detect/stats: log out total of discarded alerts

author Juliana Fajardini <jufajardini@gmail.com>

Tue, 5 Apr 2022 19:54:29 +0000 (16:54 -0300)

committer Victor Julien <vjulien@oisf.net>

Tue, 3 May 2022 07:10:02 +0000 (09:10 +0200)
author Juliana Fajardini <jufajardini@gmail.com>
Tue, 5 Apr 2022 19:54:29 +0000 (16:54 -0300)
committer Victor Julien <vjulien@oisf.net>
Tue, 3 May 2022 07:10:02 +0000 (09:10 +0200)
diff --git a/src/decode.h b/src/decode.h

index 2506a1d4b8043aec8c888d5138ce4776cc8ff3a5..f44aac4232eab161878398322f32563c3d59eaf8 100644 (file)
--- a/src/decode.h
+++ b/src/decode.h
@@ -297,6 +297,7 @@ extern uint16_t packet_alert_max;
  
  typedef struct PacketAlerts_ {
      uint16_t cnt;
+    uint16_t discarded;
      PacketAlert *alerts;
      /* single pa used when we're dropping,
       * so we can log it out in the drop log. */
@@ -768,72 +769,74 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
  /**
   *  \brief Recycle a packet structure for reuse.
   */
-#define PACKET_REINIT(p) do {             \
-        CLEAR_ADDR(&(p)->src);                  \
-        CLEAR_ADDR(&(p)->dst);                  \
-        (p)->sp = 0;                            \
-        (p)->dp = 0;                            \
-        (p)->proto = 0;                         \
-        (p)->recursion_level = 0;               \
-        PACKET_FREE_EXTDATA((p));               \
-        (p)->flags = (p)->flags & PKT_ALLOC;    \
-        (p)->flowflags = 0;                     \
-        (p)->pkt_src = 0;                       \
-        (p)->vlan_id[0] = 0;                    \
-        (p)->vlan_id[1] = 0;                    \
-        (p)->vlan_idx = 0;                      \
-        (p)->ts.tv_sec = 0;                     \
-        (p)->ts.tv_usec = 0;                    \
-        (p)->datalink = 0;                      \
-        (p)->action = 0;                        \
-        if ((p)->pktvar != NULL) {              \
-            PktVarFree((p)->pktvar);            \
-            (p)->pktvar = NULL;                 \
-        }                                       \
-        (p)->ethh = NULL;                       \
-        if ((p)->ip4h != NULL) {                \
-            CLEAR_IPV4_PACKET((p));             \
-        }                                       \
-        if ((p)->ip6h != NULL) {                \
-            CLEAR_IPV6_PACKET((p));             \
-        }                                       \
-        if ((p)->tcph != NULL) {                \
-            CLEAR_TCP_PACKET((p));              \
-        }                                       \
-        if ((p)->udph != NULL) {                \
-            CLEAR_UDP_PACKET((p));              \
-        }                                       \
-        if ((p)->sctph != NULL) {               \
-            CLEAR_SCTP_PACKET((p));             \
-        }                                       \
-        if ((p)->icmpv4h != NULL) {             \
-            CLEAR_ICMPV4_PACKET((p));           \
-        }                                       \
-        if ((p)->icmpv6h != NULL) {             \
-            CLEAR_ICMPV6_PACKET((p));           \
-        }                                       \
-        (p)->ppph = NULL;                       \
-        (p)->pppoesh = NULL;                    \
-        (p)->pppoedh = NULL;                    \
-        (p)->greh = NULL;                       \
-        (p)->payload = NULL;                    \
-        (p)->payload_len = 0;                   \
-        (p)->BypassPacketsFlow = NULL;          \
-        (p)->pktlen = 0;                        \
-        (p)->alerts.cnt = 0;                    \
-        (p)->alerts.drop.action = 0;            \
-        (p)->pcap_cnt = 0;                      \
-        (p)->tunnel_rtv_cnt = 0;                \
-        (p)->tunnel_tpr_cnt = 0;                \
-        (p)->events.cnt = 0;                    \
-        AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
-        (p)->next = NULL;                       \
-        (p)->prev = NULL;                       \
-        (p)->root = NULL;                       \
-        (p)->livedev = NULL;                    \
-        PACKET_RESET_CHECKSUMS((p));            \
-        PACKET_PROFILING_RESET((p));            \
-        p->tenant_id = 0;                       \
+#define PACKET_REINIT(p)                                                                           \
+    do {                                                                                           \
+        CLEAR_ADDR(&(p)->src);                                                                     \
+        CLEAR_ADDR(&(p)->dst);                                                                     \
+        (p)->sp = 0;                                                                               \
+        (p)->dp = 0;                                                                               \
+        (p)->proto = 0;                                                                            \
+        (p)->recursion_level = 0;                                                                  \
+        PACKET_FREE_EXTDATA((p));                                                                  \
+        (p)->flags = (p)->flags & PKT_ALLOC;                                                       \
+        (p)->flowflags = 0;                                                                        \
+        (p)->pkt_src = 0;                                                                          \
+        (p)->vlan_id[0] = 0;                                                                       \
+        (p)->vlan_id[1] = 0;                                                                       \
+        (p)->vlan_idx = 0;                                                                         \
+        (p)->ts.tv_sec = 0;                                                                        \
+        (p)->ts.tv_usec = 0;                                                                       \
+        (p)->datalink = 0;                                                                         \
+        (p)->action = 0;                                                                           \
+        if ((p)->pktvar != NULL) {                                                                 \
+            PktVarFree((p)->pktvar);                                                               \
+            (p)->pktvar = NULL;                                                                    \
+        }                                                                                          \
+        (p)->ethh = NULL;                                                                          \
+        if ((p)->ip4h != NULL) {                                                                   \
+            CLEAR_IPV4_PACKET((p));                                                                \
+        }                                                                                          \
+        if ((p)->ip6h != NULL) {                                                                   \
+            CLEAR_IPV6_PACKET((p));                                                                \
+        }                                                                                          \
+        if ((p)->tcph != NULL) {                                                                   \
+            CLEAR_TCP_PACKET((p));                                                                 \
+        }                                                                                          \
+        if ((p)->udph != NULL) {                                                                   \
+            CLEAR_UDP_PACKET((p));                                                                 \
+        }                                                                                          \
+        if ((p)->sctph != NULL) {                                                                  \
+            CLEAR_SCTP_PACKET((p));                                                                \
+        }                                                                                          \
+        if ((p)->icmpv4h != NULL) {                                                                \
+            CLEAR_ICMPV4_PACKET((p));                                                              \
+        }                                                                                          \
+        if ((p)->icmpv6h != NULL) {                                                                \
+            CLEAR_ICMPV6_PACKET((p));                                                              \
+        }                                                                                          \
+        (p)->ppph = NULL;                                                                          \
+        (p)->pppoesh = NULL;                                                                       \
+        (p)->pppoedh = NULL;                                                                       \
+        (p)->greh = NULL;                                                                          \
+        (p)->payload = NULL;                                                                       \
+        (p)->payload_len = 0;                                                                      \
+        (p)->BypassPacketsFlow = NULL;                                                             \
+        (p)->pktlen = 0;                                                                           \
+        (p)->alerts.cnt = 0;                                                                       \
+        (p)->alerts.discarded = 0;                                                                 \
+        (p)->alerts.drop.action = 0;                                                               \
+        (p)->pcap_cnt = 0;                                                                         \
+        (p)->tunnel_rtv_cnt = 0;                                                                   \
+        (p)->tunnel_tpr_cnt = 0;                                                                   \
+        (p)->events.cnt = 0;                                                                       \
+        AppLayerDecoderEventsResetEvents((p)->app_layer_events);                                   \
+        (p)->next = NULL;                                                                          \
+        (p)->prev = NULL;                                                                          \
+        (p)->root = NULL;                                                                          \
+        (p)->livedev = NULL;                                                                       \
+        PACKET_RESET_CHECKSUMS((p));                                                               \
+        PACKET_PROFILING_RESET((p));                                                               \
+        p->tenant_id = 0;                                                                          \
          p->nb_decoded_layers = 0;                                                                  \
      } while (0)
  
