detect/tag: timeout handling precision improvement

As found by -Wshorten-64-to-32 warnings

Ticket: #6186

Use SCTime_t instead of u32, which increases memory usage for
the structures changed here, while making it more correct.
pull/13251/head
Philippe Antoine 6 months ago committed by Victor Julien
parent bad7d2f16d
commit ee386ac6eb

@ -150,7 +150,8 @@ int TagFlowAdd(Packet *p, DetectTagDataEntry *tde)
if (new_tde != NULL) { if (new_tde != NULL) {
new_tde->next = FlowGetStorageById(p->flow, flow_tag_id); new_tde->next = FlowGetStorageById(p->flow, flow_tag_id);
FlowSetStorageById(p->flow, flow_tag_id, new_tde); FlowSetStorageById(p->flow, flow_tag_id, new_tde);
SCLogDebug("adding tag with first_ts %u", new_tde->first_ts); SCLogDebug(
"adding tag with first_ts %" PRIu64, (uint64_t)SCTIME_SECS(new_tde->first_ts));
(void) SC_ATOMIC_ADD(num_tags, 1); (void) SC_ATOMIC_ADD(num_tags, 1);
} }
} else if (tag_cnt == DETECT_TAG_MAX_TAGS) { } else if (tag_cnt == DETECT_TAG_MAX_TAGS) {
@ -254,7 +255,7 @@ static void TagHandlePacketFlow(Flow *f, Packet *p)
while (iter != NULL) { while (iter != NULL) {
/* update counters */ /* update counters */
iter->last_ts = SCTIME_SECS(p->ts); iter->last_ts = p->ts;
switch (iter->metric) { switch (iter->metric) {
case DETECT_TAG_METRIC_PACKET: case DETECT_TAG_METRIC_PACKET:
iter->packets++; iter->packets++;
@ -329,10 +330,14 @@ static void TagHandlePacketFlow(Flow *f, Packet *p)
case DETECT_TAG_METRIC_SECONDS: case DETECT_TAG_METRIC_SECONDS:
/* last_ts handles this metric, but also a generic time based /* last_ts handles this metric, but also a generic time based
* expiration to prevent dead sessions/hosts */ * expiration to prevent dead sessions/hosts */
if (iter->last_ts - iter->first_ts > iter->count) { if (SCTIME_SECS(iter->last_ts) - SCTIME_SECS(iter->first_ts) > iter->count) {
SCLogDebug("flow tag expired: %u - %u = %u > %u", // cast needed as gcc and clang behave differently
iter->last_ts, iter->first_ts, SCLogDebug("flow tag expired: %" PRIu64 " - %" PRIu64 " = %" PRIu64 " > %u",
(iter->last_ts - iter->first_ts), iter->count); (uint64_t)SCTIME_SECS(iter->last_ts),
(uint64_t)SCTIME_SECS(iter->first_ts),
(uint64_t)(SCTIME_SECS(iter->last_ts) -
SCTIME_SECS(iter->first_ts)),
iter->count);
/* tag expired */ /* tag expired */
if (prev != NULL) { if (prev != NULL) {
tde = iter; tde = iter;
@ -376,7 +381,7 @@ static void TagHandlePacketHost(Host *host, Packet *p)
prev = NULL; prev = NULL;
while (iter != NULL) { while (iter != NULL) {
/* update counters */ /* update counters */
iter->last_ts = SCTIME_SECS(p->ts); iter->last_ts = p->ts;
switch (iter->metric) { switch (iter->metric) {
case DETECT_TAG_METRIC_PACKET: case DETECT_TAG_METRIC_PACKET:
iter->packets++; iter->packets++;
@ -448,10 +453,13 @@ static void TagHandlePacketHost(Host *host, Packet *p)
case DETECT_TAG_METRIC_SECONDS: case DETECT_TAG_METRIC_SECONDS:
/* last_ts handles this metric, but also a generic time based /* last_ts handles this metric, but also a generic time based
* expiration to prevent dead sessions/hosts */ * expiration to prevent dead sessions/hosts */
if (iter->last_ts - iter->first_ts > iter->count) { if (SCTIME_SECS(iter->last_ts) - SCTIME_SECS(iter->first_ts) > iter->count) {
SCLogDebug("host tag expired: %u - %u = %u > %u", SCLogDebug("host tag expired: %" PRIu64 " - %" PRIu64 " = %" PRIu64 " > %u",
iter->last_ts, iter->first_ts, (uint64_t)SCTIME_SECS(iter->last_ts),
(iter->last_ts - iter->first_ts), iter->count); (uint64_t)SCTIME_SECS(iter->first_ts),
(uint64_t)(SCTIME_SECS(iter->last_ts) -
SCTIME_SECS(iter->first_ts)),
iter->count);
/* tag expired */ /* tag expired */
if (prev != NULL) { if (prev != NULL) {
tde = iter; tde = iter;
@ -568,7 +576,7 @@ int TagTimeoutCheck(Host *host, SCTime_t ts)
prev = NULL; prev = NULL;
while (tmp != NULL) { while (tmp != NULL) {
SCTime_t timeout_at = SCTIME_FROM_SECS(tmp->last_ts + TAG_MAX_LAST_TIME_SEEN); SCTime_t timeout_at = SCTIME_ADD_SECS(tmp->last_ts, TAG_MAX_LAST_TIME_SEEN);
if (SCTIME_CMP_GTE(timeout_at, ts)) { if (SCTIME_CMP_GTE(timeout_at, ts)) {
prev = tmp; prev = tmp;
tmp = tmp->next; tmp = tmp->next;
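Review bot: The seconds-metric check `SCTIME_SECS(iter->last_ts) - SCTIME_SECS(iter->first_ts) > iter->count` in TagHandlePacketFlow, and the identical line in TagHandlePacketHost, still subtracts whole seconds, so the sub-second part that first_ts and last_ts now carry is discarded. If a packet timestamp is ever earlier than first_ts (out-of-order capture, or host tags updated from packets with different clocks), the difference presumably wraps to a very large unsigned value, and the tag expires immediately, silently ending logging of the tagged traffic. Comparing the full timestamps avoids both problems, for example `if (!SCTIME_CMP_GTE(SCTIME_ADD_SECS(iter->first_ts, iter->count), iter->last_ts)) {`, assuming SCTIME_ADD_SECS accepts iter->count as its seconds argument. That changes expiry from whole-second to exact elapsed time, so it should be confirmed against the intended meaning of the seconds metric. Both functions start and end outside the hunks shown.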

@ -106,7 +106,7 @@ static int DetectTagMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
tde.sid = s->id; tde.sid = s->id;
tde.gid = s->gid; tde.gid = s->gid;
tde.last_ts = tde.first_ts = SCTIME_SECS(p->ts); tde.last_ts = tde.first_ts = p->ts;
tde.metric = td->metric; tde.metric = td->metric;
tde.count = td->count; tde.count = td->count;
if (td->direction == DETECT_TAG_DIR_SRC) if (td->direction == DETECT_TAG_DIR_SRC)
@ -123,12 +123,12 @@ static int DetectTagMatch(DetectEngineThreadCtx *det_ctx, Packet *p,
/* If it already exists it will be updated */ /* If it already exists it will be updated */
tde.sid = s->id; tde.sid = s->id;
tde.gid = s->gid; tde.gid = s->gid;
tde.last_ts = tde.first_ts = SCTIME_SECS(p->ts); tde.last_ts = tde.first_ts = p->ts;
tde.metric = td->metric; tde.metric = td->metric;
tde.count = td->count; tde.count = td->count;
SCLogDebug("Adding to or updating flow; first_ts %u count %u", SCLogDebug("Adding to or updating flow; first_ts %" PRIu64 " count %u",
tde.first_ts, tde.count); (uint64_t)SCTIME_SECS(tde.first_ts), tde.count);
TagFlowAdd(p, &tde); TagFlowAdd(p, &tde);
} else { } else {
SCLogDebug("No flow to append the session tag"); SCLogDebug("No flow to append the session tag");

@ -79,11 +79,8 @@ typedef struct DetectTagDataEntry_ {
uint32_t packets; /**< number of packets (metric packets) */ uint32_t packets; /**< number of packets (metric packets) */
uint32_t bytes; /**< number of bytes (metric bytes) */ uint32_t bytes; /**< number of bytes (metric bytes) */
}; };
uint32_t first_ts; /**< First time seen (for metric = seconds) */ SCTime_t first_ts; /**< First time seen (for metric = seconds) */
uint32_t last_ts; /**< Last time seen (to prune old sessions) */ SCTime_t last_ts; /**< Last time seen (to prune old sessions) */
#if __WORDSIZE == 64
uint32_t pad1;
#endif
struct DetectTagDataEntry_ *next; /**< Pointer to the next tag of this struct DetectTagDataEntry_ *next; /**< Pointer to the next tag of this
* session/src_host/dst_host (if any from other rule) */ * session/src_host/dst_host (if any from other rule) */
} DetectTagDataEntry; } DetectTagDataEntry;
