From: Victor Julien
Date: Sat, 2 Mar 2024 06:58:30 +0000 (+0100)
Subject: threshold: add by_flow support for global thresholds
X-Git-Tag: suricata-8.0.0-beta1~1102
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfd55ead74e2b2180ba2e2eeccd1b9d774073546;p=thirdparty%2Fsuricata.git
threshold: add by_flow support for global thresholds
Allow rate_filter and thresholds from the global config to specify tracking "by_flow".
---
diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 0c85dbc6ab..f430e66b26 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -343,6 +343,7 @@ static int ThresholdHandlePacketSuppress(Packet *p,
 }
 break;
 case TRACK_RULE:
+ case TRACK_FLOW:
 default:
 SCLogError("track mode %d is not supported", td->track);
 break;
diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index d12c89e07f..998dde56a9 100644
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@@ -66,11 +66,15 @@ static FILE *g_ut_threshold_fp = NULL;
 #define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"
 #define DETECT_THRESHOLD_REGEX \
- "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*," \
+ "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_" \
+ "flow)\\s*," \
 "\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"
 /* TODO: "apply_to" */
-#define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$"
+#define DETECT_RATE_REGEX \
+ "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_flow)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*" \
+ "seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*" \
+ "timeout\\s*(\\d+)\\s*$"
 /*
 * suppress has two form:
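Review bot: Adding `case TRACK_FLOW:` to the unsupported group in ThresholdHandlePacketSuppress means a by_flow suppress entry, if the config parser can ever produce one, is only reported per packet through SCLogError rather than rejected once at load time; rejecting it in the parser, or documenting that the suppress regex never admits by_flow, is the more defensible choice. At minimum a comment on the new label, `/* by_flow is accepted for threshold/rate_filter only; a suppress with it reaches the error below */`, records the intent for the next reader. The switch and the enclosing function start and end outside the hunk, so whether this case is reachable from the parser is inferred here, not visible.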
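Review bot: In the new DETECT_THRESHOLD_REGEX the alternative `by_flow` is split across two string literals (`...|by_rule|by_" \` followed by `"flow)\\s*," \`), which compiles correctly through adjacent-literal concatenation but makes the accepted track values hard to audit, since a reader has to rejoin the token by hand. Breaking the literal at a `|` boundary instead keeps every alternative intact, e.g. `"^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|" \` then `"by_rule|by_flow)\\s*," \`; the DETECT_RATE_REGEX rewrite in the same hunk already breaks only between complete tokens. Capture-group numbering is unchanged by either edit, so the later group indexing, which is outside this hunk, should be unaffected.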
@@ -793,6 +797,8 @@ static int ParseThresholdRule(const DetectEngineCtx *de_ctx, char *rawstr, uint3
 }
 else if (strcasecmp(th_track,"by_rule") == 0)
 parsed_track = TRACK_RULE;
+ else if (strcasecmp(th_track, "by_flow") == 0)
+ parsed_track = TRACK_FLOW;
 else {
 SCLogError("Invalid track parameter %s in %s", th_track, rawstr);
 goto error;
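Review bot: The new `else if` branch is unbraced, like the `by_rule` branch above it, while the branch closed by the `}` at the top of the hunk and the `else {` below it are braced; an unbraced single-statement body in a chain like this is exactly the shape that turns into a "goto fail"-style mistake when a second statement is later added. Writing it as `} else if (strcasecmp(th_track, "by_flow") == 0) {` / `parsed_track = TRACK_FLOW;` / `} else {` matches the braced siblings, and the `by_rule` branch could get the same treatment in the same pass. Whether a suppress entry carrying track by_flow is rejected here or only later per packet in ThresholdHandlePacketSuppress (the other file in this commit) is not visible in this hunk, since ParseThresholdRule starts and ends outside it.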