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c

index 5d64a7fb349fa5e5e58143aaa9109cbd2064030f..ede6ffd0d07ac3c7816820f8aeceaac894f6dbcd 100644 (file)
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -266,6 +266,7 @@ void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet
          /* we must grow the alert queue */
          if (pos == AlertQueueExpand(det_ctx)) {
              /* this means we failed to expand the queue */
+            det_ctx->p->alerts.discarded++;
              return;
          }
      }
@@ -367,6 +368,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
          /* Thresholding removes this alert */
          if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
              /* we will not copy this to the AlertQueue */
+            p->alerts.discarded++;
          } else if (p->alerts.cnt < packet_alert_max) {
              p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
              SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
@@ -377,6 +379,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                  break;
              }
              p->alerts.cnt++;
+        } else {
+            p->alerts.discarded++;
          }
          i++;
      }
diff --git a/src/detect-engine.c b/src/detect-engine.c

index 486bb9d67db00942ebd52ff75212fe2d9571ab4e..a58b2e1ccd28c33ac6076afdd673f647dadbd45c 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2875,6 +2875,7 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
  
      /** alert counter setup */
      det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
+    det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
  #ifdef PROFILING
      det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
      det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
diff --git a/src/detect.c b/src/detect.c

index 127a914ec4b205beae7c237f121691e34f2062a2..98598073d72b52df2dfa04022d981fc3d96b9b73 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -821,6 +821,7 @@ static DetectRunScratchpad DetectRunSetup(
  
  #ifdef UNITTESTS
      p->alerts.cnt = 0;
+    p->alerts.discarded = 0;
  #endif
      det_ctx->ticker++;
      det_ctx->filestore_cnt = 0;
@@ -930,6 +931,9 @@ static inline void DetectRunPostRules(
      if (p->alerts.cnt > 0) {
          StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
      }
+    if (p->alerts.discarded > 0) {
+        StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
+    }
      PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
  }
  
diff --git a/src/detect.h b/src/detect.h

index cf61250247c2df9a51de56f51e8a0318ab9a0a46..d010f83d1019ac4785ed1c09797afdbf61fd7ea6 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1053,6 +1053,8 @@ typedef struct DetectEngineThreadCtx_ {
  
      /** id for alert counter */
      uint16_t counter_alerts;
+    /** id for discarded alerts counter**/
+    uint16_t counter_alerts_overflow;
  #ifdef PROFILING
      uint16_t counter_mpm_list;
      uint16_t counter_nonmpm_list;
author	Juliana Fajardini <jufajardini@gmail.com>
	Tue, 5 Apr 2022 19:54:29 +0000 (16:54 -0300)
committer	Victor Julien <vjulien@oisf.net>
	Tue, 3 May 2022 07:10:02 +0000 (09:10 +0200)
src/decode.h		patch \| blob \| blame \| history
src/detect-engine-alert.c		patch \| blob \| blame \| history
src/detect-engine.c		patch \| blob \| blame \| history
src/detect.c		patch \| blob \| blame \| history
src/detect.h		patch \| blob \| blame \| history