detect/threshold: make hash size and memcap configurable

catenacyber · Jun 28, 2024 · 7d4fcc3 · 7d4fcc3
1 parent 10eaf55
commit 7d4fcc3
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
@@ -45,6 +45,7 @@
 #include "detect-engine-address.h"
 #include "detect-engine-address-ipv6.h"
 
+#include "util-misc.h"
 #include "util-time.h"
 #include "util-error.h"
 #include "util-debug.h"
@@ -183,14 +184,38 @@ static bool ThresholdEntryExpire(void *data, const SCTime_t ts)
 
 static int ThresholdsInit(struct Thresholds *t)
 {
-    uint64_t memcap = 16 * 1024 * 1024;
     uint32_t hashsize = 16384;
+    uint64_t memcap = 16 * 1024 * 1024;
+
+    const char *str;
+    if (ConfGet("detect.thresholds.memcap", &str) == 1) {
+        if (ParseSizeStringU64(str, &memcap) < 0) {
+            SCLogError("Error parsing detect.thresholds.memcap from conf file - %s", str);
+            return -1;
+        }
+    }
+
+    intmax_t value = 0;
+    if ((ConfGetInt("detect.thresholds.hash-size", &value)) == 1) {
+        if (value < 256 || value > INT_MAX) {
+            SCLogError("'detect.thresholds.hash-size' value %" PRIiMAX
+                       " out of range. Valid range 256-2147483647.",
+                    value);
+            return -1;
+        }
+        hashsize = (uint32_t)value;
+    }
+
     t->thash = THashInit("thresholds", sizeof(ThresholdEntry), ThresholdEntrySet,
             ThresholdEntryFree, ThresholdEntryHash, ThresholdEntryCompare, ThresholdEntryExpire, 0,
             memcap, hashsize);
-    BUG_ON(t->thash == NULL);
+    if (t->thash == NULL) {
+        SCLogError("failed to initialize thresholds hash table");
+        return -1;
+    }
     return 0;
 }
+
 static void ThresholdsDestroy(struct Thresholds *t)
 {
     if (t->thash) {

diff --git a/suricata.yaml.in b/suricata.yaml.in
@@ -1700,6 +1700,11 @@ detect:
     #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
     #udp-whitelist: 53, 135, 5060
 
+  # Thresholding hash table settings.
+  thresholds:
+    hash-size: 16384
+    memcap: 16mb
+
   profiling:
     # Log the rules that made it past the prefilter stage, per packet
     # default is off. The threshold setting determines how many rules