From: Philippe Antoine Date: Thu, 28 Apr 2022 14:24:46 +0000 (+0200) Subject: threshold: fix regex to accept by_both and by_rule X-Git-Tag: suricata-7.0.0-beta1~386 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F7603%2Fhead;p=thirdparty%2Fsuricata.git threshold: fix regex to accept by_both and by_rule As is done in detect-threshold.c or in DETECT_RATE_REGEX and is expected by switch (rule_type) which makes the same for THRESHOLD_TYPE_THRESHOLD and THRESHOLD_TYPE_RATE Ticket: #5327
---
diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index 97c7507624..84dd61ecd1 100644
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@@ -67,7 +67,9 @@ static FILE *g_ut_threshold_fp = NULL;
 /* common base for all options */
 #define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"
-#define DETECT_THRESHOLD_REGEX "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"
+#define DETECT_THRESHOLD_REGEX \
+ "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*," \
+ "\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"
 /* TODO: "apply_to" */
 #define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$"
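Review bot: The track alternation `(by_dst|by_src|by_both|by_rule)` is now written out twice, in the new DETECT_THRESHOLD_REGEX and in DETECT_RATE_REGEX just below it, and this commit exists because those two lists had drifted apart. Defining the list once, for example `#define DETECT_TRACK_REGEX "(by_dst|by_src|by_both|by_rule)"` (a suggested name), and concatenating it into both patterns would keep them in step. The code that maps the captured track string to a tracking mode is outside this hunk, so it is worth confirming that it handles by_both and by_rule for threshold lines rather than falling through to a default. A parser test with one threshold.config line per new value would pin this down, since a line that is rejected or tracked under the wrong key presumably leaves the signature without the alert limit the operator intended.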