From 0b9d529400454d854e039e4092981ad08b2c8d0b Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Mon, 23 Apr 2012 19:03:44 +0530
Subject: [PATCH 3/5] considering the tenths of a seconds in a packet, when calculating thresholds
---
 src/detect-engine-threshold.c | 7 ++++++-
 src/detect-threshold.h | 1 +
 2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 88040e8..f672157 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -323,7 +323,10 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 SCLogDebug("detection_filter");
 if (lookup_tsh != NULL) {
- if ((p->ts.tv_sec - lookup_tsh->tv_sec1) < td->seconds) {
+ long double time_diff = ((p->ts.tv_sec + p->ts.tv_usec/1000000.0) -
+ (lookup_tsh->tv_sec1 + lookup_tsh->tv_usec1/1000000.0));
+
+ if (time_diff < td->seconds) {
 /* within timeout */
 lookup_tsh->current_count++;
@@ -334,6 +337,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 /* expired, reset */
 lookup_tsh->tv_sec1 = p->ts.tv_sec;
+ lookup_tsh->tv_usec1 = p->ts.tv_usec;
 lookup_tsh->current_count = 1;
 }
 } else {
@@ -344,6 +348,7 @@ int ThresholdHandlePacketHost(Host *h, Packet *p, DetectThresholdData *td, uint3
 e->current_count = 1;
 e->tv_sec1 = p->ts.tv_sec;
+ e->tv_usec1 = p->ts.tv_usec;
 e->next = h->threshold;
 h->threshold = e;
diff --git a/src/detect-threshold.h b/src/detect-threshold.h
index e71bcb9..c51d4f5 100644
--- a/src/detect-threshold.h
+++ b/src/detect-threshold.h
@@ -71,6 +71,7 @@ typedef struct DetectThresholdEntry_ {
 its not "seconds", that define the time interval */
 uint32_t seconds; /**< Event seconds */
 uint32_t tv_sec1; /**< Var for time control */
+ uint32_t tv_usec1; /**< Var for time control */
 uint32_t current_count; /**< Var for count control */
 int track; /**< Track type: by_src, by_src */
-- 
1.7.1
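Review bot: The new `time_diff` comparison in the detection_filter branch has no lower bound, so a packet whose timestamp is earlier than the stored `tv_sec1`/`tv_usec1` gives a negative difference and is counted as inside the window; whether timestamps can go backwards on this path (out-of-order capture, clock steps) is not visible in the hunk and should be confirmed, since it decides when the filter starts and stops alerting. The floating-point detour is also avoidable: `int64_t diff_us = ((int64_t)p->ts.tv_sec - lookup_tsh->tv_sec1) * 1000000 + ((int64_t)p->ts.tv_usec - lookup_tsh->tv_usec1);` followed by `if (diff_us >= 0 && diff_us < (int64_t)td->seconds * 1000000) {` keeps the comparison exact and sends the backwards case to the reset path. Only this branch is shown being changed; any other threshold types in ThresholdHandlePacketHost that compare against `tv_sec1` would presumably still work in whole seconds, and the function body extends beyond the hunk.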
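Review bot: The added `tv_usec1` field in DetectThresholdEntry_ carries the same comment as `tv_sec1`, so a reader cannot tell the two apart or see that they form one timestamp; something like `/**< Microsecond part of the window start, paired with tv_sec1 */` would say it. The field is only meaningful if every place that writes `tv_sec1` also writes `tv_usec1`; the two writes in this patch are in ThresholdHandlePacketHost, and any other writers outside the shown hunks should be checked. The struct definition begins and ends outside the hunk.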