From: Victor Julien Date: Tue, 16 Jan 2018 10:54:39 +0000 (+0100) Subject: thresholds: fix issues with host based thresholds X-Git-Tag: suricata-4.1.0-beta1~351 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3168%2Fhead;p=thirdparty%2Fsuricata.git thresholds: fix issues with host based thresholds The flow manager thread (that also runs the host cleanup code) would sometimes free a host before it's thresholds are timed out. This would lead to misdetection or too many alerts. This was mostly (only?) visible on slower systems. And was caused by a mismatch between time concepts of the async flow manager thread and the packet threads, resulting in the flow manager using a timestamp that was before the threshold entry creation ts. This would lead to an integer underflow in the timeout check, leading to a incorrect conclusion that the threshold entry was timed out. To address this, check if the 'check' timestamp is not before the creation timestamp. --- diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c index 18f75fe672..efd9513897 100644 --- a/src/detect-engine-threshold.c +++ b/src/detect-engine-threshold.c @@ -171,7 +171,10 @@ static DetectThresholdEntry* ThresholdTimeoutCheck(DetectThresholdEntry *head, s DetectThresholdEntry *new_head = head; while (tmp != NULL) { - if ((tv->tv_sec - tmp->tv_sec1) <= tmp->seconds) { + /* check if the 'check' timestamp is not before the creation ts. + * This can happen due to the async nature of the host timeout + * code that also calls this code from a management thread. */ + if (((uint32_t)tv->tv_sec < tmp->tv_sec1) || (tv->tv_sec - tmp->tv_sec1) <= tmp->seconds) { prev = tmp; tmp = tmp->next; continue;