From ff9a01ee1b63452d1b047f9bcc7522e3ab1eda10 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Wed, 4 Mar 2020 09:35:54 -0500 Subject: [PATCH] detect/threshold: Don't allow duplicates This commit detects duplicate threshold rule options. When duplicates are found in a rule, an error message is displayed and the rule is rejected. --- src/detect-threshold.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/detect-threshold.c b/src/detect-threshold.c index 505d9459b7..356160e150 100644 --- a/src/detect-threshold.c +++ b/src/detect-threshold.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2013 Open Information Security Foundation +/* Copyright (C) 2007-2020 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -229,10 +229,15 @@ static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, const cha SigMatch *tmpm = NULL; /* checks if there is a previous instance of detection_filter */ - tmpm = DetectGetLastSMFromLists(s, DETECT_DETECTION_FILTER, -1); + tmpm = DetectGetLastSMFromLists(s, DETECT_THRESHOLD, DETECT_DETECTION_FILTER, -1); if (tmpm != NULL) { - SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and " - "\"threshold\" are not allowed in the same rule"); + if (tmpm->type == DETECT_DETECTION_FILTER) { + SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and " + "\"threshold\" are not allowed in the same rule"); + } else { + SCLogError(SC_ERR_INVALID_SIGNATURE, "multiple \"threshold\" " + "options are not allowed in the same rule"); + } SCReturnInt(-1); } -- 2.47.2