2_UCHAR8 *)th_seconds, ©len);
836 SCLogError(
"pcre2_substring_copy_bynumber failed");
840 copylen =
sizeof(th_new_action);
841 ret = pcre2_substring_copy_bynumber(
842 regex_rate_match, 4, (PCRE2_UCHAR8 *)th_new_action, ©len);
844 SCLogError(
"pcre2_substring_copy_bynumber failed");
848 copylen =
sizeof(th_timeout);
849 ret = pcre2_substring_copy_bynumber(
850 regex_rate_match, 5, (PCRE2_UCHAR8 *)th_timeout, ©len);
852 SCLogError(
"pcre2_substring_copy_bynumber failed");
858 if (
StringParseUint32(&parsed_timeout, 10,
sizeof(th_timeout), th_timeout) <= 0) {
863 if (strcasecmp(th_new_action,
"alert") == 0)
865 if (strcasecmp(th_new_action,
"drop") == 0)
867 if (strcasecmp(th_new_action,
"pass") == 0)
869 if (strcasecmp(th_new_action,
"reject") == 0)
871 if (strcasecmp(th_new_action,
"log") == 0) {
872 SCLogInfo(
"log action for rate_filter not supported yet");
875 if (strcasecmp(th_new_action,
"sdrop") == 0) {
876 SCLogInfo(
"sdrop action for rate_filter not supported yet");
892 if (strcasecmp(th_track,
"by_dst") == 0)
894 else if (strcasecmp(th_track,
"by_src") == 0)
896 else if (strcasecmp(th_track,
"by_both") == 0) {
899 else if (strcasecmp(th_track,
"by_rule") == 0)
902 SCLogError(
"Invalid track parameter %s in %s", th_track, rawstr);
909 if (parsed_count == 0) {
910 SCLogError(
"rate filter count should be > 0");
914 if (
StringParseUint32(&parsed_seconds, 10,
sizeof(th_seconds), th_seconds) <= 0) {
921 if (strcmp(
"", th_track) != 0) {
922 if (strcasecmp(th_track,
"by_dst") == 0)
924 else if (strcasecmp(th_track,
"by_src") == 0)
926 else if (strcasecmp(th_track,
"by_either") == 0) {
930 SCLogError(
"Invalid track parameter %s in %s", th_track, rule_extend);
947 *ret_parsed_type = parsed_type;
948 *ret_parsed_track = parsed_track;
949 *ret_parsed_new_action = parsed_new_action;
950 *ret_parsed_count = parsed_count;
951 *ret_parsed_seconds = parsed_seconds;
952 *ret_parsed_timeout = parsed_timeout;
955 *ret_th_ip = (
char *)th_ip;
957 pcre2_substring_free((PCRE2_UCHAR8 *)rule_extend);
961 if (rule_extend != NULL) {
962 pcre2_substring_free((PCRE2_UCHAR8 *)rule_extend);
965 pcre2_substring_free((PCRE2_UCHAR8 *)th_ip);
982 uint8_t parsed_type = 0;
983 uint8_t parsed_track = 0;
984 uint8_t parsed_new_action = 0;
985 uint32_t parsed_count = 0;
986 uint32_t parsed_seconds = 0;
987 uint32_t parsed_timeout = 0;
989 uint32_t
id = 0, gid = 0;
992 r = ParseThresholdRule(
de_ctx, rawstr, &
id, &gid, &parsed_type, &parsed_track,
993 &parsed_count, &parsed_seconds, &parsed_timeout, &parsed_new_action,
999 r = SetupSuppressRule(
de_ctx,
id, gid, parsed_type, parsed_track,
1000 parsed_count, parsed_seconds, parsed_timeout, parsed_new_action,
1003 r = SetupThresholdRule(
de_ctx,
id, gid, parsed_type, parsed_track,
1004 parsed_count, parsed_seconds, parsed_timeout, parsed_new_action,
1011 pcre2_substring_free((PCRE2_UCHAR8 *)th_ip);
1015 pcre2_substring_free((PCRE2_UCHAR8 *)th_ip);
1031 static int SCThresholdConfIsLineBlankOrComment(
char *line)
1033 while (*line !=
'\0') {
1039 if (!isspace((
unsigned char)*line))
1057 static int SCThresholdConfLineIsMultiline(
char *line)
1061 int len = strlen(line);
1063 while (line < rline +
len && *line !=
'\n') {
1066 flag = line - rline;
1068 if (!isspace((
unsigned char)*line))
1086 char line[8192] =
"";
1095 while (fgets(line + esc_pos, (
int)
sizeof(line) - esc_pos, fp) != NULL) {
1096 if (SCThresholdConfIsLineBlankOrComment(line)) {
1100 esc_pos = SCThresholdConfLineIsMultiline(line);
1102 if (SCThresholdConfAddThresholdtype(line,
de_ctx) < 0) {
1106 SCLogDebug(
"Adding threshold.config rule num %" PRIu32
"( %s )", rule_num, line);
1112 SCLogInfo(
"Threshold config parsed: %d rule(s) found", rule_num);
1127 static FILE *SCThresholdConfGenerateValidDummyFD01(
void)
1130 const char *buffer =
1131 "event_filter gen_id 1, sig_id 10, type limit, track by_src, count 1, seconds 60\n"
1132 "threshold gen_id 1, sig_id 100, type both, track by_dst, count 10, seconds 60\n"
1133 "event_filter gen_id 1, sig_id 1000, type threshold, track by_src, count 100, seconds 60\n";
1135 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1137 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1148 static FILE *SCThresholdConfGenerateInValidDummyFD02(
