threshold: add by_flow support for global thresholds

Allow rate_filter and thresholds from the global config to specify tracking "by_flow".
OISF · Mar 2, 2024 · aa462a8 · aa462a8
1 parent f028db7
commit aa462a8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
@@ -342,6 +342,7 @@ static int ThresholdHandlePacketSuppress(Packet *p,
             }
             break;
         case TRACK_RULE:
+        case TRACK_FLOW:
         default:
             SCLogError("track mode %d is not supported", td->track);
             break;

diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c
@@ -67,11 +67,15 @@ static FILE *g_ut_threshold_fp = NULL;
 #define DETECT_BASE_REGEX "^\\s*(event_filter|threshold|rate_filter|suppress)\\s*gen_id\\s*(\\d+)\\s*,\\s*sig_id\\s*(\\d+)\\s*(.*)\\s*$"
 
 #define DETECT_THRESHOLD_REGEX                                                                     \
-    "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,"   \
+    "^,\\s*type\\s*(limit|both|threshold)\\s*,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_"     \
+    "flow)\\s*,"                                                                                   \
     "\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*$"
 
 /* TODO: "apply_to" */
-#define DETECT_RATE_REGEX "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*timeout\\s*(\\d+)\\s*$"
+#define DETECT_RATE_REGEX                                                                          \
+    "^,\\s*track\\s*(by_dst|by_src|by_both|by_rule|by_flow)\\s*,\\s*count\\s*(\\d+)\\s*,\\s*"      \
+    "seconds\\s*(\\d+)\\s*,\\s*new_action\\s*(alert|drop|pass|log|sdrop|reject)\\s*,\\s*"          \
+    "timeout\\s*(\\d+)\\s*$"
 
 /*
  * suppress has two form:
@@ -796,6 +800,8 @@ static int ParseThresholdRule(const DetectEngineCtx *de_ctx, char *rawstr, uint3
             }
             else if (strcasecmp(th_track,"by_rule") == 0)
                 parsed_track = TRACK_RULE;
+            else if (strcasecmp(th_track, "by_flow") == 0)
+                parsed_track = TRACK_FLOW;
             else {
                 SCLogError("Invalid track parameter %s in %s", th_track, rawstr);
                 goto error;