mirror of https://github.com/OISF/suricata
Add optional unique_on {src_port|dst_port} to detection_filter for
exact distinct port counting within the seconds window.
Features:
- Runtime uses a single 64k-bit (8192 bytes) union bitmap per
threshold entry with O(1) updates.
- Follows detection_filter semantics: alerting starts after the
threshold (> count), not at it.
- On window expiry, the window is reset and the current packet's
port is recorded as the first distinct of the new window.
Validation:
- unique_on requires a ported transport protocol; reject rules
that are not tcp/udp/sctp or that use ip (protocol any).
Memory management:
- Bitmap memory is bounded by detect.thresholds.memcap.
- New counters: bitmap_memuse and bitmap_alloc_fail.
Tests:
- C unit tests for parsing, distinct counting, window reset, and
allocation failure fallback.
- suricata-verify tests for distinct src/dst port counting.
Task #7928
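The counting semantics the commit message lays out (one 64k-bit bitmap per threshold entry, alert strictly above `count`, reset on window expiry with the current port as the first distinct, tcp/udp/sctp only) as an added Python model; this is not Suricata's C code. It assumes packets are dicts with `src_port`/`dst_port` keys, integer-second timestamps, and that a window has expired once more than `seconds` seconds have passed since it started.

```python
"""Model of detection_filter with unique_on (added example, not Suricata's code).

Assumed, not taken from the commit message: packets are dicts keyed by
"src_port"/"dst_port", time is an integer in seconds, and the window is
treated as expired once more than `seconds` seconds have elapsed since it began.
"""
BITMAP_BYTES = 8192  # 64k bits: one bit per possible 16-bit port, as in the commit
PORTED_PROTOS = {"tcp", "udp", "sctp"}


def validate_unique_on(proto, unique_on):
    """Rule-load check: unique_on is only meaningful for ported transports."""
    if unique_on not in ("src_port", "dst_port"):
        raise ValueError(f"unknown unique_on value: {unique_on}")
    if proto not in PORTED_PROTOS:  # "ip" (protocol any) is rejected here too
        raise ValueError(f"unique_on needs tcp/udp/sctp, not {proto}")
    return True


class DistinctPortFilter:
    """Per-threshold-entry state: bitmap, window start and distinct-port count."""

    def __init__(self, count, seconds, unique_on):
        self.count, self.seconds, self.unique_on = count, seconds, unique_on
        self.bitmap = bytearray(BITMAP_BYTES)
        self.window_start = None
        self.distinct = 0

    def _reset(self, now):
        self.bitmap[:] = bytes(BITMAP_BYTES)  # clear all bits once per new window
        self.window_start = now
        self.distinct = 0

    def _record(self, port):
        """O(1) membership test and insert using the bitmap; True if port is new."""
        byte, bit = divmod(port, 8)
        mask = 1 << bit
        if self.bitmap[byte] & mask:
            return False  # already counted in this window
        self.bitmap[byte] |= mask
        self.distinct += 1
        return True

    def match(self, packet, now):
        """Return True when the rule should alert for this packet."""
        port = packet[self.unique_on]
        if self.window_start is None or now - self.window_start > self.seconds:
            self._reset(now)  # expired: this port becomes the new window's first distinct
        self._record(port)
        return self.distinct > self.count  # alert only strictly above count, not at it
```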
Last commit: 3 months ago

| Name | Last change |
|---|---|
| doxygen | |
| userguide | 3 months ago |
| AUTHORS | |
| Basic_Setup.txt | |
| INSTALL | 7 months ago |
| Makefile.am | 7 months ago |
| NEWS | |
| README | |
| Setting_up_IPSinline_for_Linux.txt | |
| TODO | |
| Third_Party_Installation_Guides.txt | |