xbits: expire (first steps)

diff --git a/src/detect-xbits.c b/src/detect-xbits.c
index 488e3454a4c7024902ea2e8462e4e4a7f333f753..d630930e1e20735c75611becada167210d12fbd1 100644 (file)
--- a/src/detect-xbits.c
+++ b/src/detect-xbits.c
@@ -50,10 +50,10 @@
 #include "util-debug.h"
 
 /*
-    xbits:set,bitname,track ip_pair
+    xbits:set,bitname,track ip_pair,expire 60
  */
 
-#define PARSE_REGEX         "([a-z]+)(?:,([^,]+))?(?:,(?:track\\s+([^,]+)))"
+#define PARSE_REGEX     "([a-z]+)" "(?:,\\s*([^,]+))?" "(?:,\\s*(?:track\\s+([^,]+)))" "(?:,\\s*(?:expire\\s+([^,]+)))?"
 static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
 
@@ -213,10 +213,11 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
     char fb_cmd_str[16] = "", fb_name[256] = "";
     char hb_dir_str[16] = "";
     enum VarTypes var_type = VAR_TYPE_NOT_SET;
+    int expire = 30;
 
     ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
-    if (ret != 2 && ret != 3 && ret != 4) {
-        SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for hostbits.", rawstr);
+    if (ret != 2 && ret != 3 && ret != 4 && ret != 5) {
+        SCLogError(SC_ERR_PCRE_MATCH, "\"%s\" is not a valid setting for xbits.", rawstr);
         return -1;
     }
     SCLogDebug("ret %d, %s", ret, rawstr);
@@ -254,6 +255,18 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
                     goto error;
                 }
             }
+
+            if (ret >= 5) {
+                char expire_str[16] = "";
+                res = pcre_copy_substring((char *)rawstr, ov, MAX_SUBSTRINGS, 4, expire_str, sizeof(expire_str));
+                if (res < 0) {
+                    SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_copy_substring failed");
+                    goto error;
+                }
+                SCLogDebug("expire_str %s", expire_str);
+                expire = atoi(expire_str);
+                SCLogDebug("expire %d", expire);
+            }
         }
     }
 
@@ -299,6 +312,7 @@ int DetectXbitSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
     cd->cmd = fb_cmd;
     cd->tracker = hb_dir;
     cd->type = var_type;
+    cd->expire = expire;
 
     SCLogDebug("idx %" PRIu32 ", cmd %s, name %s",
         cd->idx, fb_cmd_str, strlen(fb_name) ? fb_name : "(none)");

diff --git a/src/detect-xbits.h b/src/detect-xbits.h
index 56ba917b8a95d84e8f314273d445c01740e20be8..477aab8c2bdad532dcf240f88dc87ae2112fb0f3 100644 (file)
--- a/src/detect-xbits.h
+++ b/src/detect-xbits.h
@@ -41,6 +41,7 @@ typedef struct DetectXbitsData_ {
     uint16_t idx;
     uint8_t cmd;
     uint8_t tracker;
+    uint32_t expire;
     /** data type: host/ippair/flow used for sig sorting in sigorder */
     enum VarTypes type;
 } DetectXbitsData;

diff --git a/src/util-var.h b/src/util-var.h
index 965b36e012d6aef64b28991b77ad2a101d732b11..0cd8c3528b1f8192ce030d24564bb50cead4b579 100644 (file)
--- a/src/util-var.h
+++ b/src/util-var.h
@@ -54,6 +54,7 @@ typedef struct XBit_ {
     uint8_t type;       /* type, DETECT_XBITS in this case */
     uint16_t idx;       /* name idx */
     GenericVar *next;
+    uint32_t expire;
 } XBit;
 
 void GenericVarFree(GenericVar *);