/* Stream injected by the unit tests in this file: each test assigns an
 * in-memory FILE to it, the loader initialises its own FILE pointer from it,
 * and it is set back to NULL once the load has run. */
63 static FILE *g_ut_threshold_fp = NULL;
/* First-stage pattern, applied to a whole threshold.config line.
 * Captures: 1 = rule keyword (event_filter | threshold | rate_filter |
 * suppress), 2 = gen_id digits, 3 = sig_id digits, 4 = the rest of the line,
 * which is handed to one of the keyword-specific patterns below. */
67 #define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"
/* Remainder pattern for event_filter / threshold lines.
 * Captures: 1 = type (limit | both | threshold), 2 = track (by_dst | by_src |
 * by_both | by_rule), 3 = count digits, 4 = seconds digits. */
69 #define DETECT_THRESHOLD_REGEX \
70 "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*," \
71 "\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"
/* Remainder pattern for rate_filter lines.
 * Captures: 1 = track, 2 = count, 3 = seconds, 4 = new_action, 5 = timeout.
 * The pattern accepts "log" and "sdrop" as new_action; the parser further down
 * reports both as not supported yet, so matching here does not mean the action
 * is honoured. */
74 #define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$"
/* Remainder pattern for suppress lines.
 * Captures: 1 = track (by_dst | by_src | by_either), 2 = the address
 * expression. The character class admits brackets, commas, '$', whitespace,
 * digits, ASCII letters, '.', ':', '/' and '_', i.e. lists, variables and
 * IPv4/IPv6 CIDR text.
 * NOTE(review): capture 2 is a repeated group wrapped around an already
 * repeated class. When the address text ends in a character outside the
 * class, a backtracking matcher may retry many ways of splitting the run
 * before it reports "no match". The input is the local threshold.config and
 * the reader uses a fixed 8192-byte line buffer, so this is a start-up
 * robustness point; confirm the PCRE2 match limit covers it, or collapse the
 * two quantifiers if the "group unset" behaviour is not relied on. */
82 #define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$"
85 #if defined OS_WIN32 || defined __CYGWIN__
86 #define THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "\\\\threshold.config"
88 #define THRESHOLD_CONF_DEF_CONF_FILEPATH CONFIG_DIR "/threshold.config"
/* Each compiled pattern is checked for NULL and start-up is aborted through
 * FatalError() when one is missing.
 * NOTE(review): all four messages say "classification", while the patterns
 * checked here appear to be the threshold.config ones (base, threshold,
 * rate_filter, suppress). An operator reading the log would be pointed at the
 * wrong configuration file; confirm and reword to name the threshold config. */
101 if (regex_base == NULL) {
102 FatalError(
"classification base regex setup failed");
105 if (regex_threshold == NULL) {
106 FatalError(
"classification threshold regex setup failed");
109 if (regex_rate == NULL) {
110 FatalError(
"classification rate_filter regex setup failed");
113 if (regex_suppress == NULL) {
114 FatalError(
"classification suppress regex setup failed");
129 const char *log_filename = NULL;
132 char config_value[256];
133 snprintf(config_value,
sizeof(config_value),
138 if (
ConfGet(config_value, &log_filename) != 1) {
139 if (
ConfGet(
"threshold-file", &log_filename) != 1) {
144 if (
ConfGet(
"threshold-file", &log_filename) != 1) {
167 const char *filename = NULL;
172 FILE *fd = g_ut_threshold_fp;
175 filename = SCThresholdConfGetConfFilename(
de_ctx);
176 if ( (fd = fopen(filename,
"r")) == NULL) {
177 SCLogWarning(
"Error opening file: \"%s\": %s", filename, strerror(errno));
178 SCThresholdConfDeInitContext(
de_ctx, fd);
186 SCLogWarning(
"Error loading threshold configuration from %s", filename);
187 SCThresholdConfDeInitContext(
de_ctx, fd);
194 SCThresholdConfDeInitContext(
de_ctx, fd);
197 g_ut_threshold_fp = NULL;
199 SCLogDebug(
"Global thresholding options defined");
222 uint8_t parsed_type, uint8_t parsed_track, uint32_t parsed_count,
223 uint32_t parsed_seconds, uint32_t parsed_timeout, uint8_t parsed_new_action,
238 orig_de->
track = parsed_track;
239 orig_de->
count = parsed_count;
240 orig_de->
seconds = parsed_seconds;
242 orig_de->
timeout = parsed_timeout;
251 if (
id == 0 && gid == 0) {
273 }
else if (
id == 0 && gid > 0) {
275 SCLogWarning(
"suppressing all rules with gid %" PRIu32, gid);
297 }
else if (
id > 0 && gid == 0) {
298 SCLogError(
"Can't use a event config that has "
299 "sid > 0 and gid == 0. Please fix this "
300 "in your threshold.config file");
306 "%" PRIu32
", gid %" PRIu32
": unknown rule",
326 if (orig_de != NULL) {
332 if (orig_de != NULL) {
349 uint8_t parsed_type, uint8_t parsed_track, uint32_t parsed_count,
350 uint32_t parsed_seconds, uint32_t parsed_timeout, uint8_t parsed_new_action,
360 if (
id == 0 && gid == 0) {
365 "an event var set. The signature event var is "
366 "given precedence over the threshold.conf one. "
367 "We'll change this in the future though.",
376 "an event var set. The signature event var is "
377 "given precedence over the threshold.conf one. "
378 "We'll change this in the future though.",
387 de->type = parsed_type;
388 de->track = parsed_track;
389 de->count = parsed_count;
390 de->seconds = parsed_seconds;
391 de->new_action = parsed_new_action;
392 de->timeout = parsed_timeout;
404 }
else if (
id == 0 && gid > 0) {
411 "an event var set. The signature event var is "
412 "given precedence over the threshold.conf one. "
413 "We'll change this in the future though.",
422 de->type = parsed_type;
423 de->track = parsed_track;
424 de->count = parsed_count;
425 de->seconds = parsed_seconds;
426 de->new_action = parsed_new_action;
427 de->timeout = parsed_timeout;
439 }
else if (
id > 0 && gid == 0) {
440 SCLogError(
"Can't use a event config that has "
441 "sid > 0 and gid == 0. Please fix this "
442 "in your threshold.conf file");
447 "%" PRIu32
", gid %" PRIu32
": unknown rule",
457 "a threshold set. The signature event var is "
458 "given precedence over the threshold.conf one. "
468 "a detection_filter set. The signature event var is "
469 "given precedence over the threshold.conf one. "
489 de->type = parsed_type;
490 de->track = parsed_track;
491 de->count = parsed_count;
492 de->seconds = parsed_seconds;
493 de->new_action = parsed_new_action;
494 de->timeout = parsed_timeout;
517 uint32_t *ret_gid, uint8_t *ret_parsed_type, uint8_t *ret_parsed_track,
518 uint32_t *ret_parsed_count, uint32_t *ret_parsed_seconds, uint32_t *ret_parsed_timeout,
519 uint8_t *ret_parsed_new_action,
char **ret_th_ip)
521 char th_rule_type[32];
524 const char *rule_extend = NULL;
525 char th_type[16] =
"";
526 char th_track[16] =
"";
527 char th_count[16] =
"";
528 char th_seconds[16] =
"";
529 char th_new_action[16] =
"";
530 char th_timeout[16] =
"";
531 const char *th_ip = NULL;
533 uint8_t parsed_type = 0;
534 uint8_t parsed_track = 0;
535 uint8_t parsed_new_action = 0;
536 uint32_t parsed_count = 0;
537 uint32_t parsed_seconds = 0;
538 uint32_t parsed_timeout = 0;
541 uint32_t
id = 0, gid = 0;
547 pcre2_match_data *regex_base_match = NULL;
550 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret, rawstr);
551 pcre2_match_data_free(regex_base_match);
556 size_t copylen =
sizeof(th_rule_type);
557 ret = pcre2_substring_copy_bynumber(
558 regex_base_match, 1, (PCRE2_UCHAR8 *)th_rule_type, ©len);
560 SCLogError(
"pcre2_substring_copy_bynumber failed");
561 pcre2_match_data_free(regex_base_match);
566 copylen =
sizeof(th_gid);
567 ret = pcre2_substring_copy_bynumber(regex_base_match, 2, (PCRE2_UCHAR8 *)th_gid, ©len);
569 SCLogError(
"pcre2_substring_copy_bynumber failed");
570 pcre2_match_data_free(regex_base_match);
574 copylen =
sizeof(th_sid);
575 ret = pcre2_substring_copy_bynumber(regex_base_match, 3, (PCRE2_UCHAR8 *)th_sid, ©len);
577 SCLogError(
"pcre2_substring_copy_bynumber failed");
578 pcre2_match_data_free(regex_base_match);
583 ret = pcre2_substring_get_bynumber(
584 regex_base_match, 4, (PCRE2_UCHAR8 **)&rule_extend, ©len);
586 SCLogError(
"pcre2_substring_get_bynumber failed");
587 pcre2_match_data_free(regex_base_match);
590 pcre2_match_data_free(regex_base_match);
591 regex_base_match = NULL;
594 if (strcasecmp(th_rule_type,
"event_filter") == 0) {
596 }
else if (strcasecmp(th_rule_type,
"threshold") == 0) {
598 }
else if (strcasecmp(th_rule_type,
"rate_filter") == 0) {
600 }
else if (strcasecmp(th_rule_type,
"suppress") == 0) {
603 SCLogError(
"rule type %s is unknown", th_rule_type);
611 if (strlen(rule_extend) > 0) {
612 pcre2_match_data *match = NULL;
616 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret,
618 pcre2_match_data_free(match);
622 copylen =
sizeof(th_type);
623 ret = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)th_type, ©len);
625 SCLogError(
"pcre2_substring_copy_bynumber failed");
626 pcre2_match_data_free(match);
630 copylen =
sizeof(th_track);
631 ret = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)th_track, ©len);
633 SCLogError(
"pcre2_substring_copy_bynumber failed");
634 pcre2_match_data_free(match);
638 copylen =
sizeof(th_count);
639 ret = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)th_count, ©len);
641 SCLogError(
"pcre2_substring_copy_bynumber failed");
642 pcre2_match_data_free(match);
646 copylen =
sizeof(th_seconds);
647 ret = pcre2_substring_copy_bynumber(match, 4, (PCRE2_UCHAR8 *)th_seconds, ©len);
649 SCLogError(
"pcre2_substring_copy_bynumber failed");
650 pcre2_match_data_free(match);
653 pcre2_match_data_free(match);
655 if (strcasecmp(th_type,
"limit") == 0)
657 else if (strcasecmp(th_type,
"both") == 0)
659 else if (strcasecmp(th_type,
"threshold") == 0)
662 SCLogError(
"limit type not supported: %s", th_type);
671 if (strlen(rule_extend) > 0) {
672 pcre2_match_data *match = NULL;
675 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret,
677 pcre2_match_data_free(match);
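/* Copy capture 1 of the suppress pattern (the track keyword) into th_track.
 * copylen tells PCRE2 how large the destination is, so it must be taken from
 * th_track itself. The listing used sizeof(th_seconds) here, which gives the
 * right number only because both arrays are declared char[16] in this
 * function; resizing either one would silently make the bound wrong.
 * pcre2_substring_copy_bynumber() returns an error instead of writing past
 * the length it is given, and ret is checked by the code that follows. */
copylen = sizeof(th_track);
ret = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)th_track, &copylen);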
684 SCLogError(
"pcre2_substring_copy_bynumber failed");
685 pcre2_match_data_free(match);
689 ret = pcre2_substring_get_bynumber(match, 2, (PCRE2_UCHAR8 **)&th_ip, ©len);
691 SCLogError(
"pcre2_substring_get_bynumber failed");
692 pcre2_match_data_free(match);
695 pcre2_match_data_free(match);
702 if (strlen(rule_extend) > 0) {
703 pcre2_match_data *match = NULL;
706 SCLogError(
"pcre2_match parse error, ret %" PRId32
", string %s", ret,
708 pcre2_match_data_free(match);
712 copylen =
sizeof(th_track);
713 ret = pcre2_substring_copy_bynumber(match, 1, (PCRE2_UCHAR8 *)th_track, ©len);
715 SCLogError(
"pcre2_substring_copy_bynumber failed");
716 pcre2_match_data_free(match);
720 copylen =
sizeof(th_count);
721 ret = pcre2_substring_copy_bynumber(match, 2, (PCRE2_UCHAR8 *)th_count, ©len);
723 SCLogError(
"pcre2_substring_copy_bynumber failed");
724 pcre2_match_data_free(match);
728 copylen =
sizeof(th_seconds);
729 ret = pcre2_substring_copy_bynumber(match, 3, (PCRE2_UCHAR8 *)th_seconds, ©len);
731 SCLogError(
"pcre2_substring_copy_bynumber failed");
732 pcre2_match_data_free(match);
736 copylen =
sizeof(th_new_action);
737 ret = pcre2_substring_copy_bynumber(
738 match, 4, (PCRE2_UCHAR8 *)th_new_action, ©len);
740 SCLogError(
"pcre2_substring_copy_bynumber failed");
741 pcre2_match_data_free(match);
745 copylen =
sizeof(th_timeout);
746 ret = pcre2_substring_copy_bynumber(match, 5, (PCRE2_UCHAR8 *)th_timeout, ©len);
748 SCLogError(
"pcre2_substring_copy_bynumber failed");
749 pcre2_match_data_free(match);
752 pcre2_match_data_free(match);
756 if (
StringParseUint32(&parsed_timeout, 10,
sizeof(th_timeout), th_timeout) <= 0) {
761 if (strcasecmp(th_new_action,
"alert") == 0)
763 if (strcasecmp(th_new_action,
"drop") == 0)
765 if (strcasecmp(th_new_action,
"pass") == 0)
767 if (strcasecmp(th_new_action,
"reject") == 0)
769 if (strcasecmp(th_new_action,
"log") == 0) {
770 SCLogInfo(
"log action for rate_filter not supported yet");
773 if (strcasecmp(th_new_action,
"sdrop") == 0) {
774 SCLogInfo(
"sdrop action for rate_filter not supported yet");
790 if (strcasecmp(th_track,
"by_dst") == 0)
792 else if (strcasecmp(th_track,
"by_src") == 0)
794 else if (strcasecmp(th_track,
"by_both") == 0) {
797 else if (strcasecmp(th_track,
"by_rule") == 0)
800 SCLogError(
"Invalid track parameter %s in %s", th_track, rawstr);
807 if (parsed_count == 0) {
808 SCLogError(
"rate filter count should be > 0");
812 if (
StringParseUint32(&parsed_seconds, 10,
sizeof(th_seconds), th_seconds) <= 0) {
819 if (strcmp(
"", th_track) != 0) {
820 if (strcasecmp(th_track,
"by_dst") == 0)
822 else if (strcasecmp(th_track,
"by_src") == 0)
824 else if (strcasecmp(th_track,
"by_either") == 0) {
828 SCLogError(
"Invalid track parameter %s in %s", th_track, rule_extend);
845 *ret_parsed_type = parsed_type;
846 *ret_parsed_track = parsed_track;
847 *ret_parsed_new_action = parsed_new_action;
848 *ret_parsed_count = parsed_count;
849 *ret_parsed_seconds = parsed_seconds;
850 *ret_parsed_timeout = parsed_timeout;
/* th_ip was filled by pcre2_substring_get_bynumber(), so it points at memory
 * allocated by PCRE2. Storing it in the out-parameter appears to hand
 * ownership to the caller, which then has to release it with
 * pcre2_substring_free() (as the caller further down in this file does), not
 * with free(). The cast only drops the const qualifier. */
853 *ret_th_ip = (
char *)th_ip;
855 pcre2_substring_free((PCRE2_UCHAR8 *)rule_extend);
859 if (rule_extend != NULL) {
860 pcre2_substring_free((PCRE2_UCHAR8 *)rule_extend);
863 pcre2_substring_free((PCRE2_UCHAR8 *)th_ip);
880 uint8_t parsed_type = 0;
881 uint8_t parsed_track = 0;
882 uint8_t parsed_new_action = 0;
883 uint32_t parsed_count = 0;
884 uint32_t parsed_seconds = 0;
885 uint32_t parsed_timeout = 0;
887 uint32_t
id = 0, gid = 0;
889 int r = ParseThresholdRule(
de_ctx, rawstr, &
id, &gid, &parsed_type, &parsed_track,
890 &parsed_count, &parsed_seconds, &parsed_timeout, &parsed_new_action, &th_ip);
895 r = SetupSuppressRule(
de_ctx,
id, gid, parsed_type, parsed_track,
896 parsed_count, parsed_seconds, parsed_timeout, parsed_new_action,
899 r = SetupThresholdRule(
de_ctx,
id, gid, parsed_type, parsed_track,
900 parsed_count, parsed_seconds, parsed_timeout, parsed_new_action,
907 pcre2_substring_free((PCRE2_UCHAR8 *)th_ip);
911 pcre2_substring_free((PCRE2_UCHAR8 *)th_ip);
927 static int SCThresholdConfIsLineBlankOrComment(
char *line)
929 while (*line !=
'\0') {
935 if (!isspace((
unsigned char)*line))
953 static int SCThresholdConfLineIsMultiline(
char *line)
957 int len = strlen(line);
959 while (line < rline +
len && *line !=
'\n') {
964 if (!isspace((
unsigned char)*line))
982 char line[8192] =
"";
991 while (fgets(line + esc_pos, (
int)
sizeof(line) - esc_pos, fp) != NULL) {
992 if (SCThresholdConfIsLineBlankOrComment(line)) {
996 esc_pos = SCThresholdConfLineIsMultiline(line);
998 if (SCThresholdConfAddThresholdtype(line,
de_ctx) < 0) {
1002 SCLogDebug(
"Adding threshold.config rule num %" PRIu32
"( %s )", rule_num, line);
1012 SCLogInfo(
"Threshold config parsed: %d rule(s) found", rule_num);
1026 static FILE *SCThresholdConfGenerateValidDummyFD01(
void)
1029 const char *buffer =
1030 "event_filter gen_id 1, sig_id 10, type limit, track by_src, count 1, seconds 60\n"
1031 "threshold gen_id 1, sig_id 100, type both, track by_dst, count 10, seconds 60\n"
1032 "event_filter gen_id 1, sig_id 1000, type threshold, track by_src, count 100, seconds 60\n";
1034 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1036 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1047 static FILE *SCThresholdConfGenerateInvalidDummyFD02(
void)
1050 const char *buffer =
1051 "event_filter gen_id 1, sig_id 1000, type invalid, track by_src, count 100, seconds 60\n";
1053 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1055 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1065 static FILE *SCThresholdConfGenerateValidDummyFD03(
void)
1068 const char *buffer =
1069 "event_filter gen_id 0, sig_id 0, type threshold, track by_src, count 100, seconds 60\n";
1071 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1073 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1084 static FILE *SCThresholdConfGenerateValidDummyFD04(
void)
1087 const char *buffer =
1088 "event_filter gen_id 1 \\\n, sig_id 10, type limit, track by_src, \\\ncount 1, seconds 60\n"
1089 "threshold gen_id 1, \\\nsig_id 100, type both\\\n, track by_dst, count 10, \\\n seconds 60\n"
1090 "event_filter gen_id 1, sig_id 1000, \\\ntype threshold, track \\\nby_src, count 100, seconds 60\n";
1092 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1094 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1104 static FILE *SCThresholdConfGenerateValidDummyFD05(
void)
1107 const char *buffer =
1108 "rate_filter gen_id 1, sig_id 10, track by_src, count 1, seconds 60, new_action drop, timeout 10\n"
1109 "rate_filter gen_id 1, sig_id 100, track by_dst, count 10, seconds 60, new_action pass, timeout 5\n"
1110 "rate_filter gen_id 1, sig_id 1000, track by_rule, count 100, seconds 60, new_action alert, timeout 30\n"
1111 "rate_filter gen_id 1, sig_id 10000, track by_both, count 1000, seconds 60, new_action reject, timeout 21\n";
1113 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1115 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1126 static FILE *SCThresholdConfGenerateValidDummyFD06(
void)
1129 const char *buffer =
1130 "rate_filter \\\ngen_id 1, sig_id 10, track by_src, count 1, seconds 60\\\n, new_action drop, timeout 10\n"
1131 "rate_filter gen_id 1, \\\nsig_id 100, track by_dst, \\\ncount 10, seconds 60, new_action pass, timeout 5\n"
1132 "rate_filter gen_id 1, sig_id 1000, \\\ntrack by_rule, count 100, seconds 60, new_action alert, timeout 30\n"
1133 "rate_filter gen_id 1, sig_id 10000, track by_both, count 1000, \\\nseconds 60, new_action reject, timeout 21\n";
1135 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1137 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1148 static FILE *SCThresholdConfGenerateValidDummyFD07(
void)
1151 const char *buffer =
1152 "rate_filter gen_id 1, sig_id 10, track by_src, count 3, seconds 3, new_action drop, timeout 10\n"
1153 "rate_filter gen_id 1, sig_id 11, track by_src, count 3, seconds 1, new_action drop, timeout 5\n";
1155 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1157 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1167 static FILE *SCThresholdConfGenerateValidDummyFD08(
void)
1170 const char *buffer =
1171 "rate_filter gen_id 1, sig_id 10, track by_rule, count 3, seconds 3, new_action drop, timeout 10\n";
1173 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1175 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1186 static FILE *SCThresholdConfGenerateValidDummyFD09(
void)
1189 const char *buffer =
1190 "event_filter gen_id 1 \\\n, sig_id 10, type limit, track by_src, \\\ncount 2, seconds 60\n"
1191 "threshold gen_id 1, \\\nsig_id 11, type threshold\\\n, track by_dst, count 3, \\\n seconds 60\n"
1192 "event_filter gen_id 1, sig_id 12, \\\ntype both, track \\\nby_src, count 2, seconds 60\n";
1194 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1196 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1207 static FILE *SCThresholdConfGenerateValidDummyFD10(
void)
1210 const char *buffer =
1211 "event_filter gen_id 1 \\\n, sig_id 10, type limit, track by_src, \\\ncount 5, seconds 2\n"
1212 "threshold gen_id 1, \\\nsig_id 11, type threshold\\\n, track by_dst, count 5, \\\n seconds 2\n"
1213 "event_filter gen_id 1, sig_id 12, \\\ntype both, track \\\nby_src, count 5, seconds 2\n";
1215 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1217 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1227 static FILE *SCThresholdConfGenerateValidDummyFD11(
void)
1230 const char *buffer =
1231 "suppress gen_id 1, sig_id 10000\n"
1232 "suppress gen_id 1, sig_id 1000, track by_src, ip 192.168.1.1\n";
1234 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
1236 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
1247 static int SCThresholdConfTest01(
void)
1254 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1258 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD01();
1280 static int SCThresholdConfTest02(
void)
1287 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:100;)");
1291 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD01();
1313 static int SCThresholdConfTest03(
void)
1320 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1000;)");
1324 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD01();
1346 static int SCThresholdConfTest04(
void)
1353 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1000;)");
1357 g_ut_threshold_fp = SCThresholdConfGenerateInvalidDummyFD02();
1375 static int SCThresholdConfTest05(
void)
1382 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1;)");
1385 "alert tcp any any -> any 80 (msg:\"Threshold limit\"; gid:1; sid:10;)");
1389 "alert tcp any any -> any 80 (msg:\"Threshold limit\"; gid:1; sid:100;)");
1393 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD03();
1430 static int SCThresholdConfTest06(
void)
1437 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1441 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD04();
1463 static int SCThresholdConfTest07(
void)
1470 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1474 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD05();
1497 static int SCThresholdConfTest08(
void)
1504 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:10;)");
1508 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD06();
1530 static int SCThresholdConfTest09(
void)
1533 memset(&th_v, 0,
sizeof(th_v));
1547 "alert tcp any any -> any any (msg:\"ratefilter test\"; gid:1; sid:10;)");
1551 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD07();
1614 static int SCThresholdConfTest10(
void)
1622 "172.26.0.2",
"172.26.0.11");
1625 "172.26.0.1",
"172.26.0.10");
1629 memset(&th_v, 0,
sizeof(th_v));
1637 "alert tcp any any -> any any (msg:\"ratefilter test\"; gid:1; sid:10;)");
1641 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD08();
1704 static int SCThresholdConfTest11(
void)
1712 memset(&th_v, 0,
sizeof(th_v));
1720 "alert tcp any any -> any any (msg:\"event_filter test limit\"; gid:1; sid:10;)");
1723 "alert tcp any any -> any any (msg:\"event_filter test threshold\"; gid:1; sid:11;)");
1726 "alert tcp any any -> any any (msg:\"event_filter test both\"; gid:1; sid:12;)");
1730 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD09();
1809 static int SCThresholdConfTest12(
void)
1817 memset(&th_v, 0,
sizeof(th_v));
1825 "alert tcp any any -> any any (msg:\"event_filter test limit\"; gid:1; sid:10;)");
1828 "alert tcp any any -> any any (msg:\"event_filter test threshold\"; gid:1; sid:11;)");
1831 "alert tcp any any -> any any (msg:\"event_filter test both\"; gid:1; sid:12;)");
1835 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD10();
1914 static int SCThresholdConfTest13(
void)
1921 "alert tcp any any -> any any (msg:\"Threshold limit\"; gid:1; sid:1000;)");
1925 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
1947 static int SCThresholdConfTest14(
void)
1952 "192.168.0.100", 1234, 24);
1955 "192.168.0.100", 1234, 24);
1964 "alert tcp any any -> any any (msg:\"suppress test\"; gid:1; sid:10000;)");
1967 "alert tcp any any -> any any (msg:\"suppress test 2\"; gid:1; sid:10;)");
1970 "alert tcp any any -> any any (msg:\"suppress test 3\"; gid:1; sid:1000;)");
1974 memset(&th_v, 0,
sizeof(th_v));
1977 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2008 static int SCThresholdConfTest15(
void)
2013 "192.168.0.100", 1234, 24);
2017 memset(&th_v, 0,
sizeof(th_v));
2025 "drop tcp any any -> any any (msg:\"suppress test\"; content:\"lalala\"; gid:1; sid:10000;)");
2029 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2056 static int SCThresholdConfTest16(
void)
2061 "192.168.0.100", 1234, 24);
2065 memset(&th_v, 0,
sizeof(th_v));
2073 "drop tcp any any -> any any (msg:\"suppress test\"; gid:1; sid:1000;)");
2077 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2103 static int SCThresholdConfTest17(
void)
2108 "192.168.0.100", 1234, 24);
2112 memset(&th_v, 0,
sizeof(th_v));
2120 "drop tcp 192.168.0.10 any -> 192.168.0.100 any (msg:\"suppress test\"; gid:1; sid:10000;)");
2124 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD11();
2150 static FILE *SCThresholdConfGenerateInvalidDummyFD12(
void)
2153 const char *buffer =
2154 "suppress gen_id 1, sig_id 2200029, track by_dst, ip fe80::/16\n"
2155 "suppress gen_id 1, sig_id 2200029, track by_stc, ip fe80::/16\n";
2157 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2159 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2170 static int SCThresholdConfTest18(
void)
2178 "alert tcp 192.168.0.10 any -> 192.168.0.100 any (msg:\"suppress test\"; gid:1; sid:2200029;)");
2181 g_ut_threshold_fp = SCThresholdConfGenerateInvalidDummyFD12();
2202 static FILE *SCThresholdConfGenerateInvalidDummyFD13(
void)
2205 const char *buffer =
2206 "suppress gen_id 1, sig_id 2200029, track by_stc, ip fe80::/16\n"
2207 "suppress gen_id 1, sig_id 2200029, track by_dst, ip fe80::/16\n";
2209 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2211 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2222 static int SCThresholdConfTest19(
void)
2229 "alert tcp 192.168.0.10 any -> 192.168.0.100 any (msg:\"suppress test\"; gid:1; sid:2200029;)");
2232 g_ut_threshold_fp = SCThresholdConfGenerateInvalidDummyFD13();
2251 static FILE *SCThresholdConfGenerateValidDummyFD20(
void)
2254 const char *buffer =
2255 "suppress gen_id 1, sig_id 1000, track by_src, ip 2.2.3.4\n"
2256 "suppress gen_id 1, sig_id 1000, track by_src, ip 1.2.3.4\n"
2257 "suppress gen_id 1, sig_id 1000, track by_src, ip 192.168.1.1\n";
2259 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2261 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2272 static int SCThresholdConfTest20(
void)
2279 "alert tcp any any -> any any (msg:\"Threshold limit\"; content:\"abc\"; sid:1000;)");
2282 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD20();
2318 static int SCThresholdConfTest21(
void)
2325 "alert tcp any any -> any any (msg:\"Threshold limit\"; content:\"abc\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
2327 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD20();
2361 static FILE *SCThresholdConfGenerateValidDummyFD22(
void)
2364 const char *buffer =
2365 "rate_filter gen_id 1, sig_id 10, track by_both, count 2, seconds 5, new_action drop, timeout 6\n";
2367 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2369 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2380 static int SCThresholdConfTest22(
void)
2383 memset(&th_v, 0,
sizeof(th_v));
2406 "alert tcp any any -> any any (msg:\"ratefilter by_both test\"; gid:1; sid:10;)");
2410 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD22();
2418 p2->
ts = p3->
ts = p1->
ts;
2437 p2->
ts = p3->
ts = p1->
ts;
2448 p2->
ts = p3->
ts = p1->
ts;
2467 p2->
ts = p3->
ts = p1->
ts;
2497 static FILE *SCThresholdConfGenerateValidDummyFD23(
void)
2500 const char *buffer =
2501 "rate_filter gen_id 1, sig_id 10, track by_both, count 1, seconds 5, new_action drop, timeout 6\n";
2503 fd =
SCFmemopen((
void *)buffer, strlen(buffer),
"r");
2505 SCLogDebug(
"Error with SCFmemopen() called by Threshold Config test code");
2517 static int SCThresholdConfTest23(
void)
2520 memset(&th_v, 0,
sizeof(th_v));
2538 "alert tcp any any -> any any (msg:\"ratefilter by_both test\"; gid:1; sid:10;)");
2542 g_ut_threshold_fp = SCThresholdConfGenerateValidDummyFD23();
2589 SCThresholdConfTest09);
2591 SCThresholdConfTest10);
2593 SCThresholdConfTest11);
2595 SCThresholdConfTest12);
2597 UtRegisterTest(
"SCThresholdConfTest14 - suppress", SCThresholdConfTest14);
2599 SCThresholdConfTest15);
2601 SCThresholdConfTest16);
2603 SCThresholdConfTest17);
2606 SCThresholdConfTest18);
2608 SCThresholdConfTest19);
2610 SCThresholdConfTest20);
2612 SCThresholdConfTest21);
2614 SCThresholdConfTest22);
2615 UtRegisterTest(
"SCThresholdConfTest23 - rate_filter by_both opposite",
2616 SCThresholdConfTest23);