From 52bcda08decd12ca61be8b30e22f7473b096c495 Mon Sep 17 00:00:00 2001 From: Anoop Saldanha Date: Fri, 29 Jun 2012 22:40:02 +0530 Subject: [PATCH] bug #455 - Warn users on signature event vars having precedence over threshold.conf ones --- src/util-error.c | 2 +- src/util-error.h | 1 + src/util-threshold-config.c | 47 +++++++++++++++++++++++++++++++++++++----- 3 files changed, 43 insertions(+), 7 deletions(-) diff --git a/src/util-error.c b/src/util-error.c index f2ea271..d87694e 100644 --- a/src/util-error.c +++ b/src/util-error.c @@ -230,7 +230,7 @@ const char * SCErrorToString(SCError err) CASE_CODE (SC_ERR_MEM_BUFFER_API); CASE_CODE (SC_ERR_INVALID_MD5); CASE_CODE (SC_ERR_NO_MD5_SUPPORT); - + CASE_CODE (SC_ERR_EVENT_ENGINE); default: return "UNKNOWN_ERROR"; } diff --git a/src/util-error.h b/src/util-error.h index d36b6f9..a8e3750 100644 --- a/src/util-error.h +++ b/src/util-error.h @@ -244,6 +244,7 @@ typedef enum { SC_ERR_MEM_BUFFER_API, SC_ERR_INVALID_MD5, SC_ERR_NO_MD5_SUPPORT, + SC_ERR_EVENT_ENGINE, } SCError; const char *SCErrorToString(SCError); diff --git a/src/util-threshold-config.c b/src/util-threshold-config.c index 084ea58..f061921 100644 --- a/src/util-threshold-config.c +++ b/src/util-threshold-config.c 
@@ -560,14 +560,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) m = SigMatchGetLastSMFromLists(s, 2, DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]); - if(m != NULL) + if (m != NULL) { + SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " + "an event var set. The signature event var is " + "given precedence over the threshold.conf one. " + "We'll change this in the future though.", id); goto end; + } m = SigMatchGetLastSMFromLists(s, 2, DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]); - if(m != NULL) + if (m != NULL) { + SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " + "an event var set. The signature event var is " + "given precedence over the threshold.conf one. " + "We'll change this in the future though.", id); goto end; + } de = SCMalloc(sizeof(DetectThresholdData)); if (de == NULL) @@ -631,14 +641,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) m = SigMatchGetLastSMFromLists(s, 2, DETECT_THRESHOLD, s->sm_lists[DETECT_SM_LIST_THRESHOLD]); - if(m != NULL) + if (m != NULL) { + SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " + "an event var set. The signature event var is " + "given precedence over the threshold.conf one. " + "We'll change this in the future though.", id); goto end; + } m = SigMatchGetLastSMFromLists(s, 2, DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_THRESHOLD]); - if(m != NULL) + if (m != NULL) { + SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " + "an event var set. The signature event var is " + "given precedence over the threshold.conf one. " + "We'll change this in the future though.", id); goto end; + } de = SCMalloc(sizeof(DetectThresholdData)); if (de == NULL) 
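Review bot: In the two loop-based hunks (@@ -560 and @@ -631) the new warning formats `id`, the sid parsed from threshold.conf, rather than the sid of the signature `s` that was actually skipped. If these are the branches where the configured sid is 0, as the new `else if (id > 0 && gid == 0)` in the @@ -692 hunk suggests, every message would read `sid:0` and the operator could not tell which rule kept its own threshold; passing `s->id` instead of `id` would fix that, assuming the signature struct exposes its sid under that name. The same four-line `SCLogWarning` call is pasted six times across these hunks and @@ -704, so a small static helper taking the sid would keep the wording in one place. Because the warning sits inside a per-signature loop, it can fire once per rule on a large ruleset and bury other startup messages; consider emitting a single summary count instead. The function body starts and ends outside these hunks.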
@@ -692,6 +712,11 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) } s = ns; } + } else if (id > 0 && gid == 0) { + SCLogError(SC_ERR_INVALID_VALUE, "Can't use a event config that has " + "sid > 0 and gid == 0. Killing engine. Please fix this " + "in your threshold.conf file"); + exit(EXIT_FAILURE); } else { sig = SigFindSignatureBySidGid(de_ctx,id,gid); @@ -704,14 +729,24 @@ int SCThresholdConfAddThresholdtype(char *rawstr, DetectEngineCtx *de_ctx) m = SigMatchGetLastSMFromLists(sig, 2, DETECT_THRESHOLD, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]); - if(m != NULL) + if (m != NULL) { + SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " + "an event var set. The signature event var is " + "given precedence over the threshold.conf one. " + "We'll change this in the future though.", id); goto end; + } m = SigMatchGetLastSMFromLists(sig, 2, DETECT_DETECTION_FILTER, sig->sm_lists[DETECT_SM_LIST_THRESHOLD]); - if(m != NULL) + if (m != NULL) { + SCLogWarning(SC_ERR_EVENT_ENGINE, "signature sid:%"PRIu32 " has " + "an event var set. The signature event var is " + "given precedence over the threshold.conf one. " + "We'll change this in the future though.", id); goto end; + } de = SCMalloc(sizeof(DetectThresholdData)); if (de == NULL) -- 1.7.1
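Review bot: The new `else if (id > 0 && gid == 0)` branch in the @@ -692 hunk calls `exit(EXIT_FAILURE)` from inside the threshold.conf parser, so one bad config line stops the whole detection engine and skips the cleanup path that every other branch reaches via `goto end`. Since the function returns `int`, logging the error and leaving with `goto end;` would let the caller decide whether to abort, provided the value returned at `end` signals failure there (the label is outside the hunk). This matters most if the parser can ever run outside initial startup, which is not visible here. The message also omits the offending entry; including `id` via `"sid %"PRIu32`, or logging `rawstr`, would let the operator locate the line in threshold.conf.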