From: Todd Mortimer
Date: Mon, 30 Mar 2020 23:36:12 +0000 (+0000)
Subject: detect/threshold: Parse by_rule and by_both in rules.
X-Git-Tag: suricata-6.0.0-beta1~555
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e945dea244ca2ab5ca2774ef838dab8c1ffb4abc;p=thirdparty%2Fsuricata.git
detect/threshold: Parse by_rule and by_both in rules.
Also add tests for parsing them.
---
diff --git a/src/detect-threshold.c b/src/detect-threshold.c
index 833ad7cbc7..23902fc714 100644
--- a/src/detect-threshold.c
+++ b/src/detect-threshold.c
@@ -59,7 +59,7 @@
 #include "util-cpu.h"
 #endif
-#define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*"
+#define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)\\s*"
 static DetectParseRegex parse_regex;
@@ -174,6 +174,10 @@ static DetectThresholdData *DetectThresholdParse(const char *rawstr)
 de->track = TRACK_DST;
 if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
 de->track = TRACK_SRC;
+ if (strncasecmp(args[i],"by_both",strlen("by_both")) == 0)
+ de->track = TRACK_BOTH;
+ if (strncasecmp(args[i],"by_rule",strlen("by_rule")) == 0)
+ de->track = TRACK_RULE;
 if (strncasecmp(args[i],"count",strlen("count")) == 0)
 count_pos = i+1;
 if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
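Review bot: The list of accepted values in PARSE_REGEX is spelled out four times, so this change had to edit the same alternation in four places and the next tracking mode will too, which is exactly how the copies drift apart. Building the pattern from one key macro and one value macro with string-literal concatenation keeps a single list and leaves the compiled pattern byte-identical to the new one. The regex still accepts any value word after any key (for instance `track limit`); that is pre-existing and is sorted out by the per-token checks in DetectThresholdParse, so it only needs a comment above the define rather than a change here.
```c
#define THRESHOLD_KEY  "(track|type|count|seconds)"
#define THRESHOLD_VAL  "(limit|both|threshold|by_dst|by_src|by_both|by_rule|\\d+)"
#define THRESHOLD_PAIR THRESHOLD_KEY "\\s+" THRESHOLD_VAL "\\s*"
/* Four comma-separated key/value pairs; key/value agreement is checked by DetectThresholdParse, not here. */
#define PARSE_REGEX "^\\s*" THRESHOLD_PAIR ",\\s*" THRESHOLD_PAIR ",\\s*" THRESHOLD_PAIR ",\\s*" THRESHOLD_PAIR
```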
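Review bot: The parser now hands TRACK_BOTH and TRACK_RULE to its caller, but nothing in this hunk shows that DetectThresholdSetup or the threshold match path accepts those values for a rule-level `threshold:` keyword, so a rule could parse cleanly and then track nothing; the new parse tests do not reach that layer, and a signature-level test next to the existing DetectThresholdTestSig tests would close the gap. As a point of style, the four added lines extend a chain of independent `if` tests on args[i], so each token is compared against every keyword even after it has matched; since a token can match only one keyword, `else if` would state that intent and stop early, though changing only the new lines would be inconsistent with the existing ones. The loop in DetectThresholdParse that contains these lines starts and ends outside the hunk.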
@@ -374,6 +378,43 @@ static int ThresholdTestParse05(void)
 return 0;
 }
+/**
+ * \test ThresholdTestParse06 is a test for thresholding by_both
+ *
+ * \retval 1 on success
+ * \retval 0 on failure
+ */
+static int ThresholdTestParse06(void)
+{
+ DetectThresholdData *de = NULL;
+ de = DetectThresholdParse("count 10, track by_both, seconds 60, type limit");
+ FAIL_IF_NULL(de);
+ FAIL_IF_NOT(de->type == TYPE_LIMIT);
+ FAIL_IF_NOT(de->track == TRACK_BOTH);
+ FAIL_IF_NOT(de->count == 10);
+ FAIL_IF_NOT(de->seconds == 60);
+ DetectThresholdFree(de);
+ PASS;
+}
+
+/**
+ * \test ThresholdTestParse07 is a test for thresholding by_rule
+ *
+ * \retval 1 on success
+ * \retval 0 on failure
+ */
+static int ThresholdTestParse07(void)
+{
+ DetectThresholdData *de = NULL;
+ de = DetectThresholdParse("count 10, track by_rule, seconds 60, type limit");
+ FAIL_IF_NULL(de);
+ FAIL_IF_NOT(de->type == TYPE_LIMIT);
+ FAIL_IF_NOT(de->track == TRACK_RULE);
+ FAIL_IF_NOT(de->count == 10);
+ FAIL_IF_NOT(de->seconds == 60);
+ DetectThresholdFree(de);
+ PASS;
+}
 /**
 * \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
@@ -1485,6 +1526,8 @@ void ThresholdRegisterTests(void)
 UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03);
 UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04);
 UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05);
+ UtRegisterTest("ThresholdTestParse06", ThresholdTestParse06);
+ UtRegisterTest("ThresholdTestParse07", ThresholdTestParse07);
 UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1);
 UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2);
 UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3);
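Review bot: ThresholdTestParse06 and ThresholdTestParse07 exercise only the accepting path; nothing checks that a near-miss tracking mode such as `track by_bot` is rejected by the new PARSE_REGEX rather than parsed with de->track left at whatever DetectThresholdParse defaults it to, which is where a widened alternation most easily regresses. A negative test expecting a NULL return, registered in ThresholdRegisterTests alongside the two new entries, covers that. Note also that each `FAIL_IF_NOT` returns before `DetectThresholdFree(de)`, so a failing assertion leaks `de`; that matches the surrounding tests and is acceptable for unit tests, but worth knowing when running them under a leak checker.
```c
/**
 * \test ThresholdTestParse08 checks that an unknown tracking mode is rejected
 *
 * \retval 1 on success
 * \retval 0 on failure
 */
static int ThresholdTestParse08(void)
{
    DetectThresholdData *de = DetectThresholdParse("count 10, track by_bot, seconds 60, type limit");
    FAIL_IF_NOT_NULL(de);
    PASS;
}
```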