/** * \test DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter * * \retval 1 on succces * \retval 0 on failure */ int DetectDetectionFilterTestParse06 (void) { DetectThresholdData *df = NULL; df = DetectDetectionFilterParse("count 10, track by_dst, seconds 0"); if (df && (df->track == TRACK_DST) && (df->count == 10) && (df->seconds == 0)) { DetectDetectionFilterFree(df); return 1; } return 0; }
/** * \test DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options * * \retval 1 on succces * \retval 0 on failure */ int DetectDetectionFilterTestParse02 (void) { DetectThresholdData *df = NULL; df = DetectDetectionFilterParse("track both,count 10,seconds 60"); if (df && (df->track == TRACK_DST || df->track == TRACK_SRC) && (df->count == 10) && (df->seconds == 60)) { DetectDetectionFilterFree(df); return 1; } return 0; }
/** * \internal * \brief this function is used to add the parsed detection_filter into the current signature * * \param de_ctx pointer to the Detection Engine Context * \param s pointer to the Current Signature * \param m pointer to the Current SigMatch * \param rawstr pointer to the user provided detection_filter options * * \retval 0 on Success * \retval -1 on Failure */ int DetectDetectionFilterSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr) { SCEnter(); DetectThresholdData *df = NULL; SigMatch *sm = NULL; SigMatch *tmpm = NULL; /* checks if there's a previous instance of threshold */ tmpm = SigMatchGetLastSMFromLists(s, 2, DETECT_THRESHOLD, s->sm_lists_tail[DETECT_SM_LIST_MATCH]); if (tmpm != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule"); SCReturnInt(-1); } /* checks there's no previous instance of detection_filter */ tmpm = SigMatchGetLastSMFromLists(s, 2, DETECT_DETECTION_FILTER, s->sm_lists_tail[DETECT_SM_LIST_MATCH]); if (tmpm != NULL) { SCLogError(SC_ERR_INVALID_SIGNATURE, "At most one \"detection_filter\" is allowed per rule"); SCReturnInt(-1); } df = DetectDetectionFilterParse(rawstr); if (df == NULL) goto error; sm = SigMatchAlloc(); if (sm == NULL) goto error; sm->type = DETECT_DETECTION_FILTER; sm->ctx = (SigMatchCtx *)df; SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_THRESHOLD); return 0; error: if (df) SCFree(df); if (sm) SCFree(sm); return -1; }