/**
 * \internal
 * \brief Parse the "threshold" keyword options and attach the result to the
 *        current signature as a DETECT_THRESHOLD match.
 *
 * "threshold" and "detection_filter" are mutually exclusive: setup fails when
 * a DETECT_DETECTION_FILTER match is already present in the signature's
 * DETECT_SM_LIST_MATCH list.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s      pointer to the Current Signature
 * \param rawstr pointer to the user provided threshold options; passed to
 *               DetectThresholdParse() as-is
 *
 * \retval 0 on Success
 * \retval -1 on Failure
 */
static int DetectThresholdSetup (DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
{
    /* Refuse the rule if a detection_filter keyword was already attached.
     * NOTE(review): this lookup can only see matches that are on the list at
     * this point, so presumably the reverse keyword order has to be rejected
     * by the detection_filter setup -- confirm. */
    if (SigMatchGetLastSM(s->sm_lists[DETECT_SM_LIST_MATCH], DETECT_DETECTION_FILTER) != NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
        SCReturnInt(-1);
    }

    /* The option string comes from the rule author; a NULL result from the
     * parser means it was rejected and nothing has been allocated yet. */
    DetectThresholdData *parsed = DetectThresholdParse(rawstr);
    if (parsed == NULL) {
        return -1;
    }

    SigMatch *match = SigMatchAlloc();
    if (match == NULL) {
        /* The parsed data has not been attached anywhere, so release it here. */
        SCFree(parsed);
        return -1;
    }

    /* From here on the parsed data is reachable through match->ctx. */
    match->type = DETECT_THRESHOLD;
    match->ctx = (void *)parsed;
    SigMatchAppendPacket(s, match);

    return 0;
}
/**
 * \internal
 * \brief Apply the prefilter keyword to the last match
 *
 * The keyword takes no value, may appear only once per signature
 * (SIG_FLAG_PREFILTER) and needs a preceding match to attach to. When that
 * match is a content match it is additionally flagged as a fast pattern,
 * unless it is negated and also carries distance/within/offset/depth.
 *
 * \param de_ctx  detection engine ctx (not used here)
 * \param s       signature
 * \param nullstr should be null
 *
 * \retval 0 ok
 * \retval -1 failure
 */
static int DetectPrefilterSetup (DetectEngineCtx *de_ctx, Signature *s, char *nullstr)
{
    SCEnter();

    /* "prefilter" is a bare keyword; any option text is an error. */
    if (nullstr != NULL) {
        SCLogError(SC_ERR_INVALID_VALUE, "prefilter has value");
        SCReturnInt(-1);
    }

    /* Only one prefilter per signature. */
    if (s->flags & SIG_FLAG_PREFILTER) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter already set");
        SCReturnInt(-1);
    }

    /* NOTE(review): SigMatchGetLastSM() takes a single argument here, while
     * DetectThresholdSetup in this file passes a list and a type -- confirm
     * against the prototype. */
    SigMatch *last = SigMatchGetLastSM(s);
    if (last == NULL) {
        SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter needs preceding match");
        SCReturnInt(-1);
    }

    /* The signature is marked before the content checks below run, so on the
     * failure path that follows it stays flagged; presumably the caller
     * discards a signature whose setup returned -1 -- confirm. */
    s->prefilter_sm = last;
    s->flags |= SIG_FLAG_PREFILTER;

    /* if the sig match is content, prefilter should act like
     * 'fast_pattern' w/o options. */
    if (last->type == DETECT_CONTENT) {
        DetectContentData *content = (DetectContentData *)last->ctx;
        const int is_negated = (content->flags & DETECT_CONTENT_NEGATED) != 0;
        const int has_position_modifier =
            (content->flags & (DETECT_CONTENT_DISTANCE | DETECT_CONTENT_WITHIN |
                               DETECT_CONTENT_OFFSET | DETECT_CONTENT_DEPTH)) != 0;

        if (is_negated && has_position_modifier) {
            SCLogError(SC_ERR_INVALID_SIGNATURE, "prefilter; cannot be "
                    "used with negated content, along with relative modifiers");
            SCReturnInt(-1);
        }

        content->flags |= DETECT_CONTENT_FAST_PATTERN;
    }

    SCReturnInt(0);
}