bug #455 - Warn users on signature event vars having precedence over threshold.conf...

diff --git a/src/util-error.c b/src/util-error.c
index f2ea271ae6d8b10059c90547e773315630a80a58..d87694e7232f3661a3e949b39a575e23e85f459a 100644 (file)
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -230,7 +230,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_MEM_BUFFER_API);
         CASE_CODE (SC_ERR_INVALID_MD5);
         CASE_CODE (SC_ERR_NO_MD5_SUPPORT);
-
+        CASE_CODE (SC_ERR_EVENT_ENGINE);
         default:
             return "UNKNOWN_ERROR";
     }

diff --git a/src/util-error.h b/src/util-error.h
index d36b6f93cf1ef447077988fb61753678b5b7ae3b..a8e3750ca81e5c7ea49fc173a2ffcfa5b66793f3 100644 (file)
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -244,6 +244,7 @@ typedef enum {
     SC_ERR_MEM_BUFFER_API,
     SC_ERR_INVALID_MD5,
     SC_ERR_NO_MD5_SUPPORT,
+    SC_ERR_EVENT_ENGINE,
 } SCError;
 
 const char *SCErrorToString(SCError);

diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index 084ea587ba49cedfb619763b9eb97cb9adb63a41..f0619214141a8d8c6b61fc0bc0b117b960c35594 100644 (file)
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@@ -560,14 +560,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
             m = SigMatchGetLastSMFromLists(s, 2,
                                            DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
 
-            if(m != NULL)
+            if (m != NULL) {
+                SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+                             "an event var set.  The signature event var is "
+                             "given precedence over the threshold.conf one.  "
+                             "We'll change this in the future though.", id);
                 goto end;
+            }
 
             m = SigMatchGetLastSMFromLists(s, 2,
                                            DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
 
-            if(m != NULL)
+            if (m != NULL) {
+                SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+                             "an event var set.  The signature event var is "
+                             "given precedence over the threshold.conf one.  "
+                             "We'll change this in the future though.", id);
                 goto end;
+            }
 
             de = SCMalloc(sizeof(DetectThresholdData));
             if (de == NULL)
@@ -631,14 +641,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
                 m = SigMatchGetLastSMFromLists(s, 2,
                                                DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
 
-                if(m != NULL)
+                if (m != NULL) {
+                    SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+                                 "an event var set.  The signature event var is "
+                                 "given precedence over the threshold.conf one.  "
+                                 "We'll change this in the future though.", id);
                     goto end;
+                }
 
                 m = SigMatchGetLastSMFromLists(s, 2,
                                                DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
 
-                if(m != NULL)
+                if (m != NULL) {
+                    SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+                                 "an event var set.  The signature event var is "
+                                 "given precedence over the threshold.conf one.  "
+                                 "We'll change this in the future though.", id);
                     goto end;
+                }
 
                 de = SCMalloc(sizeof(DetectThresholdData));
                 if (de == NULL)
@@ -692,6 +712,11 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
             }
             s = ns;
         }
+    } else if (id > 0 && gid == 0) {
+        SCLogError(SC_ERR_INVALID_VALUE, "Can't use a event config that has "
+                   "sid > 0 and gid == 0.  Killing engine.  Please fix this "
+                   "in your threshold.conf file");
+        exit(EXIT_FAILURE);
     } else {
         sig = SigFindSignatureBySidGid(de_ctx,id,gid);
 
@@ -704,14 +729,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
             m = SigMatchGetLastSMFromLists(sig, 2,
                                            DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
 
-            if(m != NULL)
+            if (m != NULL) {
+                SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+                             "an event var set.  The signature event var is "
+                             "given precedence over the threshold.conf one.  "
+                             "We'll change this in the future though.", id);
                 goto end;
+            }
 
             m = SigMatchGetLastSMFromLists(sig, 2,
                                            DETECT_DETECTION_FILTER, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
 
-            if(m != NULL)
+            if (m != NULL) {
+                SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+                             "an event var set.  The signature event var is "
+                             "given precedence over the threshold.conf one.  "
+                             "We'll change this in the future though.", id);
                 goto end;
+            }
 
             de = SCMalloc(sizeof(DetectThresholdData));
             if (de == NULL)