void)
1151 const char *buffer =
1152 "event_filter gen_id 1, sig_id 1000, type invalid, track by_src, count 100, seconds 60\n";
1154 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1156 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1166 static FILE *SCThresholdConfGenerateValidDummyFD03(
void)
1169 const char *buffer =
1170 "event_filter gen_id 0, sig_id 0, type threshold, track by_src, count 100, seconds 60\n";
1172 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1174 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1185 static FILE *SCThresholdConfGenerateValidDummyFD04(
void)
1188 const char *buffer =
1189 "event_filter gen_id 1 \\\n, sig_id 10, type limit, track by_src, \\\ncount 1, seconds 60\n"
1190 "threshold gen_id 1, \\\nsig_id 100, type both\\\n, track by_dst, count 10, \\\n seconds 60\n"
1191 "event_filter gen_id 1, sig_id 1000, \\\ntype threshold, track \\\nby_src, count 100, seconds 60\n";
1193 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1195 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1205 static FILE *SCThresholdConfGenerateValidDummyFD05(
void)
1208 const char *buffer =
1209 "rate_filter gen_id 1, sig_id 10, track by_src, count 1, seconds 60, new_action drop, timeout 10\n"
1210 "rate_filter gen_id 1, sig_id 100, track by_dst, count 10, seconds 60, new_action pass, timeout 5\n"
1211 "rate_filter gen_id 1, sig_id 1000, track by_rule, count 100, seconds 60, new_action alert, timeout 30\n"
1212 "rate_filter gen_id 1, sig_id 10000, track by_both, count 1000, seconds 60, new_action reject, timeout 21\n";
1214 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1216 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1227 static FILE *SCThresholdConfGenerateValidDummyFD06(
void)
1230 const char *buffer =
1231 "rate_filter \\\ngen_id 1, sig_id 10, track by_src, count 1, seconds 60\\\n, new_action drop, timeout 10\n"
1232 "rate_filter gen_id 1, \\\nsig_id 100, track by_dst, \\\ncount 10, seconds 60, new_action pass, timeout 5\n"
1233 "rate_filter gen_id 1, sig_id 1000, \\\ntrack by_rule, count 100, seconds 60, new_action alert, timeout 30\n"
1234 "rate_filter gen_id 1, sig_id 10000, track by_both, count 1000, \\\nseconds 60, new_action reject, timeout 21\n";
1236 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1238 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1249 static FILE *SCThresholdConfGenerateValidDummyFD07(
void)
1252 const char *buffer =
1253 "rate_filter gen_id 1, sig_id 10, track by_src, count 3, seconds 3, new_action drop, timeout 10\n"
1254 "rate_filter gen_id 1, sig_id 11, track by_src, count 3, seconds 1, new_action drop, timeout 5\n";
1256 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1258 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1268 static FILE *SCThresholdConfGenerateValidDummyFD08(
void)
1271 const char *buffer =
1272 "rate_filter gen_id 1, sig_id 10, track by_rule, count 3, seconds 3, new_action drop, timeout 10\n";
1274 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1276 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1287 static FILE *SCThresholdConfGenerateValidDummyFD09(
void)
1290 const char *buffer =
1291 "event_filter gen_id 1 \\\n, sig_id 10, type limit, track by_src, \\\ncount 2, seconds 60\n"
1292 "threshold gen_id 1, \\\nsig_id 11, type threshold\\\n, track by_dst, count 3, \\\n seconds 60\n"
1293 "event_filter gen_id 1, sig_id 12, \\\ntype both, track \\\nby_src, count 2, seconds 60\n";
1295 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1297 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1308 static FILE *SCThresholdConfGenerateValidDummyFD10(
void)
1311 const char *buffer =
1312 "event_filter gen_id 1 \\\n, sig_id 10, type limit, track by_src, \\\ncount 5, seconds 2\n"
1313 "threshold gen_id 1, \\\nsig_id 11, type threshold\\\n, track by_dst, count 5, \\\n seconds 2\n"
1314 "event_filter gen_id 1, sig_id 12, \\\ntype both, track \\\nby_src, count 5, seconds 2\n";
1316 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1318 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1328 static FILE *SCThresholdConfGenerateValidDummyFD11(
