From: Victor Julien
Date: Wed, 13 Mar 2024 10:01:28 +0000 (+0100)
Subject: detect/detection_filter: add support for track by_flow
X-Git-Tag: suricata-8.0.0-beta1~1097
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=405491c3fcdd8c30cdd66e3ef922f0b8a8717a9e;p=thirdparty%2Fsuricata.git
detect/detection_filter: add support for track by_flow
---
diff --git a/doc/userguide/rules/thresholding.rst b/doc/userguide/rules/thresholding.rst
index e3e5830f7f..44a8aa5e92 100644
--- a/doc/userguide/rules/thresholding.rst
+++ b/doc/userguide/rules/thresholding.rst
@@ -118,7 +118,7 @@ again.
 Syntax::
- detection_filter: track , count , seconds
+ detection_filter: track , count , seconds
 Example::
diff --git a/src/detect-detection-filter.c b/src/detect-detection-filter.c
index cbd1898a31..47ce008298 100644
--- a/src/detect-detection-filter.c
+++ b/src/detect-detection-filter.c
@@ -47,8 +47,9 @@
 *\brief Regex for parsing our detection_filter options
 */
 #define PARSE_REGEX \
- "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|" \
- "by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
+ "^\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+" \
+ "(by_src|" \
+ "by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*$"
 static DetectParseRegex parse_regex;
@@ -158,6 +159,8 @@ static DetectThresholdData *DetectDetectionFilterParse(const char *rawstr)
 df->track = TRACK_DST;
 if (strncasecmp(args[i], "by_src", strlen("by_src")) == 0)
 df->track = TRACK_SRC;
+ if (strncasecmp(args[i], "by_flow", strlen("by_flow")) == 0)
+ df->track = TRACK_FLOW;
 if (strncasecmp(args[i], "count", strlen("count")) == 0)
 count_pos = i + 1;
 if (strncasecmp(args[i], "seconds", strlen("seconds")) == 0)
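Review bot: The value alternation `(by_src|by_dst|by_flow|\d+)` is now spelled out three times inside PARSE_REGEX, and the re-wrapped `"(by_src|" \` fragment on its own line makes it hard to see at a glance that all three copies are identical; the next track keyword added here has to be spliced into three places again, exactly as this commit had to do. Defining the key and value groups once and composing PARSE_REGEX from them keeps the three positions in sync by construction and leaves the six capture groups numbered as before. As before, the pattern does not pair a value with its key, so `track 5` or `count by_flow` still passes the regex; presumably the keyword loop that follows rejects or ignores such input, which is worth confirming with a parse test for `track by_flow`.
```c
#define DF_KEY "(track|count|seconds)"
#define DF_VAL "(by_src|by_dst|by_flow|\\d+)"
#define PARSE_REGEX \
    "^\\s*" DF_KEY "\\s+" DF_VAL "\\s*,\\s*" DF_KEY "\\s+" DF_VAL "\\s*,\\s*" DF_KEY "\\s+" DF_VAL "\\s*$"
/* … unchanged: static DetectParseRegex parse_regex; … */
```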
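Review bot: The added branch sets `df->track = TRACK_FLOW`, but nothing in this diff shows that the code evaluating detection_filter at runtime accepts `TRACK_FLOW`, nor what it does for a packet that has no flow attached; presumably that lives in the threshold engine code and a sibling commit, but it should be confirmed before this parser change lands on its own. Like the existing `by_src`/`by_dst` checks, the new line is a case-insensitive prefix compare via `strncasecmp(..., strlen("by_flow"))`, which is only safe because PARSE_REGEX has already restricted the token; a comment such as `/* tokens were validated by PARSE_REGEX, so a prefix compare is sufficient */` above the chain would make that dependency explicit. No unit test exercising `track by_flow` is visible in this diff, and the file's existing parse tests are outside the hunk, so one may have been added elsewhere. DetectDetectionFilterParse starts and ends outside the hunk.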