/**
 *  \brief Apply a per-host threshold rule to a packet and report whether it matches.
 *
 *  Looks up the DetectThresholdEntry for (sid, gid) on host h, updates that
 *  entry's counter and time window according to td->type, and creates the
 *  entry on first sight (prepended to the list kept in host storage slot
 *  threshold_id).
 *
 *  \param h   host whose threshold entries are consulted and updated
 *  \param p   packet being inspected; p->ts drives the window checks. For
 *             TYPE_RATE its action may be changed via RateFilterSetAction().
 *  \param td  threshold configuration (type, count, seconds, timeout,
 *             new_action are read)
 *  \param sid signature id identifying the threshold entry
 *  \param gid group id identifying the threshold entry
 *  \param pa  alert record handed to RateFilterSetAction() (TYPE_RATE only)
 *
 *  \retval 2 silent match (no alert but apply actions)
 *  \retval 1 normal match
 *  \retval 0 no match
 *
 *  NOTE(review): the window checks subtract the stored tv_sec1 from
 *  p->ts.tv_sec and compare with td->seconds; the types of these fields are
 *  not visible here, so behaviour for out-of-order (earlier) timestamps
 *  should be confirmed against their declarations.
 *  TYPE_SUPPRESS is not handled here and ends up in the default branch.
 */
int ThresholdHandlePacketHost(Host *h, Packet *p, const DetectThresholdData *td,
        uint32_t sid, uint32_t gid, PacketAlert *pa)
{
    int ret = 0;

    /* Existing per-host state for this (sid, gid); NULL on first sight. */
    DetectThresholdEntry *lookup_tsh = ThresholdHostLookupEntry(h, sid, gid);
    SCLogDebug("lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);

    switch(td->type)   {
        case TYPE_LIMIT:
        {
            /* limit: alert on the first td->count packets of each
             * td->seconds window, match silently (ret 2) after that. */
            SCLogDebug("limit");

            if (lookup_tsh != NULL)  {
                if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                    /* still inside the window: count this packet */
                    lookup_tsh->current_count++;

                    if (lookup_tsh->current_count <= td->count) {
                        ret = 1;
                    } else {
                        /* over the limit: silent match */
                        ret = 2;
                    }
                } else    {
                    /* window expired: start a new one with this packet */
                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->current_count = 1;

                    ret = 1;
                }
            } else {
                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: no state stored, ret stays 0 */
                    break;
                }

                e->tv_sec1 = p->ts.tv_sec;
                e->current_count = 1;

                /* first packet of a new entry always alerts */
                ret = 1;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);
            }
            break;
        }
        case TYPE_THRESHOLD:
        {
            /* threshold: alert once every td->count packets seen inside a
             * td->seconds window; the counter restarts from 0 after an alert. */
            SCLogDebug("threshold");

            if (lookup_tsh != NULL)  {
                if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                    lookup_tsh->current_count++;

                    if (lookup_tsh->current_count >= td->count) {
                        ret = 1;
                        /* reset so the next td->count packets alert again */
                        lookup_tsh->current_count = 0;
                    }
                } else {
                    /* window expired: restart; this packet does not alert
                     * (ret stays 0) */
                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->current_count = 1;
                }
            } else {
                if (td->count == 1)  {
                    /* a threshold of 1 needs no state: every packet
                     * reaching here is a match */
                    ret = 1;
                } else {
                    DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                    if (e == NULL) {
                        /* allocation failed: no state stored, ret stays 0 */
                        break;
                    }

                    e->current_count = 1;
                    e->tv_sec1 = p->ts.tv_sec;

