detect/threshold: Don't allow duplicates

This commit detects duplicate threshold rule options. When duplicates
are found in a rule, an error message is displayed and the rule is
rejected.

(cherry picked from commit ff9a01ee1b63452d1b047f9bcc7522e3ab1eda10)

diff --git a/src/detect-threshold.c b/src/detect-threshold.c
index 505d9459b7be4a26e789ec9e77ee27ba744ff670..356160e150e63bed29b4b7ea97bde07131771d67 100644 (file)
--- a/src/detect-threshold.c
+++ b/src/detect-threshold.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2013 Open Information Security Foundation
+/* Copyright (C) 2007-2020 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
@@ -229,10 +229,15 @@ static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const cha
     SigMatch *tmpm = NULL;
 
     /* checks if there is a previous instance of detection_filter */
-    tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1);
+    tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1);
     if (tmpm != NULL) {
-        SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
-                "\"threshold\" are not allowed in the same rule");
+        if (tmpm->type == DETECT_DETECTION_FILTER) {
+            SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and "
+                    "\"threshold\" are not allowed in the same rule");
+        } else {
+            SCLogError(SC_ERR_INVALID_SIGNATURE, "multiple \"threshold\" "
+                    "options are not allowed in the same rule");
+        }
         SCReturnInt(-1);
     }