From: Victor Julien Date: Fri, 19 Apr 2024 16:27:57 +0000 (+0200) Subject: detect/threshold: include rev in threshold tracking X-Git-Tag: suricata-8.0.0-beta1~1086 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2be998fbcd820ab54c75a9a6219984f52f140705;p=thirdparty%2Fsuricata.git detect/threshold: include rev in threshold tracking --- diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c index 4a2a781916..d1f34f03a8 100644 --- a/src/detect-engine-threshold.c +++ b/src/detect-engine-threshold.c @@ -93,10 +93,11 @@ void ThresholdDestroy(void) #define SID 0 #define GID 1 -#define TRACK 2 +#define REV 2 +#define TRACK 3 typedef struct ThresholdEntry_ { - uint32_t key[3]; + uint32_t key[4]; uint32_t tv_timeout; /**< Timeout for new_action (for rate_filter) its not "seconds", that define the time interval */ @@ -522,14 +523,15 @@ static FlowVarThreshold *FlowThresholdVarGet(Flow *f) return NULL; } -static ThresholdEntry *ThresholdFlowLookupEntry(Flow *f, uint32_t sid, uint32_t gid) +static ThresholdEntry *ThresholdFlowLookupEntry(Flow *f, uint32_t sid, uint32_t gid, uint32_t rev) { FlowVarThreshold *t = FlowThresholdVarGet(f); if (t == NULL) return NULL; for (FlowThresholdEntryList *e = t->thresholds; e != NULL; e = e->next) { - if (e->threshold.key[SID] == sid && e->threshold.key[GID] == gid) { + if (e->threshold.key[SID] == sid && e->threshold.key[GID] == gid && + e->threshold.key[REV] == rev) { return &e->threshold; } } @@ -617,10 +619,11 @@ static inline void RateFilterSetAction(PacketAlert *pa, uint8_t new_action) } static int ThresholdSetup(const DetectThresholdData *td, ThresholdEntry *te, - const SCTime_t packet_time, const uint32_t sid, const uint32_t gid) + const SCTime_t packet_time, const uint32_t sid, const uint32_t gid, const uint32_t rev) { te->key[SID] = sid; te->key[GID] = gid; + te->key[REV] = rev; te->key[TRACK] = td->track; te->seconds = td->seconds; @@ -774,6 +777,7 @@ static int ThresholdGetFromHash(struct Thresholds *tctx, const Packet *p, const memset(&lookup, 0, sizeof(lookup)); lookup.key[SID] = s->id; lookup.key[GID] = s->gid; + lookup.key[REV] = s->rev; lookup.key[TRACK] = td->track; if (td->track == TRACK_SRC) { COPY_ADDRESS(&p->src, &lookup.addr); @@ -807,7 +811,7 @@ static int ThresholdGetFromHash(struct Thresholds *tctx, const Packet *p, const ThresholdEntry *te = res.data->data; if (res.is_new) { // new threshold, set up - r = ThresholdSetup(td, te, p->ts, s->id, s->gid); + r = ThresholdSetup(td, te, p->ts, s->id, s->gid, s->rev); } else { // existing, check/update r = ThresholdCheckUpdate(td, te, p, s->id, pa); @@ -826,11 +830,11 @@ static int ThresholdGetFromHash(struct Thresholds *tctx, const Packet *p, const * \retval 0 no match */ static int ThresholdHandlePacketFlow(Flow *f, Packet *p, const DetectThresholdData *td, - uint32_t sid, uint32_t gid, PacketAlert *pa) + uint32_t sid, uint32_t gid, uint32_t rev, PacketAlert *pa) { int ret = 0; - ThresholdEntry *found = ThresholdFlowLookupEntry(f, sid, gid); - SCLogDebug("found %p sid %u gid %u", found, sid, gid); + ThresholdEntry *found = ThresholdFlowLookupEntry(f, sid, gid, rev); + SCLogDebug("found %p sid %u gid %u rev %u", found, sid, gid, rev); if (found == NULL) { FlowThresholdEntryList *new = SCCalloc(1, sizeof(*new)); @@ -838,7 +842,7 @@ static int ThresholdHandlePacketFlow(Flow *f, Packet *p, const DetectThresholdDa return 0; // new threshold, set up - ret = ThresholdSetup(td, &new->threshold, p->ts, sid, gid); + ret = ThresholdSetup(td, &new->threshold, p->ts, sid, gid, rev); if (AddEntryToFlow(f, new, p->ts) == -1) { SCFree(new); @@ -899,7 +903,7 @@ int PacketAlertThreshold(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx ret = ThresholdGetFromHash(&ctx, p, s, td, pa); } else if (td->track == TRACK_FLOW) { if (p->flow) { - ret = ThresholdHandlePacketFlow(p->flow, p, td, s->id, s->gid, pa); + ret = ThresholdHandlePacketFlow(p->flow, p, td, s->id, s->gid, s->rev, pa); } }