detect/detection_filter: extend unique_on with src_ip|dst_ip - v8#15743
Open
oferda4 wants to merge 2 commits into
Convert DetectDetectionFilterDistinctAllocFailFallback from the old result/goto pattern to FAIL_IF/PASS macros. Ticket: 8250
Add optional unique_on {src_ip|dst_ip} to detection_filter for
distinct IP address counting within the seconds window.
Features:
- Runtime uses a hash table per threshold entry for tracking
unique IP addresses (both IPv4 and IPv6).
- Hash table is pre-sized to the count value for optimal memory usage.
- Follows detection_filter semantics: alerting starts after the
threshold (>count), not at it.
- On window expiry, the window is reset and the current packet's
IP is recorded as the first distinct of the new window.
Validation:
- unique_on src_ip/dst_ip works with any IP protocol (unlike
port-based unique_on which requires tcp/udp/sctp).
- Duplicate unique_on options are rejected with an error.
Memory management:
- Hash table memory is bounded by detect.thresholds.memcap.
- Reuses existing counters: bitmap_memuse and bitmap_alloc_fail.
- Memory counters are correctly decremented on hash table reset failure.
Refactoring:
- Added ThresholdDistinctAdd helper to consolidate port/IP
tracking logic and reduce code duplication.
Tests:
- C unit tests for parsing unique_on src_ip and dst_ip options.
Ticket: 8250
NOTE: This PR may contain new authors.
Codecov Report: Patch coverage is

Coverage Diff (main vs #15743):

            main      #15743    +/-
Coverage    82.95%    82.97%    +0.01%
Files       1003      1003
Lines       275096    275451    +355
Hits        228217    228550    +333
Misses      46879     46901     +22
Add optional unique_on {src_ip|dst_ip} to detection_filter for distinct IP address counting within the seconds window.

Features:
- Runtime uses a hash table per threshold entry for tracking unique IP addresses (both IPv4 and IPv6).
- Follows detection_filter semantics: alerting starts after the threshold (>count), not at it.
- On window expiry, the window is reset and the current packet's IP is recorded as the first distinct of the new window.

Validation:
- unique_on src_ip/dst_ip works with any IP protocol (unlike port-based unique_on which requires tcp/udp/sctp).

Memory management:
- Hash table memory is bounded by detect.thresholds.memcap.
- Reuses existing counters: bitmap_memuse and bitmap_alloc_fail.

Refactoring:
- Added ThresholdDistinctAdd helper to consolidate port/IP tracking logic and reduce code duplication.

Tests:
- C unit tests for parsing unique_on src_ip and dst_ip options.
Changes:
v2:
v3:
v4:
v5:
v6:
v7:
- `else if` to `else` in ThresholdDistinctInit (only remaining case after port branch)
v8:
Previous PR: #15194
Ticket: https://redmine.openinfosecfoundation.org/issues/8250
SV_BRANCH=OISF/suricata-verify#2924
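As an added illustration (not code from this PR or from Suricata), the Python model below captures the unique_on src_ip/dst_ip counting semantics the description states: one tracker per threshold entry, an alert only once the number of distinct addresses exceeds count, and a window reset that records the current packet's address as the first distinct of the new window. The window starting at the first match and the `>=` expiry comparison are assumptions, and the hash table is modelled by a Python set.

```python
from __future__ import annotations

import ipaddress
from typing import Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class DistinctIpDetectionFilter:
    """Model of one detection_filter threshold entry with unique_on src_ip|dst_ip.

    Assumptions (not taken from the PR text): the window opens on the first
    match, and it has expired when now - window_start >= seconds.
    """

    def __init__(self, count: int, seconds: int) -> None:
        self.count = count
        self.seconds = seconds
        self.window_start: float | None = None
        # Stands in for the per-entry hash table (pre-sized to count in the PR).
        self.seen: set[IPAddr] = set()

    def match(self, ip: str, now: float) -> bool:
        """Record one rule match for address `ip` at time `now`; True means alert."""
        addr = ipaddress.ip_address(ip)  # IPv4 and IPv6 are both tracked
        if self.window_start is None or now - self.window_start >= self.seconds:
            # First packet or expired window: reset, and the current packet's
            # address becomes the first distinct of the new window. No alert.
            self.window_start = now
            self.seen = {addr}
            return False
        self.seen.add(addr)  # repeats of an already-seen address add nothing
        # detection_filter semantics: alert only after the threshold (>count),
        # and keep alerting for every match while the window stays over it.
        return len(self.seen) > self.count


def run_stream(count: int, seconds: int, packets: list[tuple[str, float]]) -> list[bool]:
    """Feed constructed (address, timestamp) pairs through one tracker."""
    f = DistinctIpDetectionFilter(count, seconds)
    return [f.match(ip, ts) for ip, ts in packets]


# Constructed sample: four distinct sources inside a 10 s window, then expiry.
SAMPLE_PACKETS = [
    ("10.0.0.1", 0.0), ("10.0.0.2", 1.0), ("10.0.0.3", 2.0), ("10.0.0.2", 3.0),
    ("10.0.0.4", 4.0), ("10.0.0.4", 5.0), ("2001:db8::1", 6.0), ("10.0.0.9", 10.0),
]

if __name__ == "__main__":
    print(run_stream(count=3, seconds=10, packets=SAMPLE_PACKETS))
```

With count 3, the fourth distinct address (not the third) is the first alert, a repeated address while under the threshold does not alert, and the packet at t=10 only opens a new window.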