detect/detection_filter: add support for track by_flow

12 months ago · 405491c3fc
parent 3f04af7c7f
commit 405491c3fc
2 changed files with 6 additions and 3 deletions
--- a/doc/userguide/rules/thresholding.rst
+++ b/doc/userguide/rules/thresholding.rst
@ -118,7 +118,7 @@ again.

 Syntax::

-  detection_filter: track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
+  detection_filter: track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, seconds <T>

 Example::

--- a/src/detect-detection-filter.c
+++ b/src/detect-detection-filter.c
@ -47,8 +47,9 @@
 *\brief Regex for parsing our detection_filter options
 */
 #define PARSE_REGEX                                                                                \
-    "^\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|" \
-    "by_dst|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|\\d+)\\s*$"
+    "^\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+" \
+    "(by_src|"                                                                                     \
+    "by_dst|by_flow|\\d+)\\s*,\\s*(track|count|seconds)\\s+(by_src|by_dst|by_flow|\\d+)\\s*$"

 static DetectParseRegex parse_regex;

@ -158,6 +159,8 @@ static DetectThresholdData *DetectDetectionFilterParse(const char *rawstr)
            df->track = TRACK_DST;
        if (strncasecmp(args[i], "by_src", strlen("by_src")) == 0)
            df->track = TRACK_SRC;
+        if (strncasecmp(args[i], "by_flow", strlen("by_flow")) == 0)
+            df->track = TRACK_FLOW;
        if (strncasecmp(args[i], "count", strlen("count")) == 0)
            count_pos = i + 1;
        if (strncasecmp(args[i], "seconds", strlen("seconds")) == 0)