next/508/20240628/v1 #11394

Merged
merged 30 commits into from
Jul 2, 2024
30 commits
1fa13e4
util/var: remove printf; add assert
victorjulien Mar 1, 2024
a81b232
util/var: add comments explaining types
victorjulien Mar 4, 2024
1552f09
detect/threshold: implement tracking 'by_flow'
victorjulien Feb 27, 2024
cfd55ea
threshold: add by_flow support for global thresholds
victorjulien Mar 2, 2024
022173d
detect: group types used in traffic variables
victorjulien Mar 4, 2024
d0f3f2d
detect: group content inspect keyword id's
victorjulien Mar 5, 2024
f028648
detect/content: fix wrong value for depth check
victorjulien Mar 5, 2024
3f04af7
doc: add thresholding by_flow
victorjulien Mar 8, 2024
405491c
detect/detection_filter: add support for track by_flow
victorjulien Mar 13, 2024
c963158
detect: add ticket id to var related todos
victorjulien Mar 13, 2024
c08c81c
detect/threshold: implement per thread cache
victorjulien Sep 11, 2023
6622dc7
detect/threshold: minor cleanup
victorjulien Jan 9, 2024
ab5e045
detect/threshold: minor code cleanup
victorjulien Jan 9, 2024
3a7247b
detect/threshold: minor rate filter cleanup
victorjulien Jan 9, 2024
114fc37
detect/address: constify ipv6 cmp funcs
victorjulien Jan 9, 2024
00e1e89
thash: add expiration logic
victorjulien Jan 10, 2024
ac400af
range: use thash expiry API for timeout
victorjulien Jan 9, 2024
b8028bf
thresholds: use dedicated storage
victorjulien Jan 9, 2024
3471c0f
detect/threshold: improve hash function
victorjulien Apr 19, 2024
2be998f
detect/threshold: include rev in threshold tracking
victorjulien Apr 19, 2024
1e9fdc4
detect/threshold: consider tenant id in tracking
victorjulien Apr 19, 2024
7bcf364
detect/threshold: expand cache support for rule tracking
victorjulien Apr 19, 2024
10eaf55
detect/threshold: includes cleanup
victorjulien Apr 20, 2024
7d4fcc3
detect/threshold: make hash size and memcap configurable
victorjulien May 15, 2024
e362a01
doc/userguide: document new threshold config options
victorjulien May 15, 2024
2abe0df
detect/threshold: format file
victorjulien Jun 24, 2024
a0d515b
detect/threshold: regex cleanup
victorjulien Jun 24, 2024
12130df
detect/threshold: implement backoff type
victorjulien Jun 24, 2024
9e735fd
stream: enable backoff on event rules
victorjulien Jun 24, 2024
afc3187
doc/userguide: document threshold backoff type
victorjulien Jun 26, 2024
6 changes: 5 additions & 1 deletion doc/userguide/configuration/global-thresholds.rst
Expand Up @@ -6,6 +6,9 @@ Thresholds can be configured in the rules themselves, see
their intelligence for creating a rule combined with a judgement on how often
a rule will alert.

Thresholds are tracked in a hash table that is sized according to configuration, see:
:ref:`suricata-yaml-thresholds`.

Threshold Config
----------------

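Review bot: the added sentence overstates its scope: the suricata-yaml.rst section introduced in this same PR says the central hash table is used for by_src, by_dst and by_both, so by_rule and by_flow thresholds are not sized by that setting. Suggest "Thresholds tracked by_src, by_dst or by_both are stored in a central hash table whose size and memcap are configurable, see :ref:`suricata-yaml-thresholds`." and drop the stray colon after "see".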
Expand All @@ -20,7 +23,7 @@ Syntax:
::

threshold gen_id <gid>, sig_id <sid>, type <threshold|limit|both>, \
track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, seconds <T>

rate_filter
~~~~~~~~~~~
Expand Down Expand Up @@ -55,6 +58,7 @@ done per IP-address. The Host table is used for storage. When using by_rule
it's done globally for the rule.
Option by_both used to track per IP pair of source and destination. Packets
going to opposite directions between same addresses tracked as the same pair.
The by_flow option tracks the rule matches in the flow.

count
^^^^^
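Review bot: the unchanged context "The Host table is used for storage" is now stale: commit b8028bf "thresholds: use dedicated storage" and the new detect.thresholds hash-size/memcap settings documented in this PR describe a dedicated threshold hash table, so this paragraph should point at that instead of the Host table. The added by_flow sentence is also thinner than its neighbours; spell out what "in the flow" means for the reader: whether the counter is kept per flow independently of the hash table, whether the seconds window applies within that flow, and what happens to the count when the flow ends.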
16 changes: 16 additions & 0 deletions doc/userguide/configuration/suricata-yaml.rst
Expand Up @@ -739,6 +739,22 @@ To let Suricata make these decisions set default to 'auto':
prefilter:
default: auto

.. _suricata-yaml-thresholds:

Thresholding Settings
~~~~~~~~~~~~~~~~~~~~~

Thresholding uses a central hash table for tracking thresholds of the types: by_src, by_dst, by_both.

::

detect:
thresholds:
hash-size: 16384
memcap: 16mb

``detect.thresholds.hash-size`` controls the number of hash rows in the hash table.
``detect.thresholds.memcap`` controls how much memory can be used for the hash table and the data stored in it.

Pattern matcher settings
~~~~~~~~~~~~~~~~~~~~~~~~
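Review bot: the new section does not say what happens when memcap is reached (whether new threshold entries are refused so the affected rule alerts unthresholded, and whether a stats counter records it) nor how hash-size and memcap relate (a memcap too small to hold the configured number of rows); both are what an operator tuning these values needs. The sentence naming by_src, by_dst and by_both should also say where by_rule and by_flow state lives, so the omission does not read as an oversight.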
66 changes: 64 additions & 2 deletions doc/userguide/rules/thresholding.rst
Expand Up @@ -4,6 +4,9 @@ Thresholding Keywords
Thresholding can be configured per rule and also globally, see
:doc:`../configuration/global-thresholds`.

Thresholds are tracked in a hash table that is sized according to configuration, see:
:ref:`suricata-yaml-thresholds`.

*Note: mixing rule and global thresholds is not supported in 1.3 and
before. See bug #425.* For the state of the support in 1.4 see
:ref:`global-thresholds-vs-rule-thresholds`
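Review bot: this is the same sentence as added to global-thresholds.rst; per the suricata-yaml.rst section in this PR the hash table covers by_src, by_dst and by_both only, so qualify it ("Thresholds tracked by_src, by_dst or by_both are stored in a central hash table ...") and drop the colon after "see". Keeping the two copies word-for-word identical will make them easier to update together.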
Expand All @@ -16,7 +19,7 @@ frequency. It has 3 modes: threshold, limit and both.

Syntax::

threshold: type <threshold|limit|both>, track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
threshold: type <threshold|limit|both|backoff>, track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, <seconds <T>|multiplier <M>>

type "threshold"
~~~~~~~~~~~~~~~~
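Review bot: the combined syntax line hides two constraints documented further down: multiplier only pairs with type backoff, and backoff only supports track by_flow, while seconds pairs with the other three types. Either give backoff its own syntax line here (the new section below already has one) or add a sentence after the line stating those pairings; as written, "type limit, track by_src, count 5, multiplier 2" looks valid.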
Expand Down Expand Up @@ -85,6 +88,65 @@ performed for each of the matches.

*Rule actions drop (IPS mode) and reject are applied to each packet.*

type "backoff"
~~~~~~~~~~~~~~

Allow limiting of alert output by using a backoff algorithm.

Syntax::

threshold: type backoff, track by_flow, count <C>, multiplier <M>;

``track``: backoff is only supported for ``by_flow``
``count``: number of alerts before the first match is logged
``multiplier``: value to multiply ``count`` with each time the next value is reached

A count of 1 with a multiplier of 10 would generate alerts for matching packets::

1, 10, 100, 1000, 10000, 100000, etc.

A count of 1 with a multiplier of 2 would generate alerts for matching packets::

1, 2, 4, 8, 16, 32, 64, etc.

A count of 5 with multiplier 5 would generate alerts for matching packets::

5, 25, 125, 625, 3125, 15625, etc

In the following example, the ``pkt_invalid_ack`` would only lead to alerts the 1st, 10th, 100th, etc.

.. container:: example-rule

alert tcp any any -> any any (stream-event:pkt_invalid_ack; \
:example-rule-options:`threshold:type backoff, track by_flow, count 1, multiplier 10;`
sid:2210045; rev:2;)

If a signature sets a flowbit, flowint, etc. those actions are still
performed for each of the matches.

*Rule actions drop (IPS mode) and reject are applied to each matching packet.*


track
~~~~~

.. table::

+------------------+--------------------------+
|Option |Tracks By |
+==================+==========================+
|by_src |source IP |
+------------------+--------------------------+
|by_dst |destination IP |
+------------------+--------------------------+
|by_both |pair of src IP and dst IP |
+------------------+--------------------------+
|by_rule |signature id |
+------------------+--------------------------+
|by_flow |flow |
+------------------+--------------------------+


detection_filter
----------------

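Review bot: the three option descriptions under "Syntax::" (``track``:, ``count``:, ``multiplier``:) are consecutive lines with no blank line between them, so reStructuredText will render them as one run-on paragraph; separate them with blank lines or use a definition list. The ``multiplier`` description ("value to multiply ``count`` with each time the next value is reached") is hard to follow; the examples make the rule clear, so state it directly: an alert is logged at match number count, then count*multiplier, count*multiplier^2, and so on. Minor: "5, 25, 125, 625, 3125, 15625, etc" lacks the trailing period the other two lists have, "the ``pkt_invalid_ack`` would only lead to alerts the 1st, 10th, 100th, etc." should read "the ``pkt_invalid_ack`` event would only lead to an alert on the 1st, 10th, 100th, etc. match", and there is a double blank line before the "track" heading.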
Expand All @@ -97,7 +159,7 @@ again.

Syntax::

detection_filter: track <by_src|by_dst|by_rule|by_both>, count <N>, seconds <T>
detection_filter: track <by_src|by_dst|by_rule|by_both|by_flow>, count <N>, seconds <T>

Example::

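Review bot: by_flow is added to the detection_filter syntax only; the descriptive text of this section (the explanation of track, outside this hunk) should say what per-flow tracking means for detection_filter, consistent with the track table added above, otherwise the option is documented here by the syntax line alone.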