From 4c3e17d4abcc7d07dd3ff8f77bf06d6740adcc39 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 5 Jun 2010 20:01:15 +0200
Subject: [PATCH] Fix thresholding issues.
---
 src/decode-ipv4.c | 16 +++++++++-------
 src/decode-ipv6.c | 16 +++++++++-------
 src/detect-engine-threshold.c | 24 +++++++++++++++---------
 src/detect-threshold.h | 16 ++++++----------
 4 files changed, 39 insertions(+), 33 deletions(-)
diff --git a/src/decode-ipv4.c b/src/decode-ipv4.c
index e53712c279..fffaf87290 100644
--- a/src/decode-ipv4.c
+++ b/src/decode-ipv4.c
@@ -522,13 +522,15 @@ void DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 /* do hdr test, process hdr rules */
 #ifdef DEBUG
- /* debug print */
- char s[16], d[16];
- inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), s, sizeof(s));
- inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), d, sizeof(d));
- SCLogDebug("IPV4 %s->%s PROTO: %" PRIu32 " OFFSET: %" PRIu32 " RF: %" PRIu32 " DF: %" PRIu32 " MF: %" PRIu32 " ID: %" PRIu32 "", s,d,
- IPV4_GET_IPPROTO(p), IPV4_GET_IPOFFSET(p), IPV4_GET_RF(p),
- IPV4_GET_DF(p), IPV4_GET_MF(p), IPV4_GET_IPID(p));
+ if (SCLogDebugEnabled()) { /* only convert the addresses if debug is really enabled */
+ /* debug print */
+ char s[16], d[16];
+ inet_ntop(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), s, sizeof(s));
+ inet_ntop(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), d, sizeof(d));
+ SCLogDebug("IPV4 %s->%s PROTO: %" PRIu32 " OFFSET: %" PRIu32 " RF: %" PRIu32 " DF: %" PRIu32 " MF: %" PRIu32 " ID: %" PRIu32 "", s,d,
+ IPV4_GET_IPPROTO(p), IPV4_GET_IPOFFSET(p), IPV4_GET_RF(p),
+ IPV4_GET_DF(p), IPV4_GET_MF(p), IPV4_GET_IPID(p));
+ }
 #endif /* DEBUG */
 /* check what next decoder to invoke */
diff --git a/src/decode-ipv6.c b/src/decode-ipv6.c
index 8d34a3d36d..870062c766 100644
--- a/src/decode-ipv6.c
+++ b/src/decode-ipv6.c
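Review bot: The address buffers in the new debug block of DecodeIPV4 are sized with the bare literal 16 (`char s[16], d[16];`), and the decode-ipv6.c hunk does the same with 46; `char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];` (and `INET6_ADDRSTRLEN` in DecodeIPV6) ties each size to its address family. The inet_ntop() return values are also ignored in both hunks, so `s` and `d` would reach SCLogDebug uninitialised if a conversion ever failed; initialising them, e.g. `char s[INET_ADDRSTRLEN] = "", d[INET_ADDRSTRLEN] = "";`, keeps the debug print well defined. Both functions start and end outside their hunks.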
@@ -421,13 +421,15 @@ void DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
 }
 #ifdef DEBUG
- /* debug print */
- char s[46], d[46];
- inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), s, sizeof(s));
- inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), d, sizeof(d));
- SCLogDebug("IPV6 %s->%s - CLASS: %" PRIu32 " FLOW: %" PRIu32 " NH: %" PRIu32 " PLEN: %" PRIu32 " HLIM: %" PRIu32 "", s,d,
- IPV6_GET_CLASS(p), IPV6_GET_FLOW(p), IPV6_GET_NH(p), IPV6_GET_PLEN(p),
- IPV6_GET_HLIM(p));
+ if (SCLogDebugEnabled()) { /* only convert the addresses if debug is really enabled */
+ /* debug print */
+ char s[46], d[46];
+ inet_ntop(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), s, sizeof(s));
+ inet_ntop(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), d, sizeof(d));
+ SCLogDebug("IPV6 %s->%s - CLASS: %" PRIu32 " FLOW: %" PRIu32 " NH: %" PRIu32 " PLEN: %" PRIu32 " HLIM: %" PRIu32 "", s,d,
+ IPV6_GET_CLASS(p), IPV6_GET_FLOW(p), IPV6_GET_NH(p), IPV6_GET_PLEN(p),
+ IPV6_GET_HLIM(p));
+ }
 #endif /* DEBUG */
 /* now process the Ext headers and/or the L4 Layer */
diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 027a983691..d1d21282d2 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -164,35 +164,41 @@ DetectThresholdEntry *ThresholdHashSearch(DetectEngineCtx *de_ctx, DetectThresho
 static inline void ThresholdTimeoutRemove(DetectEngineCtx *de_ctx, struct timeval *tv)
 {
- HashListTableBucket *next = HashListTableGetListHead(de_ctx->ths_ctx.threshold_hash_table_src);
- for ( ; next != NULL; next = HashListTableGetListNext(next)) {
- DetectThresholdEntry *tsh = HashListTableGetListData(next);
+ HashListTableBucket *next = NULL;
+ HashListTableBucket *buck = HashListTableGetListHead(de_ctx->ths_ctx.threshold_hash_table_src);
+ while (buck != NULL) {
+ /* get the next before we free "buck" */
+ next = HashListTableGetListNext(buck);
+
+ DetectThresholdEntry *tsh = HashListTableGetListData(buck);
 if (tsh == NULL)
- continue;
+ goto next;
 if ((tv->tv_sec - tsh->tv_sec1) <= tsh->seconds)
- continue;
+ goto next;
 switch(tsh->ipv) {
 case 4:
- if (tsh->type == TRACK_SRC) {
+ if (tsh->track == TRACK_SRC) {
 HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_src,
 tsh, sizeof(DetectThresholdEntry));
- } else if (tsh->type == TRACK_DST) {
+ } else if (tsh->track == TRACK_DST) {
 HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_dst,
 tsh, sizeof(DetectThresholdEntry));
 }
 break;
 case 6:
- if (tsh->type == TRACK_SRC) {
+ if (tsh->track == TRACK_SRC) {
 HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_src_ipv6,
 tsh, sizeof(DetectThresholdEntry));
- } else if (tsh->type == TRACK_DST) {
+ } else if (tsh->track == TRACK_DST) {
 HashListTableRemove(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6,
 tsh, sizeof(DetectThresholdEntry));
 }
 break;
 }
+ next:
+ buck = next;
 }
 return;
diff --git a/src/detect-threshold.h b/src/detect-threshold.h
index 86b537430c..d72a8845dd 100644
--- a/src/detect-threshold.h
+++ b/src/detect-threshold.h
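Review bot: ThresholdTimeoutRemove still walks only the list of `threshold_hash_table_src`, so as far as this hunk shows, expired entries held in the dst, src_ipv6 and dst_ipv6 tables are never visited, and the TRACK_DST and `case 6` branches can only act on an entry that was found in the IPv4 source table. Stale entries then stay in those tables, which costs memory and keeps old counters alive for by_dst and IPv6 thresholds. Sweeping each table with the same loop, and removing from the table being walked, avoids both. The sketch below assumes the four members are `HashListTable *` and are all initialised whenever this function runs; the function's closing brace lies outside the hunk.

```c
/* drop every entry of one table whose time window has elapsed */
static inline void ThresholdTimeoutRemoveTable(HashListTable *ht, struct timeval *tv)
{
    HashListTableBucket *buck = HashListTableGetListHead(ht);
    while (buck != NULL) {
        /* get the next before we free "buck" */
        HashListTableBucket *next = HashListTableGetListNext(buck);
        DetectThresholdEntry *tsh = HashListTableGetListData(buck);

        if (tsh != NULL && (tv->tv_sec - tsh->tv_sec1) > tsh->seconds)
            HashListTableRemove(ht, tsh, sizeof(DetectThresholdEntry));

        buck = next;
    }
}

static inline void ThresholdTimeoutRemove(DetectEngineCtx *de_ctx, struct timeval *tv)
{
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_src, tv);
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_dst, tv);
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_src_ipv6, tv);
    ThresholdTimeoutRemoveTable(de_ctx->ths_ctx.threshold_hash_table_dst_ipv6, tv);
    /* … unchanged: return … */
```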
@@ -42,27 +42,23 @@ */ typedef struct DetectThresholdData_ { - uint8_t type; /**< Threshold type : limit , threshold, both, detection_filter */ - uint8_t track; /**< Track type: by_src, by_src */ uint32_t count; /**< Event count */ uint32_t seconds; /**< Event seconds */ uint32_t sid; /**< Signature id */ uint8_t gid; /**< Signature group id */ - uint8_t ipv; /**< Packet ip version */ + uint8_t type; /**< Threshold type : limit , threshold, both, detection_filter */ + uint8_t track; /**< Track type: by_src, by_dst */ } DetectThresholdData; typedef struct DetectThresholdEntry_ { - uint8_t type; /**< Threshold type : limit , threshold, both */ - uint8_t track; /**< Track type: by_src, by_src */ uint32_t seconds; /**< Event seconds */ uint32_t sid; /**< Signature id */ - uint8_t gid; /**< Signature group id */ - uint8_t ipv; /**< Packet ip version */ - - Address addr; /**< Var used to store dst or src addr */ - uint32_t tv_sec1; /**< Var for time control */ uint32_t current_count; /**< Var for count control */ + Address addr; /**< Var used to store dst or src addr */ + uint8_t gid; /**< Signature group id */ + uint8_t ipv; /**< Packet ip version */ + uint8_t track; /**< Track type: by_src, by_src */ } DetectThresholdEntry;
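Review bot: The doc comment on the new `track` member of DetectThresholdEntry still reads `by_src, by_src`, while the same comment on DetectThresholdData is corrected in this hunk; it should read `uint8_t track; /**< Track type: by_src, by_dst */`. Separately, `gid` stays `uint8_t` in both structs next to a 32-bit `sid`. If group ids above 255 can reach these structs (not visible here), they would be truncated and thresholds for different gids could end up sharing an entry, so widening the field or rejecting such values at parse time is worth checking.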