git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <vjulien@oisf.net>
	Tue, 27 Feb 2024 10:06:47 +0000 (11:06 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Fri, 28 Jun 2024 05:39:48 +0000 (07:39 +0200)
commit	1552f0953ae79ca23d63583a0e4a51cb148455e9
tree	290fa6e238f9daacc0106f628606afa10afe835b	tree \| snapshot
parent	a81b23254c10805cb4bed4f7096134f2533f84c4	commit \| diff

detect/threshold: implement tracking 'by_flow'

Add support for 'by_flow' track option. This allows using the various
threshold options in the context of a single flow.

Example:

alert tcp ... stream-event:pkt_broken_ack; \
threshold:type limit, track by_flow, count 1, seconds 3600;

The example would limit the number of alerts to once per hour for
packets triggering the 'pkt_broken_ack' stream event.

Implemented as a special "flowvar" holding the threshold entries. This
means no synchronization is required, making this a cheaper option
compared to the other trackers.

Ticket: #6822.

src/detect-engine-threshold.c		diff \| blob \| blame \| history
src/detect-engine-threshold.h		diff \| blob \| blame \| history
src/detect-threshold.c		diff \| blob \| blame \| history
src/detect-threshold.h		diff \| blob \| blame \| history
src/util-var.c		diff \| blob \| blame \| history