Bug #2258: rate_filter inconsistency: triggered after "count" detections when by_rule, and after count+1 detections when by_src/by_dst. - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2258

closed

rate_filter inconsistency: triggered after "count" detections when by_rule, and after count+1 detections when by_src/by_dst.

Added by Ruslan Usmanov almost 7 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Ruslan Usmanov

Target version:

4.1beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

When I trying to rate_filter by rule, the filter triggered on "count" detections. When I change rate_filter to by src/dst, program allows one more detection before triggering the filter.
In function ThresholdHandlePacketRule() (used on by_rule), event filtered when current_count >= td->count , but in corresponding code in function ThresholdHandlePacketHost() (used on by src/dst), event triggered when current_count > td->count.
This situation leads to inconsistency.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #2258

rate_filter inconsistency: triggered after "count" detections when by_rule, and after count+1 detections when by_src/by_dst.

Updated by Andreas Herz almost 7 years ago

Updated by Ruslan Usmanov almost 7 years ago

Updated by Victor Julien almost 7 years ago

Updated by Ruslan Usmanov almost 7 years ago

Updated by Victor Julien over 6 years ago