engine-analysis: print fast_pattern summary

When using engine analysis for print fast_pattern stats, print a short summary at the end containing per buffer: - smallest fp - biggest fp - number of patterns - avg fp len
11 years ago · 8d0b090150
parent 21f9328989
commit 8d0b090150
1 changed files with 44 additions and 0 deletions
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@ -27,6 +27,7 @@
 #include "suricata.h"
 #include "detect.h"
 #include "detect-parse.h"
+#include "detect-engine.h"
 #include "detect-engine-analyzer.h"
 #include "detect-engine-mpm.h"
 #include "conf.h"
@ -42,6 +43,31 @@ static pcre *percent_re = NULL;
 static pcre_extra *percent_re_study = NULL;
 static char log_path[PATH_MAX];

+typedef struct FpPatternStats_ {
+    uint16_t min;
+    uint16_t max;
+    uint32_t cnt;
+    uint64_t tot;
+} FpPatternStats;
+
+static FpPatternStats fp_pattern_stats[DETECT_SM_LIST_MAX];
+
+static void FpPatternStatsAdd(int list, uint16_t patlen)
+{
+    FpPatternStats *f = &fp_pattern_stats[list];
+
+    if (f->min == 0)
+        f->min = patlen;
+    else if (patlen < f->min)
+        f->min = patlen;
+
+    if (patlen > f->max)
+        f->max = patlen;
+
+    f->cnt++;
+    f->tot += patlen;
+}
+
 void EngineAnalysisFP(Signature *s, char *line)
 {
    int fast_pattern_set = 0;
@ -162,10 +188,14 @@ void EngineAnalysisFP(Signature *s, char *line)
        fprintf(fp_engine_analysis_FD, "        Final content: ");
        PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
        fprintf(fp_engine_analysis_FD, "\n");
+
+        FpPatternStatsAdd(list_type, patlen);
    } else {
        fprintf(fp_engine_analysis_FD, "        Final content: ");
        PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
        fprintf(fp_engine_analysis_FD, "\n");
+
+        FpPatternStatsAdd(list_type, patlen);
    }
    SCFree(pat);

@ -220,6 +250,7 @@ int SetupFPAnalyzer(void)
    fprintf(fp_engine_analysis_FD, "----------------------------------------------"
            "---------------------\n");

+    memset(&fp_pattern_stats, 0, sizeof(fp_pattern_stats));
    return 1;
 }

@ -286,6 +317,19 @@ int SetupRuleAnalyzer(void)

 void CleanupFPAnalyzer(void)
 {
+    fprintf(fp_engine_analysis_FD, "============\n"
+        "Summary:\n============\n");
+    int i;
+    for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
+        FpPatternStats *f = &fp_pattern_stats[i];
+        if (f->cnt == 0)
+            continue;
+
+        fprintf(fp_engine_analysis_FD,
+            "%s, smallest pattern %u byte(s), longest pattern %u byte(s), number of patterns %u, avg pattern len %.2f byte(s)\n",
+            DetectSigmatchListEnumToString(i), f->min, f->max, f->cnt, (float)((double)f->tot/(float)f->cnt));
+    }
+
    if (fp_engine_analysis_FD != NULL) {
        fclose(fp_engine_analysis_FD);
        fp_engine_analysis_FD = NULL;