-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Threshold flow/v8 #11029
base: master
Are you sure you want to change the base?
Threshold flow/v8 #11029
Conversation
Add support for 'by_flow' track option. This allows using the various threshold options in the context of a single flow. Example: alert tcp ... stream-event:pkt_broken_ack; \ threshold:type limit, track by_flow, count 1, seconds 3600; The example would limit the number of alerts to once per hour for packets triggering the 'pkt_broken_ack' stream event. Implemented as a special "flowvar" holding the threshold entries. This means no synchronization is required, making this a cheaper option compared to the other trackers. Ticket: OISF#6822.
Allow rate_filter and thresholds from the global config to specify tracking "by_flow".
Traffic variables (flowvars, flowbits, xbits, etc) use a smaller int for their type than detection types. As a workaround make sure the values fit in a uint8_t.
Limits propegation checked for DETECT_DEPTH as a content flag, which appears to have worked by chance. After reshuffling the keyword id's it no longer worked. This patch uses the proper flag DETECT_CONTENT_DEPTH.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11029 +/- ##
==========================================
+ Coverage 83.62% 83.66% +0.03%
==========================================
Files 922 922
Lines 250321 250392 +71
==========================================
+ Hits 209340 209479 +139
+ Misses 40981 40913 -68
Flags with carried forward coverage won't be shown. Click here to find out more. |
Information: QA ran without warnings. Pipeline 20525 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the work :-)
- CI : 🟠 probably just need a rebase
- Code : Checking now
- Commits segmentation : nice, maybe the commit
detect/content: fix wrong value for depth check
should come before the commits reordering keyword id's - Commit messages : nice
- Git ID set : looks fine for me
- CLA : you already contributed :-p
- Doc update : ok
- Redmine ticket : ok
- Rustfmt : not needed
- Tests : left some remarks there about readability, but fair enough for proving the suricata PR works
- Dependencies added: none
@@ -46,7 +47,7 @@ enum VarTypes { | |||
}; | |||
|
|||
typedef struct GenericVar_ { | |||
uint8_t type; | |||
uint8_t type; /**< variable type, uses detection sm_type */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we not precise that sm_type
is u16 but the order of keywords makes it sure that we fit into an u8 ?
Should you rebase this to get green CI ? |
SV_BRANCH=OISF/suricata-verify#1822
https://redmine.openinfosecfoundation.org/issues/6822
replacing #10910, rebasing and addressing a comment