fix detection filter. Had one extra alert than normal previously, now fixed

author Anoop Saldanha <poonaatsoc@gmail.com>

Mon, 23 Apr 2012 08:16:34 +0000 (13:46 +0530)

committer Victor Julien <victor@inliniac.net>

Wed, 25 Apr 2012 10:07:47 +0000 (12:07 +0200)
author Anoop Saldanha <poonaatsoc@gmail.com>
Mon, 23 Apr 2012 08:16:34 +0000 (13:46 +0530)
committer Victor Julien <victor@inliniac.net>
Wed, 25 Apr 2012 10:07:47 +0000 (12:07 +0200)
diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c

index 0023bcc9762f72d5693b1ccba0f01726b877a406..88040e87507bd5ebbc11bb17e1fa4f61b666f3ff 100644 (file)
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -327,7 +327,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
                      /* within timeout */
  
                      lookup_tsh->current_count++;
-                    if (lookup_tsh->current_count >= td->count) {
+                    if (lookup_tsh->current_count > td->count) {
                          ret = 1;
                      }
                  } else {
@@ -335,16 +335,8 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
  
                      lookup_tsh->tv_sec1 = p->ts.tv_sec;
                      lookup_tsh->current_count = 1;
-
-                    if (td->count == 1) {
-                        ret = 1;
-                    }
                  }
              } else {
-                if (td->count == 1) {
-                    ret = 1;
-                }
-
                  DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                  if (e == NULL) {
                      break;
author	Anoop Saldanha <poonaatsoc@gmail.com>
	Mon, 23 Apr 2012 08:16:34 +0000 (13:46 +0530)
committer	Victor Julien <victor@inliniac.net>
	Wed, 25 Apr 2012 10:07:47 +0000 (12:07 +0200)