mirror of https://github.com/OISF/suricata
Add optional unique_on {src_port|dst_port} to detection_filter for
exact distinct port counting within the seconds window.
Features:
- Runtime uses a single 64k-bit (8192 bytes) union bitmap per
threshold entry with O(1) updates.
- Follows detection_filter semantics: alerting starts after the
threshold (> count), not at it.
- On window expiry, the window is reset and the current packet's
port is recorded as the first distinct of the new window.
Validation:
- unique_on requires a ported transport protocol; reject rules
that are not tcp/udp/sctp or that use ip (protocol any).
Memory management:
- Bitmap memory is bounded by detect.thresholds.memcap.
- New counters: bitmap_memuse and bitmap_alloc_fail.
Tests:
- C unit tests for parsing, distinct counting, window reset, and
allocation failure fallback.
- suricata-verify tests for distinct src/dst port counting.
Task #7928
| | 3 months ago | |
|---|---|---|
| dataset-examples | ||
| dns-keywords | ||
| fast-pattern | ||
| flow-keywords | ||
| header-keywords | ||
| http-keywords | ||
| intro | ||
| normalized-buffers | ||
| payload-keywords | ||
| pcre | ||
| rule-types | ||
| app-layer.rst | ||
| base64-keywords.rst | ||
| bypass-keyword.rst | ||
| config.rst | ||
| datasets.rst | ||
| dcerpc-keywords.rst | 7 months ago | |
| decode-layer.rst | ||
| dhcp-keywords.rst | ||
| differences-from-snort.rst | ||
| dnp3-keywords.rst | 6 months ago | |
| dns-keywords.rst | 7 months ago | |
| email-keywords.rst | ||
| enip-keyword.rst | ||
| fast-pattern-explained.rst | ||
| file-keywords.rst | 6 months ago | |
| flow-keywords.rst | 4 months ago | |
| ftp-keywords.rst | ||
| header-keywords.rst | 6 months ago | |
| http-keywords.rst | 7 months ago | |
| http2-keywords.rst | 6 months ago | |
| ike-keywords.rst | ||
| index.rst | ||
| integer-keywords.rst | 6 months ago | |
| intro.rst | 5 months ago | |
| ip-reputation-rules.rst | ||
| ipaddr.rst | ||
| ja-keywords.rst | 7 months ago | |
| kerberos-keywords.rst | ||
| ldap-keywords.rst | ||
| lua-detection.rst | ||
| mdns-keywords.rst | ||
| meta.rst | ||
| modbus-keyword.rst | ||
| mqtt-keywords.rst | 6 months ago | |
| multi-buffer-matching.rst | ||
| nfs-keywords.rst | ||
| noalert.rst | ||
| payload-keywords.rst | 3 months ago | |
| pgsql-keywords.rst | ||
| prefilter-keywords.rst | ||
| quic-keywords.rst | ||
| rfb-keywords.rst | ||
| rule-types.rst | ||
| rules-internals.rst | ||
| sdp-keywords.rst | ||
| sip-keywords.rst | ||
| smb-keywords.rst | 7 months ago | |
| smtp-keywords.rst | ||
| snmp-keywords.rst | ||
| ssh-keywords.rst | ||
| tag.rst | ||
| thresholding.rst | 3 months ago | |
| tls-keywords.rst | 5 months ago | |
| transforms.rst | 4 months ago | |
| vlan-keywords.rst | ||
| websocket-keywords.rst | 6 months ago | |
| xbits.rst | 7 months ago | |