
Thresholding

This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval. More...

Files

file  detect-engine-threshold.c
 
file  detect-threshold.c
 
file  util-threshold-config.c
 

Functions

int ThresholdHostStorageId (void)
 
void ThresholdInit (void)
 
int ThresholdHostHasThreshold (Host *host)
 
int ThresholdIPPairHasThreshold (IPPair *pair)
 
const DetectThresholdData * SigGetThresholdTypeIter (const Signature *sig, Packet *p, const SigMatchData **psm, int list)
 Return next DetectThresholdData for signature. More...
 
static DetectThresholdEntry * ThresholdTimeoutCheck (DetectThresholdEntry *head, struct timeval *tv)
 Remove timed-out threshold hash elements. More...
 
int ThresholdHostTimeoutCheck (Host *host, struct timeval *tv)
 
int ThresholdIPPairTimeoutCheck (IPPair *pair, struct timeval *tv)
 
static DetectThresholdEntry * DetectThresholdEntryAlloc (const DetectThresholdData *td, Packet *p, uint32_t sid, uint32_t gid)
 
static DetectThresholdEntry * ThresholdHostLookupEntry (Host *h, uint32_t sid, uint32_t gid)
 
static DetectThresholdEntry * ThresholdIPPairLookupEntry (IPPair *pair, uint32_t sid, uint32_t gid)
 
static int ThresholdHandlePacketSuppress (Packet *p, const DetectThresholdData *td, uint32_t sid, uint32_t gid)
 
static void RateFilterSetAction (Packet *p, PacketAlert *pa, uint8_t new_action)
 
static int IsThresholdReached (DetectThresholdEntry *lookup_tsh, const DetectThresholdData *td, uint32_t packet_time)
 Check whether the entry has reached its threshold count limit. More...
 
static void AddEntryToHostStorage (Host *h, DetectThresholdEntry *e, uint32_t packet_time)
 
static void AddEntryToIPPairStorage (IPPair *pair, DetectThresholdEntry *e, uint32_t packet_time)
 
static int ThresholdHandlePacketIPPair (IPPair *pair, Packet *p, const DetectThresholdData *td, uint32_t sid, uint32_t gid, PacketAlert *pa)
 
static int ThresholdHandlePacketHost (Host *h, Packet *p, const DetectThresholdData *td, uint32_t sid, uint32_t gid, PacketAlert *pa)
 
static int ThresholdHandlePacketRule (DetectEngineCtx *de_ctx, Packet *p, const DetectThresholdData *td, const Signature *s, PacketAlert *pa)
 
int PacketAlertThreshold (DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const DetectThresholdData *td, Packet *p, const Signature *s, PacketAlert *pa)
 Apply the threshold logic for signatures. More...
 
void ThresholdHashInit (DetectEngineCtx *de_ctx)
 Init threshold context hash tables. More...
 
void ThresholdContextDestroy (DetectEngineCtx *de_ctx)
 Destroy threshold context hash tables. More...
 
void ThresholdListFree (void *ptr)
 Frees all the entries of a DetectTagDataEntry list. More...
 

Variables

static int host_threshold_id = -1
 
static int ippair_threshold_id = -1
 

Detailed Description

This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.

Function Documentation

◆ AddEntryToHostStorage()

◆ AddEntryToIPPairStorage()

◆ DetectThresholdEntryAlloc()

◆ IsThresholdReached()

static int IsThresholdReached ( DetectThresholdEntry *  lookup_tsh,
const DetectThresholdData *  td,
uint32_t  packet_time 
)
static

Check whether the entry has reached its threshold count limit.

Parameters
lookup_tsh — the current threshold entry
td — the threshold settings
packet_time — used to compare against the previous detection and to set timeouts
Return values
int — 1 if the threshold is reached for this entry

Definition at line 336 of file detect-engine-threshold.c.

References DetectThresholdData_::count, DetectThresholdEntry_::current_count, DetectThresholdData_::seconds, DetectThresholdData_::timeout, DetectThresholdEntry_::tv_sec1, and DetectThresholdEntry_::tv_timeout.

Referenced by ThresholdHandlePacketHost(), ThresholdHandlePacketIPPair(), and ThresholdHandlePacketRule().

◆ PacketAlertThreshold()

int PacketAlertThreshold ( DetectEngineCtx *  de_ctx,
DetectEngineThreadCtx *  det_ctx,
const DetectThresholdData *  td,
Packet *  p,
const Signature *  s,
PacketAlert *  pa 
)

Apply the threshold logic for signatures.

Parameters
de_ctx — Detection Context
tsh_ptr — Threshold element
p — Packet structure
s — Signature structure
Return values
2 — silent match (no alert, but apply actions)
1 — alert on this event
0 — do not alert on this event

Definition at line 662 of file detect-engine-threshold.c.