void)
1331 const char *buffer =
1332 "suppress gen_id 1, sig_id 10000\n"
1333 "suppress gen_id 1, sig_id 1000, track by_src, ip 192.168.1.1\n";
1335 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1337 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1348 static int SCThresholdConfTest01(
void)
1355 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1359 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD01();
1381 static int SCThresholdConfTest02(
void)
1388 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:100;)");
1392 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD01();
1414 static int SCThresholdConfTest03(
void)
1421 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1000;)");
1425 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD01();
1447 static int SCThresholdConfTest04(
void)
1454 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1000;)");
1458 g_ut_threshold_fp = SCThresholdConfGenerateInValidDummyFD02();
1476 static int SCThresholdConfTest05(
void)
1483 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1;)");
1486 "alert tcp any any -> any 80 (msg:\"Threshold limit\"; gid:1; sid:10;)");
1490 "alert tcp any any -> any 80 (msg:\"Threshold limit\"; gid:1; sid:100;)");
1494 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD03();
1531 static int SCThresholdConfTest06(
void)
1538 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1542 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD04();
1564 static int SCThresholdConfTest07(
void)
1571 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1575 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD05();
1598 static int SCThresholdConfTest08(
void)
1605 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1609 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD06();
1631 static int SCThresholdConfTest09(
void)
1634 memset(&th_v, 0,
sizeof(th_v));
1648 "alert tcp any any -> any any (msg:\"ratefilter test\"; gid:1; sid:10;)");
1652 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD07();
1715 static int SCThresholdConfTest10(
void)
1723 "172.26.0.2",
"172.26.0.11");
1726 "172.26.0.1",
"172.26.0.10");
1730 memset(&th_v, 0,
sizeof(th_v));
1738 "alert tcp any any -> any any (msg:\"ratefilter test\"; gid:1; sid:10;)");
1742 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD08();
1805 static int SCThresholdConfTest11(
void)
1813 memset(&th_v, 0,
sizeof(th_v));
1821 "alert tcp any any -> any any (msg:\"event_filter test limit\"; gid:1; sid:10;)");
1824 "alert tcp any any -> any any (msg:\"event_filter test threshold\"; gid:1; sid:11;)");
1827 "alert tcp any any -> any any (msg:\"event_filter test both\"; gid:1; sid:12;)");
1831 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD09();
1910 static int SCThresholdConfTest12(
void)
1918 memset(&th_v, 0,
sizeof(th_v));
1926 "alert tcp any any -> any any (msg:\"event_filter test limit\"; gid:1; sid:10;)");
1929 "alert tcp any any -> any any (msg:\"event_filter test threshold\"; gid:1; sid:11;)");
1932 "alert tcp any any -> any any (msg:\"event_filter test both\"; gid:1; sid:12;)");
1936 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD10();
2015 static int SCThresholdConfTest13(
void)
2022 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1000;)");
2026 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2048 static int SCThresholdConfTest14(
void)
2053 "192.168.0.100", 1234, 24);
2056 "192.168.0.100", 1234, 24);
2065 "alert tcp any any -> any any (msg:\"suppress test\"; gid:1; sid:10000;)");
2068 "alert tcp any any -> any any (msg:\"suppress test 2\"; gid:1; sid:10;)");
2071 "alert tcp any any -> any any (msg:\"suppress test 3\"; gid:1; sid:1000;)");
2075 memset(&th_v, 0,
sizeof(th_v));
2078 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2109 static int SCThresholdConfTest15(
void)
2114 "192.168.0.100", 1234, 24);
2118 memset(&th_v, 0,
sizeof(th_v));
2126 "drop tcp any any -> any any (msg:\"suppress test\"; content:\"lalala\"; gid:1; sid:10000;)");
2130 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2157 static int SCThresholdConfTest16(
void)
2162 "192.168.0.100", 1234, 24);