                    /* prepend to the host's entry list in storage slot
                     * threshold_id */
                    e->next = HostGetStorageById(h, threshold_id);
                    HostSetStorageById(h, threshold_id, e);
                }
            }
            break;
        }
        case TYPE_BOTH:
        {
            /* both: alert exactly on the td->count-th packet of a window,
             * match silently (ret 2) for the packets after it. */
            SCLogDebug("both");

            if (lookup_tsh != NULL) {
                if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                    /* within time limit */

                    lookup_tsh->current_count++;
                    if (lookup_tsh->current_count == td->count) {
                        ret = 1;
                    } else if (lookup_tsh->current_count > td->count) {
                        /* silent match */
                        ret = 2;
                    }
                } else {
                    /* expired, so reset */
                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->current_count = 1;

                    /* if we have a limit of 1, this is a match */
                    if (lookup_tsh->current_count == td->count) {
                        ret = 1;
                    }
                }
            } else {
                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: no state stored, ret stays 0 */
                    break;
                }

                e->current_count = 1;
                e->tv_sec1 = p->ts.tv_sec;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);

                /* for the first match we return 1 to
                 * indicate we should alert */
                if (td->count == 1)  {
                    ret = 1;
                }
            }
            break;
        }
        /* detection_filter */
        case TYPE_DETECTION:
        {
            /* detection_filter: alert only once more than td->count packets
             * were seen inside a td->seconds window. Unlike the other types
             * the window is measured with microsecond resolution, and the
             * counter is not reset after an alert, so every further packet in
             * the window alerts too. */
            SCLogDebug("detection_filter");

            if (lookup_tsh != NULL) {
                /* floating-point seconds since the window started */
                long double time_diff = ((p->ts.tv_sec + p->ts.tv_usec/1000000.0) -
                                         (lookup_tsh->tv_sec1 + lookup_tsh->tv_usec1/1000000.0));

                if (time_diff < td->seconds) {
                    /* within timeout */

                    lookup_tsh->current_count++;
                    if (lookup_tsh->current_count > td->count) {
                        ret = 1;
                    }
                } else {
                    /* expired, reset */

                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->tv_usec1 = p->ts.tv_usec;
                    lookup_tsh->current_count = 1;
                }
            } else {
                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: no state stored, ret stays 0 */
                    break;
                }

                /* the first packet never alerts here: the count has to
                 * exceed td->count first */
                e->current_count = 1;
                e->tv_sec1 = p->ts.tv_sec;
                e->tv_usec1 = p->ts.tv_usec;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);
            }
            break;
        }
        /* rate_filter */
        case TYPE_RATE:
        {
            /* rate_filter: always a match (ret 1). Once more than td->count
             * packets are seen inside td->seconds, td->new_action is applied
             * to this and every following packet until td->timeout seconds
             * have passed since the action was enabled. */
            SCLogDebug("rate_filter");

            /* set up front: every path below, including the allocation
             * failure, reports a match */
            ret = 1;

            if (lookup_tsh != NULL) {
                /* Check if we have a timeout enabled, if so,
                 * we still matching (and enabling the new_action) */
                if (lookup_tsh->tv_timeout != 0) {
                    if ((p->ts.tv_sec - lookup_tsh->tv_timeout) > td->timeout) {
                        /* Ok, we are done, timeout reached */
                        /* NOTE(review): only tv_timeout is cleared; tv_sec1
                         * and current_count keep their old values, so the
                         * next packet is compared against the old window. */
                        lookup_tsh->tv_timeout = 0;
                    } else {
                        /* Already matching */
                        /* Take the action to perform */
                        RateFilterSetAction(p, pa, td->new_action);
                        ret = 1;
                    } /* else - if ((p->ts.tv_sec - lookup_tsh->tv_timeout) > td->timeout) */

                } else {
                    /* Update the matching state with the timeout interval */
                    if ( (p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                        lookup_tsh->current_count++;
                        if (lookup_tsh->current_count > td->count) {
                            /* Then we must enable the new action by setting a
                             * timeout */
                            lookup_tsh->tv_timeout = p->ts.tv_sec;
                            /* Take the action to perform */
                            RateFilterSetAction(p, pa, td->new_action);
                            ret = 1;
                        }
                    } else {
                        /* window expired: restart counting with this packet */
                        lookup_tsh->tv_sec1 = p->ts.tv_sec;
                        lookup_tsh->current_count = 1;
                    }
                } /* else - if (lookup_tsh->tv_timeout != 0) */
            } else {
                /* ret is already 1, so this assignment changes nothing */
                if (td->count == 1) {
                    ret = 1;
                }

