28.4.4. Detection
28.4.4.1. Rate Filter Callback
A callback can be registered for any signature hit whose action has been modified by the rate filter. This allows the user to modify the action, if needed, using their own custom logic.
For an example, see examples/lib/custom/main.c in the Suricata source code.
28.4.4.1.1. The Callback
The callback function will be called with the packet, the signature details (sid, gid, rev), the original action, the new action, and a user provided argument. It will only be called if the Suricata rate filter modified the action:

    /**
     * \brief Function type for rate filter callback.
     *
     * This function should return the new action to be applied. If no change to the
     * action is to be made, the callback should return the current action provided
     * in the new_action parameter.
     */
    typedef uint8_t (*SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid, uint32_t rev,
            uint8_t original_action, uint8_t new_action, void *arg);
28.4.4.1.2. Callback Registration
To register the rate filter callback, use the SCDetectEngineRegisterRateFilterCallback function with your callback and a user provided argument, which will be passed to the callback on every invocation.

    /**
     * \brief Register a callback when a rate_filter has been applied to
     * an alert.
     *
     * This callback is added to the current detection engine and will be
     * copied to all future detection engines over rule reloads.
     */
    void SCDetectEngineRegisterRateFilterCallback(SCDetectRateFilterFunc cb, void *arg);
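The following is an added example, not code from the Suricata source or from examples/lib/custom/main.c, showing both halves of this section: a rate filter callback that implements a small policy, and how it would be registered with the user argument. It assumes the action flag names ACTION_ALERT and ACTION_DROP (as in Suricata's action-globals.h) and a single "suricata.h" header when built with -DWITH_SURICATA; without that define it compiles stand-alone using local stand-ins, so the policy logic can be run and tested outside the Suricata tree. The RateFilterPolicy struct, the sid values and the driver events are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef WITH_SURICATA
/* Stand-ins so this example builds outside the Suricata tree (assumption:
 * when built against libsuricata, the real headers provide these instead). */
typedef struct Packet_ Packet;          /* never dereferenced in this example */
#define ACTION_ALERT 0x01               /* assumed to mirror action-globals.h */
#define ACTION_DROP  0x02
typedef uint8_t (*SCDetectRateFilterFunc)(const Packet *p, uint32_t sid, uint32_t gid,
        uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg);
#else
#include "suricata.h"                   /* assumption: declares the types above */
#endif

/* Hypothetical user context handed to the callback through `arg`. */
typedef struct RateFilterPolicy_ {
    const uint32_t *no_drop_sids;   /* sids the rate filter must not escalate to drop */
    size_t no_drop_count;
    uint32_t seen;                  /* callback invocations */
    uint32_t vetoed;                /* escalations reverted by policy */
} RateFilterPolicy;

static RateFilterPolicy RateFilterPolicyInit(const uint32_t *sids, size_t count)
{
    RateFilterPolicy pol = { sids, count, 0, 0 };
    return pol;
}

static int SidIsExempt(const RateFilterPolicy *pol, uint32_t sid)
{
    for (size_t i = 0; i < pol->no_drop_count; i++) {
        if (pol->no_drop_sids[i] == sid)
            return 1;
    }
    return 0;
}

/* The rate filter callback. Suricata calls it only when the rate filter changed
 * the action, and it must return the action to apply. Here an ALERT -> DROP
 * escalation is reverted for exempt sids (for instance a noisy signature whose
 * automatic drop could block legitimate traffic); every other change is kept. */
static uint8_t RateFilterPolicyCallback(const Packet *p, uint32_t sid, uint32_t gid,
        uint32_t rev, uint8_t original_action, uint8_t new_action, void *arg)
{
    (void)p;
    RateFilterPolicy *pol = arg;
    pol->seen++;

    int escalated_to_drop = (new_action & ACTION_DROP) && !(original_action & ACTION_DROP);
    if (escalated_to_drop && SidIsExempt(pol, sid)) {
        pol->vetoed++;
        fprintf(stderr, "rate_filter: sid=%u gid=%u rev=%u: drop escalation reverted by policy\n",
                sid, gid, rev);
        return original_action;
    }
    return new_action;
}

#ifdef WITH_SURICATA
/* Registration as documented above; call once after the detection engine exists.
 * `pol` must outlive the engine, since the callback receives it on every hit. */
static void RateFilterPolicyRegister(RateFilterPolicy *pol)
{
    SCDetectEngineRegisterRateFilterCallback(RateFilterPolicyCallback, pol);
}
#endif

/* Stand-alone driver: constructed rate-filter events, not real Suricata traffic. */
int main(void)
{
    static const uint32_t exempt[] = { 2100001, 2100002 };  /* constructed sids */
    RateFilterPolicy pol = RateFilterPolicyInit(exempt, 2);
    SCDetectRateFilterFunc cb = RateFilterPolicyCallback;

    struct { uint32_t sid; uint8_t orig, new_; } events[] = {
        { 2100001, ACTION_ALERT, ACTION_DROP },   /* exempt: stays alert */
        { 2100009, ACTION_ALERT, ACTION_DROP },   /* not exempt: drop kept */
        { 2100001, ACTION_DROP,  ACTION_ALERT },  /* downgrade, not escalation: kept */
    };
    for (size_t i = 0; i < sizeof(events) / sizeof(events[0]); i++) {
        uint8_t a = cb(NULL, events[i].sid, 1, 1, events[i].orig, events[i].new_, &pol);
        printf("sid=%u action=0x%02x\n", events[i].sid, a);
    }
    printf("seen=%u vetoed=%u\n", pol.seen, pol.vetoed);
    return 0;
}
```

Because the registered callback is copied across rule reloads (see the comment on SCDetectEngineRegisterRateFilterCallback), the object passed as `arg` has to stay valid for the lifetime of the process, not just the first detection engine; keeping it static or heap-allocated once at startup is the simplest way to honour that.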