From: Victor Julien
Date: Mon, 24 Sep 2012 14:53:59 +0000 (+0200)
Subject: threshold: allow suppression for sigs with threshold set. Part of #425.
X-Git-Tag: suricata-1.4beta2~40
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8667448c1be1bad675d74d201320729df45fc46;p=thirdparty%2Fsuricata.git
threshold: allow suppression for sigs with threshold set. Part of #425.
---
diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
index 9a5a941ae7..3b942fa8d9 100644
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@@ -558,29 +558,29 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
 /* Install it */
 if (id == 0 && gid == 0) {
 for (s = de_ctx->sig_list; s != NULL;) {
- ns = s->next;
+ if (parsed_type != TYPE_SUPPRESS) {
+ m = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
- m = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
-
- if (m != NULL) {
- SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
- "an event var set. The signature event var is "
- "given precedence over the threshold.conf one. "
- "We'll change this in the future though.", id);
- goto end;
- }
+ if (m != NULL) {
+ SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+ "an event var set. The signature event var is "
+ "given precedence over the threshold.conf one. "
+ "We'll change this in the future though.", s->id);
+ goto end;
+ }
- m = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
+ m = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
- if (m != NULL) {
- SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
- "an event var set. The signature event var is "
- "given precedence over the threshold.conf one. "
- "We'll change this in the future though.", id);
- goto end;
+ if (m != NULL) {
+ SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+ "an event var set. The signature event var is "
+ "given precedence over the threshold.conf one. "
+ "We'll change this in the future though.", s->id);
+ goto end;
+ }
 }
 de = SCMalloc(sizeof(DetectThresholdData));
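Review bot: Both `goto end;` statements in the new `parsed_type != TYPE_SUPPRESS` block sit inside the `for` over `de_ctx->sig_list`, so the first signature that carries its own threshold or detection_filter appears to stop the global (sid 0, gid 0) entry from being applied to every signature after it; the gid-only loop in the hunk at -637 has the same shape. The warning text says only that the signature's own setting takes precedence, which suggests skipping just that signature, for example `s = s->next; continue;` in place of `goto end;`. The `end` label and the loop's advance step are outside the hunk (the header has no increment and this hunk removes `ns = s->next;`), so confirm that nothing later in the loop body still reads `ns`.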
@@ -637,31 +637,31 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
 } else if (id == 0 && gid > 0) {
 for (s = de_ctx->sig_list; s != NULL;) {
- ns = s->next;
 if(s->gid == gid) {
+ if (parsed_type != TYPE_SUPPRESS) {
+ m = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
+
+ if (m != NULL) {
+ SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+ "an event var set. The signature event var is "
+ "given precedence over the threshold.conf one. "
+ "We'll change this in the future though.", id);
+ goto end;
+ }
- m = SigMatchGetLastSMFromLists(s, 2,
- DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
-
- if (m != NULL) {
- SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
- "an event var set. The signature event var is "
- "given precedence over the threshold.conf one. "
- "We'll change this in the future though.", id);
- goto end;
- }
-
- m = SigMatchGetLastSMFromLists(s, 2,
- DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
+ m = SigMatchGetLastSMFromLists(s, 2,
+ DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]);
- if (m != NULL) {
- SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
- "an event var set. The signature event var is "
- "given precedence over the threshold.conf one. "
- "We'll change this in the future though.", id);
- goto end;
+ if (m != NULL) {
+ SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+ "an event var set. The signature event var is "
+ "given precedence over the threshold.conf one. "
+ "We'll change this in the future though.", id);
+ goto end;
+ }
 }
 de = SCMalloc(sizeof(DetectThresholdData));
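Review bot: The two added `SCLogWarning` calls in this branch still pass `id`, which is always 0 here because the branch condition is `id == 0 && gid > 0`, so the warning reports `sid:0` rather than the signature that was actually skipped. The hunk at -558 already switched the same message to `s->id`; the last argument here should match it: `"We'll change this in the future though.", s->id);`. The format is `PRIu32`, so this assumes `s->id` has the 32-bit unsigned type that its use in the first hunk implies.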
@@ -718,9 +718,8 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
 }
 } else if (id > 0 && gid == 0) {
 SCLogError(SC_ERR_INVALID_VALUE, "Can't use a event config that has "
- "sid > 0 and gid == 0. Killing engine. Please fix this "
+ "sid > 0 and gid == 0. Please fix this "
 "in your threshold.conf file");
- exit(EXIT_FAILURE);
 } else {
 sig = SigFindSignatureBySidGid(de_ctx,id,gid);
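Review bot: With `exit(EXIT_FAILURE);` removed, the `id > 0 && gid == 0` branch only logs and then falls out of the if/else chain, and the value the function returns on that path is outside the hunk. If that value is the success code, the caller cannot tell a rejected threshold.conf entry from an applied one, and the operator's only signal that a suppress or rate-limit rule was ignored is a single log line. I would make the failure explicit on this path and put the offending sid in the message so the entry can be located, for example `"sid:%"PRIu32" and gid == 0. Please fix this "` with `id` passed as the argument.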
@@ -729,27 +728,28 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx)
 sig->flags |= SIG_FLAG_NOALERT;
 goto end;
 }
+ if (parsed_type != TYPE_SUPPRESS) {
+ m = SigMatchGetLastSMFromLists(sig, 2,
+ DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
- m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
-
- if (m != NULL) {
- SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
- "an event var set. The signature event var is "
- "given precedence over the threshold.conf one. "
- "We'll change this in the future though.", id);
- goto end;
- }
+ if (m != NULL) {
+ SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+ "an event var set. The signature event var is "
+ "given precedence over the threshold.conf one. "
+ "We'll change this in the future though.", id);
+ goto end;
+ }
- m = SigMatchGetLastSMFromLists(sig, 2,
- DETECT_DETECTION_FILTER, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
+ m = SigMatchGetLastSMFromLists(sig, 2,
+ DETECT_DETECTION_FILTER, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]);
- if (m != NULL) {
- SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
- "an event var set. The signature event var is "
- "given precedence over the threshold.conf one. "
- "We'll change this in the future though.", id);
- goto end;
+ if (m != NULL) {
+ SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has "
+ "an event var set. The signature event var is "
+ "given precedence over the threshold.conf one. "
+ "We'll change this in the future though.", id);
+ goto end;
+ }
 }
 de = SCMalloc(sizeof(DetectThresholdData));
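Review bot: The new `if (parsed_type != TYPE_SUPPRESS)` guard has no comment saying why suppress entries skip the existing-threshold check, and the same guarded block is now repeated in three branches of the function (here and in the hunks at -558 and -637). A short comment above the guard would record the intent: `/* suppress entries may coexist with a signature's own threshold or detection_filter; only other types defer to the signature */`. Whether the code that later walks `DETECT_SM_LIST_THRESHOLD` copes with a suppress entry added next to an existing threshold is outside this diff and worth checking, since the commit is marked as only part of #425. The function body continues past the end of the hunk.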