thresholds: fix issues with host based thresholds

The flow manager thread (that also runs the host cleanup code) would
sometimes free a host before it's thresholds are timed out. This would
lead to misdetection or too many alerts.

This was mostly (only?) visible on slower systems. And was caused by a
mismatch between time concepts of the async flow manager thread and the
packet threads, resulting in the flow manager using a timestamp that
was before the threshold entry creation ts. This would lead to an
integer underflow in the timeout check, leading to a incorrect conclusion
that the threshold entry was timed out.

To address this,  check if the 'check' timestamp is not before the creation
timestamp.

diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 18f75fe6726c1be6c9c7e8f86726940c40cf0323..efd95138977e917ce4ff5ade59728cc0322877c2 100644 (file)
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -171,7 +171,10 @@ static DetectThresholdEntry* ThresholdTimeoutCheck(DetectThresholdEntry *head, s
     DetectThresholdEntry *new_head = head;
 
     while (tmp != NULL) {
-        if ((tv->tv_sec - tmp->tv_sec1) <= tmp->seconds) {
+        /* check if the 'check' timestamp is not before the creation ts.
+         * This can happen due to the async nature of the host timeout
+         * code that also calls this code from a management thread. */
+        if (((uint32_t)tv->tv_sec < tmp->tv_sec1) || (tv->tv_sec - tmp->tv_sec1) <= tmp->seconds) {
             prev = tmp;
             tmp = tmp->next;
             continue;