Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature 2694 thresholds v6 #4760

Closed
wants to merge 6 commits into from
Closed

Feature 2694 thresholds v6 #4760

wants to merge 6 commits into from

Conversation

mordak
Copy link
Contributor

@mordak mordak commented Mar 31, 2020

Make sure these boxes are signed before submitting your Pull Request -- thank you.

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/2694

Describe changes:

  • Accept by_rule and by_both in rule thresholds.
  • Add TIMEVAL convenience macros.
  • Refactor threshold application to separate threshold table storage from threshold calculation.
  • Ensure the by_rule threshold table is initialized when needed.
  • Add tests for threshold parsing and application.
  • Update docs for by_rule and by_both thresholds in rules.

Continuation of #4747

mordak added 6 commits March 30, 2020 23:36
@mordak
detect/threshold: Parse by_rule and by_both in rules.
8497433 
Also add tests for parsing them.
@mordak
time: Add TIMEVAL_EARLIER and TIMEVAL_DIFF_SEC macros.
ed84a74 
Make it easy to compare 'struct timeval's and get their difference.
@mordak
detect/threshold: Refactor threshold calculation to handle by_rule an…
8f2a257 
…d by_both.

The only difference between threshold calculations for by_src/by_dst,
by_rule or by_both is which table stores the DetectThresholdEntry.
Refactor the ThresholdHandlePacket* functions to do table lookup and
storage individually, but calculate thresholds in a common function.
@mordak
detect/threshold: Add a common function to (re)allocate the by_rule t…
297d210 
…hreshold table.

Ensure that the by_rule threshold table is initialized if a rule
is thresholded by_rule. Replace manual table reallocaton with calls
to the common function.
@mordak
detect/threshold: Add tests for thresholding by_rule and by_both.
ea22032
@mordak
doc: Update documentation for by_rule and by_both thresholds.
78b66b4
@mordak mordak requested review from norg and a team as code owners March 31, 2020 00:07
@mordak mordak mentioned this pull request Mar 31, 2020
Closed
3 tasks
jlucovsky
jlucovsky reviewed Mar 31, 2020
View reviewed changes
src/detect-engine-threshold.c

void *ptmp = SCRealloc(de_ctx->ths_ctx.th_entry, num * sizeof(DetectThresholdEntry *));
if (ptmp == NULL) {
SCLogWarning(SC_ERR_MEM_ALLOC, "Error allocating memory for rule thresholds"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use a value prefixed with SC_WARN_ .... These are in util-error.[hc]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually went looking for an appropriate SC_WARN to use here, but none of them seem to apply to something like a memory allocation failure. The only ones I can find that apply to memory allocation problems are SC_ERR, and there are examples of SCLogWarning(SC_ERR_MEM_*) in conf.c, log-pcap.c, log-tlsstore.c, and util-buffer.c, so I thought this was fine.

Would you like a new SC_WARN_MEM_ALLOC in util-error.h?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need for that. We're considering switching to a much simpler scheme soon too.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No ... your pr looks good to me as is.

We'll address the discrepancy in a different issue.

jlucovsky
jlucovsky reviewed Mar 31, 2020
View reviewed changes
Copy link
Contributor

@jlucovsky jlucovsky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

src/detect-engine-threshold.c

void *ptmp = SCRealloc(de_ctx->ths_ctx.th_entry, num * sizeof(DetectThresholdEntry *));
if (ptmp == NULL) {
SCLogWarning(SC_ERR_MEM_ALLOC, "Error allocating memory for rule thresholds"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No ... your pr looks good to me as is.

We'll address the discrepancy in a different issue.

@victorjulien
Copy link
Member

Running through QA.

@victorjulien
Copy link
Member

@mordak are there associated Suricata-Verify tests?

@mordak
Copy link
Contributor Author

mordak commented Apr 6, 2020

@mordak are there associated Suricata-Verify tests?

Sorry, no. I didn't know that was a thing until just now.

@victorjulien victorjulien mentioned this pull request Apr 7, 2020
Merged
@victorjulien
Copy link
Member

Merged in #4785, thanks Todd!

@victorjulien
Copy link
Member

@mordak are there associated Suricata-Verify tests?

Sorry, no. I didn't know that was a thing until just now.

If you're interested in doing a few tests, it would be great. The existing tests can serve as examples.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlucovsky jlucovsky jlucovsky left review comments

@victorjulien victorjulien victorjulien left review comments

@norg norg Awaiting requested review from norg

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mordak @victorjulien @jlucovsky