References Packet_::dst, HostGetHostFromHash(), HostRelease(), IPPairGetIPPairFromHash(), IPPairRelease(), sock_to_gzip_file::s, SCEnter, SCMutexLock, SCMutexUnlock, SCReturnInt, Packet_::src, ThresholdCtx_::threshold_table_lock, ThresholdHandlePacketHost(), ThresholdHandlePacketIPPair(), ThresholdHandlePacketRule(), ThresholdHandlePacketSuppress(), DetectEngineCtx_::ths_ctx, DetectThresholdData_::track, TRACK_BOTH, TRACK_DST, TRACK_RULE, TRACK_SRC, DetectThresholdData_::type, and TYPE_SUPPRESS.

Referenced by PacketAlertHandle().

◆ RateFilterSetAction()

◆ SigGetThresholdTypeIter()

const DetectThresholdData* SigGetThresholdTypeIter ( const Signature *  sig,
Packet *  p,
const SigMatchData **  psm,
int  list 
)

Return next DetectThresholdData for signature.

Parameters
sig — Signature pointer
p — Packet structure
sm — Pointer to a Signature Match pointer
Return values
tsh — the threshold data from the signature, or NULL if not found

Definition at line 115 of file detect-engine-threshold.c.

References SigMatchData_::ctx, DETECT_DETECTION_FILTER, DETECT_THRESHOLD, SigMatchData_::is_last, list, Signature_::sm_arrays, and SigMatchData_::type.

Referenced by PacketAlertHandle().

◆ ThresholdContextDestroy()

void ThresholdContextDestroy ( DetectEngineCtx *  de_ctx)

Destroy threshold context hash tables.

Parameters
de_ctx — Detection Context

Definition at line 722 of file detect-engine-threshold.c.

References SCFree, SCMutexDestroy, ThresholdCtx_::th_entry, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

Referenced by DetectEngineCtxFree().

◆ ThresholdHandlePacketHost()

◆ ThresholdHandlePacketIPPair()

◆ ThresholdHandlePacketRule()

◆ ThresholdHandlePacketSuppress()

static int ThresholdHandlePacketSuppress ( Packet *  p,
const DetectThresholdData *  td,
uint32_t  sid,
uint32_t  gid 
)
static

◆ ThresholdHashInit()

void ThresholdHashInit ( DetectEngineCtx *  de_ctx)

Init threshold context hash tables.

Parameters
de_ctx — Detection Context

Definition at line 707 of file detect-engine-threshold.c.

References SC_ERR_MEM_ALLOC, SCLogError, SCMutexInit, ThresholdCtx_::threshold_table_lock, and DetectEngineCtx_::ths_ctx.

Referenced by DetectEngineCtxInitReal().

◆ ThresholdHostHasThreshold()

int ThresholdHostHasThreshold ( Host *  host)

Definition at line 94 of file detect-engine-threshold.c.

References host_threshold_id, and HostGetStorageById().

Referenced by HostHostTimedOut().

◆ ThresholdHostLookupEntry()

static DetectThresholdEntry* ThresholdHostLookupEntry ( Host *  h,
uint32_t  sid,
uint32_t  gid 
)
static

◆ ThresholdHostStorageId()

int ThresholdHostStorageId ( void  )

Definition at line 75 of file detect-engine-threshold.c.

References host_threshold_id.

◆ ThresholdHostTimeoutCheck()

int ThresholdHostTimeoutCheck ( Host *  host,
struct timeval *  tv 
)

◆ ThresholdInit()

◆ ThresholdIPPairHasThreshold()

int ThresholdIPPairHasThreshold ( IPPair *  pair)

Definition at line 99 of file detect-engine-threshold.c.

References ippair_threshold_id, and IPPairGetStorageById().

Referenced by IPPairTimedOut().

◆ ThresholdIPPairLookupEntry()

static DetectThresholdEntry* ThresholdIPPairLookupEntry ( IPPair *  pair,
uint32_t  sid,
uint32_t  gid 
)
static

◆ ThresholdIPPairTimeoutCheck()

int ThresholdIPPairTimeoutCheck ( IPPair *  pair,
struct timeval *  tv 
)

◆ ThresholdListFree()

void ThresholdListFree ( void *  ptr)

Frees all the entries of a DetectTagDataEntry list.

Parameters
td — pointer to the DetectTagDataEntryList

Definition at line 735 of file detect-engine-threshold.c.

References DetectThresholdEntry_::next, and SCFree.

Referenced by ThresholdInit().

◆ ThresholdTimeoutCheck()

static DetectThresholdEntry* ThresholdTimeoutCheck ( DetectThresholdEntry *  head,
struct timeval *  tv 
)
static

Remove timed-out threshold hash elements.

Parameters
head — the current head element of the storage
tv — the current time
Return values
DetectThresholdEntry* — the new head element, or NULL if all entries have expired

Definition at line 167 of file detect-engine-threshold.c.

References DetectThresholdEntry_::next, SCFree, DetectThresholdEntry_::seconds, and DetectThresholdEntry_::tv_sec1.

Referenced by ThresholdHostTimeoutCheck(), and ThresholdIPPairTimeoutCheck().

Variable Documentation

◆ host_threshold_id

◆ ippair_threshold_id

int ippair_threshold_id = -1
static