detect/stats: log out total of discarded alerts

Add a counter to our stats log with the total of alerts that have been
discarded due to packet alert queue overflow.

Also included is a fix for
Bug #5354

Task #5179

(cherry picked from commit 04eefa5ab8)
pull/7474/head
Juliana Fajardini 4 years ago committed by Victor Julien
parent ef5576fa10
commit ad153d7b35

@ -293,6 +293,7 @@ extern uint16_t packet_alert_max;
typedef struct PacketAlerts_ {
uint16_t cnt;
uint16_t discarded;
PacketAlert *alerts;
/* single pa used when we're dropping,
* so we can log it out in the drop log. */
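Review bot: The new `discarded` field carries no comment saying what it counts, while the other hunks in this commit increment it for three distinct reasons: a failed AlertQueueExpand in AlertQueueAppend, alerts removed by thresholding or carrying SIG_FLAG_NOALERT in PacketAlertFinalize, and `cnt` reaching `packet_alert_max`. A one-line doc comment on the field would make the stats output interpretable, e.g. `/** alerts matched but not stored in alerts[] (expand failure, thresholding/NOALERT, cnt >= packet_alert_max); reset by PACKET_REINIT */`. It is a `uint16_t` like `cnt`, and nothing in the visible hunks guards it against wrapping, though a per-packet count that large looks unlikely. The struct definition continues outside the hunk.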
@ -757,74 +758,76 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
/**
* \brief Recycle a packet structure for reuse.
*/
#define PACKET_REINIT(p) do { \
CLEAR_ADDR(&(p)->src); \
CLEAR_ADDR(&(p)->dst); \
(p)->sp = 0; \
(p)->dp = 0; \
(p)->proto = 0; \
(p)->recursion_level = 0; \
PACKET_FREE_EXTDATA((p)); \
(p)->flags = (p)->flags & PKT_ALLOC; \
(p)->flowflags = 0; \
(p)->pkt_src = 0; \
(p)->vlan_id[0] = 0; \
(p)->vlan_id[1] = 0; \
(p)->vlan_idx = 0; \
(p)->ts.tv_sec = 0; \
(p)->ts.tv_usec = 0; \
(p)->datalink = 0; \
(p)->action = 0; \
if ((p)->pktvar != NULL) { \
PktVarFree((p)->pktvar); \
(p)->pktvar = NULL; \
} \
(p)->ethh = NULL; \
if ((p)->ip4h != NULL) { \
CLEAR_IPV4_PACKET((p)); \
} \
if ((p)->ip6h != NULL) { \
CLEAR_IPV6_PACKET((p)); \
} \
if ((p)->tcph != NULL) { \
CLEAR_TCP_PACKET((p)); \
} \
if ((p)->udph != NULL) { \
CLEAR_UDP_PACKET((p)); \
} \
if ((p)->sctph != NULL) { \
CLEAR_SCTP_PACKET((p)); \
} \
if ((p)->icmpv4h != NULL) { \
CLEAR_ICMPV4_PACKET((p)); \
} \
if ((p)->icmpv6h != NULL) { \
CLEAR_ICMPV6_PACKET((p)); \
} \
(p)->ppph = NULL; \
(p)->pppoesh = NULL; \
(p)->pppoedh = NULL; \
(p)->greh = NULL; \
(p)->payload = NULL; \
(p)->payload_len = 0; \
(p)->BypassPacketsFlow = NULL; \
(p)->pktlen = 0; \
(p)->alerts.cnt = 0; \
(p)->alerts.drop.action = 0; \
(p)->pcap_cnt = 0; \
(p)->tunnel_rtv_cnt = 0; \
(p)->tunnel_tpr_cnt = 0; \
(p)->events.cnt = 0; \
AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
(p)->next = NULL; \
(p)->prev = NULL; \
(p)->root = NULL; \
(p)->livedev = NULL; \
PACKET_RESET_CHECKSUMS((p)); \
PACKET_PROFILING_RESET((p)); \
p->tenant_id = 0; \
p->nb_decoded_layers = 0; \
} while (0)
#define PACKET_REINIT(p) \
do { \
CLEAR_ADDR(&(p)->src); \
CLEAR_ADDR(&(p)->dst); \
(p)->sp = 0; \
(p)->dp = 0; \
(p)->proto = 0; \
(p)->recursion_level = 0; \
PACKET_FREE_EXTDATA((p)); \
(p)->flags = (p)->flags & PKT_ALLOC; \
(p)->flowflags = 0; \
(p)->pkt_src = 0; \
(p)->vlan_id[0] = 0; \
(p)->vlan_id[1] = 0; \
(p)->vlan_idx = 0; \
(p)->ts.tv_sec = 0; \
(p)->ts.tv_usec = 0; \
(p)->datalink = 0; \
(p)->action = 0; \
if ((p)->pktvar != NULL) { \
PktVarFree((p)->pktvar); \
(p)->pktvar = NULL; \
} \
(p)->ethh = NULL; \
if ((p)->ip4h != NULL) { \
CLEAR_IPV4_PACKET((p)); \
} \
if ((p)->ip6h != NULL) { \
CLEAR_IPV6_PACKET((p)); \
} \
if ((p)->tcph != NULL) { \
CLEAR_TCP_PACKET((p)); \
} \
if ((p)->udph != NULL) { \
CLEAR_UDP_PACKET((p)); \
} \
if ((p)->sctph != NULL) { \
CLEAR_SCTP_PACKET((p)); \
} \
if ((p)->icmpv4h != NULL) { \
CLEAR_ICMPV4_PACKET((p)); \
} \
if ((p)->icmpv6h != NULL) { \
CLEAR_ICMPV6_PACKET((p)); \
} \
(p)->ppph = NULL; \
(p)->pppoesh = NULL; \
(p)->pppoedh = NULL; \
(p)->greh = NULL; \
(p)->payload = NULL; \
(p)->payload_len = 0; \
(p)->BypassPacketsFlow = NULL; \
(p)->pktlen = 0; \
(p)->alerts.cnt = 0; \
(p)->alerts.discarded = 0; \
(p)->alerts.drop.action = 0; \
(p)->pcap_cnt = 0; \
(p)->tunnel_rtv_cnt = 0; \
(p)->tunnel_tpr_cnt = 0; \
(p)->events.cnt = 0; \
AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
(p)->next = NULL; \
(p)->prev = NULL; \
(p)->root = NULL; \
(p)->livedev = NULL; \
PACKET_RESET_CHECKSUMS((p)); \
PACKET_PROFILING_RESET((p)); \
p->tenant_id = 0; \
p->nb_decoded_layers = 0; \
} while (0)
#define PACKET_RECYCLE(p) do { \
PACKET_RELEASE_REFS((p)); \
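Review bot: The rewritten macro still dereferences its argument unparenthesized in the last two statements, `p->tenant_id = 0;` and `p->nb_decoded_layers = 0;`, while every other line uses `(p)->`; since the whole body was re-indented anyway, these should become `(p)->tenant_id = 0;` and `(p)->nb_decoded_layers = 0;`. The only functional change in the hunk, `(p)->alerts.discarded = 0;`, is buried inside a roughly 70-line whitespace rewrite of PACKET_REINIT, so a reviewer has to diff the two macro bodies by hand to find it; the clang-format pass would be easier to verify as a separate commit. PACKET_RECYCLE at the end of the hunk continues outside it.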

@ -267,6 +267,7 @@ void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet
/* we must grow the alert queue */
if (pos == AlertQueueExpand(det_ctx)) {
/* this means we failed to expand the queue */
p->alerts.discarded++;
return;
}
}
@ -368,6 +369,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
/* Thresholding removes this alert */
if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
/* we will not copy this to the AlertQueue */
p->alerts.discarded++;
} else if (p->alerts.cnt < packet_alert_max) {
p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
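Review bot: The `p->alerts.discarded++` added in the thresholding branch counts alerts removed by thresholding or belonging to SIG_FLAG_NOALERT signatures, yet the same field is what DetectRunPostRules adds to the `detect.alert_queue_overflow` counter registered in the DetectEngineThreadCtxInit hunk, and the commit message describes that counter as overflow-only. If overflow is the intended meaning, only the failed AlertQueueExpand path in AlertQueueAppend and the `else` branch of the next hunk (`cnt` at `packet_alert_max`) should increment it, and this line should go; if thresholded and NOALERT alerts are meant to be included, the counter name or at least a comment here should say so, e.g. `/* counted as discarded: thresholded or NOALERT, not a queue overflow */`. PacketAlertFinalize continues outside the hunk.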
@ -378,6 +380,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
break;
}
p->alerts.cnt++;
} else {
p->alerts.discarded++;
}
i++;
}

@ -2910,6 +2910,8 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
/** alert counter setup */
det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
det_ctx->counter_alerts_overflow =
StatsRegisterCounter("detect.alert_queue_overflow", tv);
#ifdef PROFILING
det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);

@ -822,6 +822,7 @@ static DetectRunScratchpad DetectRunSetup(
#ifdef UNITTESTS
p->alerts.cnt = 0;
p->alerts.discarded = 0;
#endif
det_ctx->ticker++;
det_ctx->filestore_cnt = 0;
@ -931,6 +932,9 @@ static inline void DetectRunPostRules(
if (p->alerts.cnt > 0) {
StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
}
if (p->alerts.discarded > 0) {
StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
}
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
}

@ -1045,6 +1045,8 @@ typedef struct DetectEngineThreadCtx_ {
/** id for alert counter */
uint16_t counter_alerts;
/** id for discarded alerts counter**/
uint16_t counter_alerts_overflow;
#ifdef PROFILING
uint16_t counter_mpm_list;
uint16_t counter_nonmpm_list;
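Review bot: The new doc comment closes with `**/`, which does not match the `/** id for alert counter */` line directly above it; use `/** id for discarded alerts counter */`. Given what the detect code actually accumulates into it, a wording such as `/** id for counter of alerts discarded per packet (queue overflow, thresholding, NOALERT) */` would describe the value more precisely than "overflow" does. The DetectEngineThreadCtx_ definition continues outside the hunk.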