2166 memset(&th_v, 0,
sizeof(th_v));
2174 "drop tcp any any -> any any (msg:\"suppress test\"; gid:1; sid:1000;)");
2178 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2204 static int SCThresholdConfTest17(
void)
2209 "192.168.0.100", 1234, 24);
2213 memset(&th_v, 0,
sizeof(th_v));
2221 "drop tcp 192.168.0.10 any -> 192.168.0.100 any (msg:\"suppress test\"; gid:1; sid:10000;)");
2225 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2251 static FILE *SCThresholdConfGenerateInvalidDummyFD12(
void)
2254 const char *buffer =
2255 "suppress gen_id 1, sig_id 2200029, track by_dst, ip fe80::/16\n"
2256 "suppress gen_id 1, sig_id 2200029, track by_stc, ip fe80::/16\n";
2258 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2260 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2271 static int SCThresholdConfTest18(
void)
2279 "alert tcp 192.168.0.10 any -> 192.168.0.100 any (msg:\"suppress test\"; gid:1; sid:2200029;)");
2282 g_ut_threshold_fp = SCThresholdConfGenerateInvalidDummyFD12();
2303 static FILE *SCThresholdConfGenerateInvalidDummyFD13(
void)
2306 const char *buffer =
2307 "suppress gen_id 1, sig_id 2200029, track by_stc, ip fe80::/16\n"
2308 "suppress gen_id 1, sig_id 2200029, track by_dst, ip fe80::/16\n";
2310 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2312 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2323 static int SCThresholdConfTest19(
void)
2330 "alert tcp 192.168.0.10 any -> 192.168.0.100 any (msg:\"suppress test\"; gid:1; sid:2200029;)");
2333 g_ut_threshold_fp = SCThresholdConfGenerateInvalidDummyFD13();
2352 static FILE *SCThresholdConfGenerateValidDummyFD20(
void)
2355 const char *buffer =
2356 "suppress gen_id 1, sig_id 1000, track by_src, ip 2.2.3.4\n"
2357 "suppress gen_id 1, sig_id 1000, track by_src, ip 1.2.3.4\n"
2358 "suppress gen_id 1, sig_id 1000, track by_src, ip 192.168.1.1\n";
2360 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2362 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2373 static int SCThresholdConfTest20(
void)
2380 "alert tcp any any -> any any (msg:\"Threshold limit\"; content:\"abc\"; sid:1000;)");
2383 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD20();
2419 static int SCThresholdConfTest21(
void)
2426 "alert tcp any any -> any any (msg:\"Threshold limit\"; content:\"abc\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
2428 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD20();
2462 static FILE *SCThresholdConfGenerateValidDummyFD22(
void)
2465 const char *buffer =
2466 "rate_filter gen_id 1, sig_id 10, track by_both, count 2, seconds 5, new_action drop, timeout 6\n";
2468 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2470 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2481 static int SCThresholdConfTest22(
void)
2484 memset(&th_v, 0,
sizeof(th_v));
2507 "alert tcp any any -> any any (msg:\"ratefilter by_both test\"; gid:1; sid:10;)");
2511 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD22();
2519 p2->
ts = p3->
ts = p1->
ts;
2538 p2->
ts = p3->
ts = p1->
ts;
2549 p2->
ts = p3->
ts = p1->
ts;
2568 p2->
ts = p3->
ts = p1->
ts;
2598 static FILE *SCThresholdConfGenerateValidDummyFD23(
void)
2601 const char *buffer =
2602 "rate_filter gen_id 1, sig_id 10, track by_both, count 1, seconds 5, new_action drop, timeout 6\n";
2604 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2606 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2618 static int SCThresholdConfTest23(
void)
2621 memset(&th_v, 0,
sizeof(th_v));
2639 "alert tcp any any -> any any (msg:\"ratefilter by_both test\"; gid:1; sid:10;)");
2643 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD23();
2690 SCThresholdConfTest09);
2692 SCThresholdConfTest10);
2694 SCThresholdConfTest11);
2696 SCThresholdConfTest12);
2698 UtRegisterTest(
"SCThresholdConfTest14 - suppress", SCThresholdConfTest14);
2700 SCThresholdConfTest15);
2702 SCThresholdConfTest16);
2704 SCThresholdConfTest17);
2707 SCThresholdConfTest18);
2709 SCThresholdConfTest19);
2711 SCThresholdConfTest20);
2713 SCThresholdConfTest21);
2715 SCThresholdConfTest22);
2716 UtRegisterTest(
"SCThresholdConfTest23 - rate_filter by_both opposite",
2717 SCThresholdConfTest23);