detect/stats: log out total of suppressed alerts

Related to Task #4943 Task #5179 (cherry picked from commit 877b32c1e4)
4 years ago · d19b1d432b
parent ad153d7b35
commit d19b1d432b
5 changed files with 12 additions and 2 deletions
--- a/src/decode.h
+++ b/src/decode.h
@ -294,6 +294,7 @@ extern uint16_t packet_alert_max;
 typedef struct PacketAlerts_ {
    uint16_t cnt;
    uint16_t discarded;
+    uint16_t suppressed;
    PacketAlert *alerts;
    /* single pa used when we're dropping,
     * so we can log it out in the drop log. */
@ -813,6 +814,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
    (p)->pktlen = 0;                                                           \
    (p)->alerts.cnt = 0;                                                       \
    (p)->alerts.discarded = 0;                                                 \
+    (p)->alerts.suppressed = 0;                                                \
    (p)->alerts.drop.action = 0;                                               \
    (p)->pcap_cnt = 0;                                                         \
    (p)->tunnel_rtv_cnt = 0;                                                   \
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@ -369,7 +369,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
        /* Thresholding removes this alert */
        if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
            /* we will not copy this to the AlertQueue */
-            p->alerts.discarded++;
+            p->alerts.suppressed++;
        } else if (p->alerts.cnt < packet_alert_max) {
            p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
            SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@ -2912,6 +2912,8 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
    det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
    det_ctx->counter_alerts_overflow =
        StatsRegisterCounter("detect.alert_queue_overflow", tv);
+    det_ctx->counter_alerts_suppressed =
+        StatsRegisterCounter("detect.alerts_suppressed", tv);
 #ifdef PROFILING
    det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
    det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
--- a/src/detect.c
+++ b/src/detect.c
@ -823,6 +823,7 @@ static DetectRunScratchpad DetectRunSetup(
 #ifdef UNITTESTS
    p->alerts.cnt = 0;
    p->alerts.discarded = 0;
+    p->alerts.suppressed = 0;
 #endif
    det_ctx->ticker++;
    det_ctx->filestore_cnt = 0;
@ -935,6 +936,9 @@ static inline void DetectRunPostRules(
    if (p->alerts.discarded > 0) {
        StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
    }
+    if (p->alerts.suppressed > 0) {
+        StatsAddUI64(tv, det_ctx->counter_alerts_suppressed, (uint64_t)p->alerts.suppressed);
+    }
    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
 }

--- a/src/detect.h
+++ b/src/detect.h
@ -1045,8 +1045,10 @@ typedef struct DetectEngineThreadCtx_ {

    /** id for alert counter */
    uint16_t counter_alerts;
-    /** id for discarded alerts counter**/
+    /** id for discarded alerts counter */
    uint16_t counter_alerts_overflow;
+    /** id for suppressed alerts counter */
+    uint16_t counter_alerts_suppressed;
 #ifdef PROFILING
    uint16_t counter_mpm_list;
    uint16_t counter_nonmpm_list;