                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: still reported as a match (ret 1),
                     * but no state is stored for the next packet */
                    break;
                }

                e->current_count = 1;
                e->tv_sec1 = p->ts.tv_sec;
                /* no action active yet */
                e->tv_timeout = 0;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);
            }
            break;
        }
        /* case TYPE_SUPPRESS: is not handled here */
        default:
            /* unknown type: log it and report no match (ret stays 0) */
            SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
    }

    return ret;
}
/**
 *  \brief Apply a per-host threshold rule to a packet and report whether it matches.
 *
 *  Variant of the handler without a PacketAlert parameter: for TYPE_RATE the
 *  configured action is applied straight to the packet with the PACKET_*
 *  macros, and TYPE_SUPPRESS is handled here by matching td->addr against the
 *  tracked packet address.
 *
 *  Looks up the DetectThresholdEntry for (sid, gid) on host h, updates that
 *  entry's counter and time window according to td->type, and creates the
 *  entry on first sight (prepended to the list kept in host storage slot
 *  threshold_id).
 *
 *  \param h   host whose threshold entries are consulted and updated
 *  \param p   packet being inspected; p->ts drives the window checks, and for
 *             TYPE_RATE its action may be changed in place
 *  \param td  threshold configuration (type, count, seconds, timeout,
 *             new_action, track, addr are read)
 *  \param sid signature id identifying the threshold entry
 *  \param gid group id identifying the threshold entry
 *
 *  \retval 2 silent match (no alert but apply actions)
 *  \retval 1 normal match
 *  \retval 0 no match
 *
 *  NOTE(review): the window checks subtract the stored tv_sec1 from
 *  p->ts.tv_sec and compare with td->seconds; the types of these fields are
 *  not visible here, so behaviour for out-of-order (earlier) timestamps
 *  should be confirmed against their declarations.
 */
int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint32_t sid, uint32_t gid) {
    int ret = 0;

    /* Existing per-host state for this (sid, gid); NULL on first sight. */
    DetectThresholdEntry *lookup_tsh = ThresholdHostLookupEntry(h, sid, gid);
    SCLogDebug("lookup_tsh %p sid %u gid %u", lookup_tsh, sid, gid);

    switch(td->type)   {
        case TYPE_LIMIT:
        {
            /* limit: alert on the first td->count packets of each
             * td->seconds window, match silently (ret 2) after that. */
            SCLogDebug("limit");

            if (lookup_tsh != NULL)  {
                if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                    /* still inside the window: count this packet */
                    lookup_tsh->current_count++;

                    if (lookup_tsh->current_count <= td->count) {
                        ret = 1;
                    } else {
                        /* over the limit: silent match */
                        ret = 2;
                    }
                } else    {
                    /* window expired: start a new one with this packet */
                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->current_count = 1;

                    ret = 1;
                }
            } else {
                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: no state stored, ret stays 0 */
                    break;
                }

                e->tv_sec1 = p->ts.tv_sec;
                e->current_count = 1;

                /* first packet of a new entry always alerts */
                ret = 1;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);
            }
            break;
        }
        case TYPE_THRESHOLD:
        {
            /* threshold: alert once every td->count packets seen inside a
             * td->seconds window; the counter restarts from 0 after an alert. */
            SCLogDebug("threshold");

            if (lookup_tsh != NULL)  {
                if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                    lookup_tsh->current_count++;

                    if (lookup_tsh->current_count >= td->count) {
                        ret = 1;
                        /* reset so the next td->count packets alert again */
                        lookup_tsh->current_count = 0;
                    }
                } else {
                    /* window expired: restart; this packet does not alert
                     * (ret stays 0) */
                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->current_count = 1;
                }
            } else {
                if (td->count == 1)  {
                    /* a threshold of 1 needs no state: every packet
                     * reaching here is a match */
                    ret = 1;
                } else {
                    DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                    if (e == NULL) {
                        /* allocation failed: no state stored, ret stays 0 */
                        break;
                    }

                    e->current_count = 1;
                    e->tv_sec1 = p->ts.tv_sec;

