Commit Graph

10 Commits (7627756360f6153eccaa0b2d3ee2ceefcb148281)

Author SHA1 Message Date
Ofer Dagan 7627756360 detect/detection_filter: add unique_on option
Add optional unique_on {src_port|dst_port} to detection_filter for
exact distinct port counting within the seconds window.

Features:
- Runtime uses a single 64k-bit (8192 bytes) union bitmap per
  threshold entry with O(1) updates.
- Follows detection_filter semantics: alerting starts after the
  threshold (> count), not at it.
- On window expiry, the window is reset and the current packet's
  port is recorded as the first distinct of the new window.

Validation:
- unique_on requires a ported transport protocol; reject rules
  that are not tcp/udp/sctp or that use ip (protocol any).

Memory management:
- Bitmap memory is bounded by detect.thresholds.memcap.
- New counters: bitmap_memuse and bitmap_alloc_fail.

Tests:
- C unit tests for parsing, distinct counting, window reset, and
  allocation failure fallback.
- suricata-verify tests for distinct src/dst port counting.

Task #7928
3 months ago
Juliana Fajardini 907f4faff8 doc/thresholding: minor fix for backoff subsection
5 months ago
Jeff Lucovsky e9128e66e6 doc/threshold: Threshold keyword clarifications
Issue: 7129
1 year ago
Victor Julien afc318737a doc/userguide: document threshold backoff type
2 years ago
Victor Julien e362a01f8d doc/userguide: document new threshold config options
2 years ago
Victor Julien 405491c3fc detect/detection_filter: add support for track by_flow
2 years ago
Victor Julien 3f04af7c7f doc: add thresholding by_flow
2 years ago
Todd Mortimer 6b4d32c6bb doc: Update documentation for by_rule and by_both thresholds.
6 years ago
Ralph Broenink 722cff1862 doc: Restructure ToC
* All sections up to 2 levels deep are now shown regardless of whether they are a separate page
* Rename Xbits and Thresholding for more consistent naming
* Minor adjustment in the Payload Keywords section
8 years ago
Jason Ish 2751baae46 doc: rename from "sphinx" to "userguide"
10 years ago