From 97c07a8ecac9d1c419baffe700555ec144b2929d Mon Sep 17 00:00:00 2001
From: Anoop Saldanha <poonaatsoc@gmail.com>
Date: Mon, 23 Apr 2012 13:46:34 +0530
Subject: [PATCH 2/5] fix detection filter.  Had one extra alert than normal previously, now fixed

---
 src/detect-engine-threshold.c |   10 +---------
 1 files changed, 1 insertions(+), 9 deletions(-)

diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 0023bcc..88040e8 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -327,7 +327,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
                     /* within timeout */
 
                     lookup_tsh->current_count++;
-                    if (lookup_tsh->current_count >= td->count) {
+                    if (lookup_tsh->current_count > td->count) {
                         ret = 1;
                     }
                 } else {
@@ -335,16 +335,8 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 
                     lookup_tsh->tv_sec1 = p->ts.tv_sec;
                     lookup_tsh->current_count = 1;
-
-                    if (td->count == 1) {
-                        ret = 1;
-                    }
                 }
             } else {
-                if (td->count == 1) {
-                    ret = 1;
-                }
-
                 DetectThresholdEntry *e = DetectThresholdEntryAlloc(td, p, sid, gid);
                 if (e == NULL) {
                     break;
-- 
1.7.1