                    /* prepend to the host's entry list in storage slot
                     * threshold_id */
                    e->next = HostGetStorageById(h, threshold_id);
                    HostSetStorageById(h, threshold_id, e);
                }
            }
            break;
        }
        case TYPE_BOTH:
        {
            /* both: alert exactly on the td->count-th packet of a window,
             * match silently (ret 2) for the packets after it. */
            SCLogDebug("both");

            if (lookup_tsh != NULL) {
                if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                    /* within time limit */

                    lookup_tsh->current_count++;
                    if (lookup_tsh->current_count == td->count) {
                        ret = 1;
                    } else if (lookup_tsh->current_count > td->count) {
                        /* silent match */
                        ret = 2;
                    }
                } else {
                    /* expired, so reset */
                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->current_count = 1;

                    /* if we have a limit of 1, this is a match */
                    if (lookup_tsh->current_count == td->count) {
                        ret = 1;
                    }
                }
            } else {
                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: no state stored, ret stays 0 */
                    break;
                }

                e->current_count = 1;
                e->tv_sec1 = p->ts.tv_sec;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);

                /* for the first match we return 1 to
                 * indicate we should alert */
                if (td->count == 1)  {
                    ret = 1;
                }
            }
            break;
        }
        /* detection_filter */
        case TYPE_DETECTION:
        {
            /* detection_filter: alert only once more than td->count packets
             * were seen inside a td->seconds window. Unlike the other types
             * the window is measured with microsecond resolution, and the
             * counter is not reset after an alert, so every further packet in
             * the window alerts too. */
            SCLogDebug("detection_filter");

            if (lookup_tsh != NULL) {
                /* floating-point seconds since the window started */
                long double time_diff = ((p->ts.tv_sec + p->ts.tv_usec/1000000.0) -
                                         (lookup_tsh->tv_sec1 + lookup_tsh->tv_usec1/1000000.0));

                if (time_diff < td->seconds) {
                    /* within timeout */

                    lookup_tsh->current_count++;
                    if (lookup_tsh->current_count > td->count) {
                        ret = 1;
                    }
                } else {
                    /* expired, reset */

                    lookup_tsh->tv_sec1 = p->ts.tv_sec;
                    lookup_tsh->tv_usec1 = p->ts.tv_usec;
                    lookup_tsh->current_count = 1;
                }
            } else {
                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: no state stored, ret stays 0 */
                    break;
                }

                /* the first packet never alerts here: the count has to
                 * exceed td->count first */
                e->current_count = 1;
                e->tv_sec1 = p->ts.tv_sec;
                e->tv_usec1 = p->ts.tv_usec;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);
            }
            break;
        }
        /* rate_filter */
        case TYPE_RATE:
        {
            /* rate_filter: always a match (ret 1). Once more than td->count
             * packets are seen inside td->seconds, td->new_action is applied
             * to this and every following packet until td->timeout seconds
             * have passed since the action was enabled. */
            SCLogDebug("rate_filter");

