thresholds: fix issues with host based thresholds

The flow manager thread (that also runs the host cleanup code) would sometimes free a host before it's thresholds are timed out. This would lead to misdetection or too many alerts. This was mostly (only?) visible on slower systems. And was caused by a mismatch between time concepts of the async flow manager thread and the packet threads, resulting in the flow manager using a timestamp that was before the threshold entry creation ts. This would lead to an integer underflow in the timeout check, leading to a incorrect conclusion that the threshold entry was timed out. To address this, check if the 'check' timestamp is not before the creation timestamp.
7 years ago · 2b9d242033
parent 660c1de7ba
commit 2b9d242033
1 changed files with 4 additions and 1 deletions
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@ -160,7 +160,10 @@ int ThresholdTimeoutCheck(Host *host, struct timeval *tv)

    prev = NULL;
    while (tmp != NULL) {
-        if ((tv->tv_sec - tmp->tv_sec1) <= tmp->seconds) {
+        /* check if the 'check' timestamp is not before the creation ts.
+         * This can happen due to the async nature of the host timeout
+         * code that also calls this code from a management thread. */
+        if (((uint32_t)tv->tv_sec < tmp->tv_sec1) || (tv->tv_sec - tmp->tv_sec1) <= tmp->seconds) {
            prev = tmp;
            tmp = tmp->next;
            retval = 0;