From 7d4fcc311ca563631672f7b1f4de69367cbc35cb Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 15 May 2024 11:02:29 +0200
Subject: [PATCH] detect/threshold: make hash size and memcap configurable

---
 src/detect-engine-threshold.c | 29 +++++++++++++++++++++++++++--
 suricata.yaml.in              |  5 +++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/detect-engine-threshold.c b/src/detect-engine-threshold.c
index 60d9bd8acc97..faedb656b0b4 100644
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@@ -45,6 +45,7 @@
 #include "detect-engine-address.h"
 #include "detect-engine-address-ipv6.h"
+#include "util-misc.h"
 #include "util-time.h"
 #include "util-error.h"
 #include "util-debug.h"
@@ -183,14 +184,38 @@ static bool ThresholdEntryExpire(void *data, const SCTime_t ts)
 static int ThresholdsInit(struct Thresholds *t)
 {
-    uint64_t memcap = 16 * 1024 * 1024;
     uint32_t hashsize = 16384;
+    uint64_t memcap = 16 * 1024 * 1024;
+
+    const char *str;
+    if (ConfGet("detect.thresholds.memcap", &str) == 1) {
+        if (ParseSizeStringU64(str, &memcap) < 0) {
+            SCLogError("Error parsing detect.thresholds.memcap from conf file - %s", str);
+            return -1;
+        }
+    }
+
+    intmax_t value = 0;
+    if ((ConfGetInt("detect.thresholds.hash-size", &value)) == 1) {
+        if (value < 256 || value > INT_MAX) {
+            SCLogError("'detect.thresholds.hash-size' value %" PRIiMAX
+                       " out of range. Valid range 256-2147483647.",
+                       value);
+            return -1;
+        }
+        hashsize = (uint32_t)value;
+    }
+
     t->thash = THashInit("thresholds", sizeof(ThresholdEntry), ThresholdEntrySet, ThresholdEntryFree, ThresholdEntryHash, ThresholdEntryCompare, ThresholdEntryExpire, 0, memcap, hashsize);
-    BUG_ON(t->thash == NULL);
+    if (t->thash == NULL) {
+        SCLogError("failed to initialize thresholds hash table");
+        return -1;
+    }
     return 0;
 }
+
 static void ThresholdsDestroy(struct Thresholds *t)
 {
     if (t->thash) {
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 0ba63086d0d1..5e4d039e9e7b
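Review bot: ThresholdsInit now returns -1 on a bad config value or a failed THashInit where it previously hit BUG_ON, so whatever calls it (not in this hunk) has to check that return; if the caller still ignores it, a NULL t->thash survives initialization and the crash merely moves to the first threshold lookup. hash-size is range-checked before the narrowing cast, but memcap gets no lower bound here, so a memcap too small to hold even the hash rows is left for THashInit to reject — presumably it does, given the NULL check that follows, but that is worth confirming rather than assuming. I would state the contract on the function itself: `/* Reads detect.thresholds.{memcap,hash-size}; returns -1 on a bad value or allocation failure, leaving t->thash NULL. */`. Also, `INT_MAX` and `PRIiMAX` need <limits.h> and <inttypes.h>, which this hunk does not add, so they are presumably already pulled in through an existing header.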
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1700,6 +1700,11 @@ detect:
     #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
     #udp-whitelist: 53, 135, 5060
+  # Thresholding hash table settings.
+  thresholds:
+    hash-size: 16384
+    memcap: 16mb
+
   profiling:
     # Log the rules that made it past the prefilter stage, per packet
     # default is off. The threshold setting determines how many rules
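Review bot: The new `thresholds:` keys are shipped as active values with no hint of what the parser accepts, while the C side rejects a hash-size outside 256..2147483647 or a memcap it cannot parse and returns -1, which presumably fails startup rather than falling back to the default. Since 16384 and 16mb match the compiled-in defaults, the surrounding file's convention of commenting out defaults (`#tcp-whitelist`, `#udp-whitelist`) would apply here too, and a one-line range comment saves an operator a failed restart: `# hash-size: 256 to 2147483647 (default 16384); memcap takes a size suffix, e.g. 16mb (default)`.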