            /* set up front: every path below, including the allocation
             * failure, reports a match */
            ret = 1;

            if (lookup_tsh != NULL) {
                /* Check if we have a timeout enabled, if so,
                 * we still matching (and enabling the new_action) */
                if (lookup_tsh->tv_timeout != 0) {
                    if ((p->ts.tv_sec - lookup_tsh->tv_timeout) > td->timeout) {
                        /* Ok, we are done, timeout reached */
                        /* NOTE(review): only tv_timeout is cleared; tv_sec1
                         * and current_count keep their old values, so the
                         * next packet is compared against the old window. */
                        lookup_tsh->tv_timeout = 0;
                    } else {
                        /* Already matching */
                        /* Take the action to perform */
                        /* apply the configured action straight to the packet */
                        switch (td->new_action) {
                            case TH_ACTION_ALERT:
                                PACKET_ALERT(p);
                                break;
                            case TH_ACTION_DROP:
                                PACKET_DROP(p);
                                break;
                            case TH_ACTION_REJECT:
                                PACKET_REJECT(p);
                                break;
                            case TH_ACTION_PASS:
                                PACKET_PASS(p);
                                break;
                            default:
                                /* Weird, leave the default action */
                                break;
                        }
                        ret = 1;
                    } /* else - if ((p->ts.tv_sec - lookup_tsh->tv_timeout) > td->timeout) */

                } else {
                    /* Update the matching state with the timeout interval */
                    if ( (p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
                        lookup_tsh->current_count++;
                        if (lookup_tsh->current_count > td->count) {
                            /* Then we must enable the new action by setting a
                             * timeout */
                            lookup_tsh->tv_timeout = p->ts.tv_sec;
                            /* Take the action to perform */
                            /* same action dispatch as in the timeout branch
                             * above */
                            switch (td->new_action) {
                                case TH_ACTION_ALERT:
                                    PACKET_ALERT(p);
                                    break;
                                case TH_ACTION_DROP:
                                    PACKET_DROP(p);
                                    break;
                                case TH_ACTION_REJECT:
                                    PACKET_REJECT(p);
                                    break;
                                case TH_ACTION_PASS:
                                    PACKET_PASS(p);
                                    break;
                                default:
                                    /* Weird, leave the default action */
                                    break;
                            }
                            ret = 1;
                        }
                    } else {
                        /* window expired: restart counting with this packet */
                        lookup_tsh->tv_sec1 = p->ts.tv_sec;
                        lookup_tsh->current_count = 1;
                    }
                } /* else - if (lookup_tsh->tv_timeout != 0) */
            } else {
                /* ret is already 1, so this assignment changes nothing */
                if (td->count == 1) {
                    ret = 1;
                }

                DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                if (e == NULL) {
                    /* allocation failed: still reported as a match (ret 1),
                     * but no state is stored for the next packet */
                    break;
                }

                e->current_count = 1;
                e->tv_sec1 = p->ts.tv_sec;
                /* no action active yet */
                e->tv_timeout = 0;

                /* prepend to the host's entry list in storage slot
                 * threshold_id */
                e->next = HostGetStorageById(h, threshold_id);
                HostSetStorageById(h, threshold_id, e);
            }
            break;
        }
        case TYPE_SUPPRESS:
        {
            /* suppress: compare td->addr with the packet address selected by
             * td->track. A non-zero result (presumably an address match --
             * DetectAddressMatch's contract is not visible here) turns the
             * alert into a silent match (ret 2); zero keeps it a normal match. */
            int res = 0;
            switch (td->track) {
                case TRACK_DST:
                    res = DetectAddressMatch(td->addr, &p->dst);
                    break;
                case TRACK_SRC:
                    res = DetectAddressMatch(td->addr, &p->src);
                    break;
                case TRACK_RULE:
                default:
                    /* res stays 0, so an unsupported track mode is reported
                     * as a normal match rather than being suppressed */
                    SCLogError(SC_ERR_INVALID_VALUE,
                               "track mode %d is not supported", td->track);
                    break;
            }
            if (res == 0)
                ret = 1;
            else
                ret = 2; /* suppressed but still need actions */
            break;
        }
        default:
            /* unknown type: log it and report no match (ret stays 0) */
            SCLogError(SC_ERR_INVALID_VALUE, "type %d is not supported", td->type);
    }

    return ret;
}