suricata
util-threshold-config.c File Reference
Thresholding
#include "suricata-common.h"
#include "action-globals.h"
#include "host.h"
#include "ippair.h"
#include "detect.h"
#include "detect-engine.h"
#include "detect-engine-address.h"
#include "detect-engine-threshold.h"
#include "detect-threshold.h"
#include "detect-parse.h"
#include "detect-engine-build.h"
#include "conf.h"
#include "util-threshold-config.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "util-byte.h"
#include "util-time.h"
#include "util-debug.h"
#include "util-fmemopen.h"
#include "detect-engine-alert.h"
#include "packet.h"
Include dependency graph for util-threshold-config.c:

Go to the source code of this file.

#define DETECT_BASE_REGEX   "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"
 
#define DETECT_THRESHOLD_REGEX
 
#define DETECT_RATE_REGEX
 
#define DETECT_SUPPRESS_REGEX   "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$"
 
#define THRESHOLD_CONF_DEF_CONF_FILEPATH   CONFIG_DIR "/threshold.config"
 
enum  ThresholdRuleType { THRESHOLD_TYPE_EVENT_FILTER , THRESHOLD_TYPE_THRESHOLD , THRESHOLD_TYPE_RATE , THRESHOLD_TYPE_SUPPRESS }
 
typedef enum ThresholdRuleType ThresholdRuleType
 
void SCThresholdConfGlobalInit (void)
 
int SCThresholdConfInitContext (DetectEngineCtx *de_ctx)
 Inits the context to be used by the Threshold Config parsing API.
 
int SCThresholdConfParseFile (DetectEngineCtx *de_ctx, FILE *fp)
 Parses the Threshold Config file.
 
void SCThresholdConfRegisterTests (void)
 This function registers unit tests for Classification Config API.
 

Detailed Description

Author
Breno Silva Pinto breno.nosp@m..sil.nosp@m.va@gm.nosp@m.ail..nosp@m.com

Implements Threshold support

Definition in file util-threshold-config.c.

Macro Definition Documentation

◆ DETECT_BASE_REGEX

#define DETECT_BASE_REGEX   "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"

Definition at line 67 of file util-threshold-config.c.

◆ DETECT_RATE_REGEX

#define DETECT_RATE_REGEX
Value:
"^,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_flow)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*" \
"seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*" \
"timeout\\s*(\\d+)\\s*$"

Definition at line 75 of file util-threshold-config.c.

◆ DETECT_SUPPRESS_REGEX

#define DETECT_SUPPRESS_REGEX   "^,\\s*track\\s*(by_dst|by_src|by_either)\\s*,\\s*ip\\s*([\\[\\],\\$\\s\\da-zA-Z.:/_]+)*\\s*$"

Definition at line 86 of file util-threshold-config.c.

◆ DETECT_THRESHOLD_REGEX

#define DETECT_THRESHOLD_REGEX
Value:
"^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_" \
"flow)\\s*," \
"\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"

Definition at line 69 of file util-threshold-config.c.

◆ THRESHOLD_CONF_DEF_CONF_FILEPATH

#define THRESHOLD_CONF_DEF_CONF_FILEPATH   CONFIG_DIR "/threshold.config"

Definition at line 92 of file util-threshold-config.c.

Typedef Documentation

◆ ThresholdRuleType

typedef enum ThresholdRuleType ThresholdRuleType

Enumeration Type Documentation

◆ ThresholdRuleType

enum ThresholdRuleType
Enumerator
THRESHOLD_TYPE_EVENT_FILTER 
THRESHOLD_TYPE_THRESHOLD 
THRESHOLD_TYPE_RATE 
THRESHOLD_TYPE_SUPPRESS 

Definition at line 54 of file util-threshold-config.c.

Function Documentation

◆ SCThresholdConfGlobalInit()

void SCThresholdConfGlobalInit ( void  )

Definition at line 102 of file util-threshold-config.c.

References DETECT_BASE_REGEX, DETECT_RATE_REGEX, DETECT_SUPPRESS_REGEX, DETECT_THRESHOLD_REGEX, DetectSetupPCRE2(), and FatalError.

Referenced by GlobalsInitPreConfig().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCThresholdConfInitContext()

int SCThresholdConfInitContext ( DetectEngineCtx de_ctx)

Inits the context to be used by the Threshold Config parsing API. 

   This function initializes the hash table to be used by the Detection
   Engine Context to hold the data from the threshold.config file,
   obtains the file desc to parse the threshold.config file, and
   inits the regex used to parse the lines from threshold.config
   file.
Parameters
de_ctxPointer to the Detection Engine Context.
Return values
0On success.
-1On failure.

Definition at line 169 of file util-threshold-config.c.

References de_ctx, RUNMODE_CONF_TEST, SCLogDebug, SCLogWarning, SCRunmodeGet(), and SCThresholdConfParseFile().

Referenced by SigLoadSignatures().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCThresholdConfParseFile()

int SCThresholdConfParseFile ( DetectEngineCtx de_ctx,
FILE *  fp 
)

Parses the Threshold Config file.

Parameters
de_ctxPointer to the Detection Engine Context.
fdPointer to file descriptor.

Definition at line 983 of file util-threshold-config.c.

References DetectEngineCtx_::config_prefix, de_ctx, RUNMODE_CONF_TEST, SCLogDebug, SCLogInfo, SCRunmodeGet(), and DetectEngineCtx_::tenant_id.

Referenced by SCThresholdConfInitContext().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ SCThresholdConfRegisterTests()

void SCThresholdConfRegisterTests ( void  )

This function registers unit tests for Classification Config API.

Definition at line 2580 of file util-threshold-config.c.

References UtRegisterTest().

Here is the call graph for this function: