detect/detection_filter: add support for track by_flow

diff --git a/doc/userguide/rules/thresholding.rst b/doc/userguide/rules/thresholding.rst
index e3e5830f7ffb20e39b1c8a34d23af4680b62d1ee..44a8aa5e92d4e4c9a532ca3d99462af2f89fa290 100644 (file)
--- a/doc/userguide/rules/thresholding.rst
+++ b/doc/userguide/rules/thresholding.rst
@@ -118,7 +118,7 @@ again.
 
 Syntax::
 
-  detection_filter: track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
+  detection_filter: track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, seconds <T>
 
 Example::
 

diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c
index cbd1898a31a4e58e281538d8c9fa36e6514985af..47ce00829880ebb2d2fb988835454b06d1c9bdb3 100644 (file)
--- a/src/detect-detection-filter.c
+++ b/src/detect-detection-filter.c
@@ -47,8 +47,9 @@
  *\brief Regex for parsing our detection_filter options
  */
 #define PARSE_REGEX                                                                                \
-    "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|" \
-    "by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
+    "^\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+" \
+    "(by_src|"                                                                                     \
+    "by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*$"
 
 static DetectParseRegex parse_regex;
 
@@ -158,6 +159,8 @@ static DetectThresholdData *DetectDetectionFilterParse(const char *rawstr)
             df->track = TRACK_DST;
         if (strncasecmp(args[i], "by_src", strlen("by_src")) == 0)
             df->track = TRACK_SRC;
+        if (strncasecmp(args[i], "by_flow", strlen("by_flow")) == 0)
+            df->track = TRACK_FLOW;
         if (strncasecmp(args[i], "count", strlen("count")) == 0)
             count_pos = i + 1;
         if (strncasecmp(args[i], "seconds", strlen("seconds")) == 0)