threshold: add by_flow support for global thresholds

Allow rate_filter and thresholds from the global config to specify tracking "by_flow".
2 years ago · cfd55ead74
parent 1552f0953a
commit cfd55ead74
2 changed files with 9 additions and 2 deletions
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@ -343,6 +343,7 @@ static int ThresholdHandlePacketSuppress(Packet *p,
            }
            break;
        case TRACK_RULE:
+        case TRACK_FLOW:
        default:
            SCLogError("track mode %d is not supported", td->track);
            break;
--- a/src/util-threshold-config.c
+++ b/src/util-threshold-config.c
@ -66,11 +66,15 @@ static FILE *g_ut_threshold_fp = NULL;
 #define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"

 #define DETECT_THRESHOLD_REGEX                                                                     \
-    "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,"   \
+    "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_"     \
+    "flow)\\s*,"                                                                                   \
    "\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"

 /* TODO: "apply_to" */
-#define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$"
+#define DETECT_RATE_REGEX                                                                          \
+    "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_flow)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*"      \
+    "seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*"          \
+    "timeout\\s*(\\d+)\\s*$"

 /*
 * suppress has two form:
@ -793,6 +797,8 @@ static int ParseThresholdRule(const DetectEngineCtx *de_ctx, char *rawstr, uint3
            }
            else if (strcasecmp(th_track,"by_rule") == 0)
                parsed_track = TRACK_RULE;
+            else if (strcasecmp(th_track, "by_flow") == 0)
+                parsed_track = TRACK_FLOW;
            else {
                SCLogError("Invalid track parameter %s in %s", th_track, rawstr);
                goto error;