Merge pull request #1607 in SNORT/snort3 from ~SMINUT/snort3:filters_xhash_peg to...

Squashed commit of the following:

commit 6182a08ddbac76285aad2bd3194282f5402075da
Author: Silviu Minut <sminut@cisco.com>
Date:   Wed May 15 09:40:34 2019 -0400

    filters: add peg count for when the thd_runtime XHash table gets full.

diff --git a/src/filters/sfrf.cc b/src/filters/sfrf.cc
index 62a469ab96f660a49261d7f28853ac74bd8a9713..52200382372cc098f9d1d3b9e596992b03f3ffaf 100644 (file)
--- a/src/filters/sfrf.cc
+++ b/src/filters/sfrf.cc
@@ -47,6 +47,9 @@ using namespace snort;
 #define SFRF_NO_REVERT_LIMIT 1000
 
 // private data ...
+
+THREAD_LOCAL RateFilterStats rate_filter_stats;
+
 /* Key to find tracking nodes in trackingHash.
  */
 PADDING_GUARD_BEGIN
@@ -793,7 +796,14 @@ static tSFRFTrackingNode* _getSFRFTrackingNode(const snort::SfIp* ip, unsigned t
      * Check for any Permanent sid objects for this gid or add this one ...
      */
     XHashNode* hnode = xhash_get_node(rf_hash, (void*)&key);
-    if ( hnode && hnode->data )
+    if ( !hnode )
+    {
+        // xhash_get_node fails to insert only if rf_hash is full.
+        rate_filter_stats.xhash_nomem_peg++;
+        return dynNode;
+    }
+
+    if ( hnode->data )
     {
         dynNode = (tSFRFTrackingNode*)hnode->data;
 

diff --git a/src/filters/sfrf.h b/src/filters/sfrf.h
index eb3c6014bc84047c44fed898950440b7032f14ee..5c8c79fcc0f1ee0808428e6bedf3414be5e1a6d4 100644 (file)
--- a/src/filters/sfrf.h
+++ b/src/filters/sfrf.h
@@ -27,6 +27,7 @@
 #include <ctime>
 
 #include "actions/actions.h"
+#include "framework/counts.h"
 #include "main/policy.h"
 
 namespace snort
@@ -145,6 +146,11 @@ struct RateFilterConfig
     int internal_event_mask;
 };
 
+struct RateFilterStats
+{
+    PegCount xhash_nomem_peg = 0;
+};
+
 /*
  * Prototypes
  */

diff --git a/src/filters/sfthd.cc b/src/filters/sfthd.cc
index 2479e9e233042840d4ad8effb212cfd7486520f7..ba519086b874481eae763199be8291d72ce9081d 100644 (file)
--- a/src/filters/sfthd.cc
+++ b/src/filters/sfthd.cc
@@ -37,6 +37,7 @@
 
 #include "hash/ghash.h"
 #include "hash/xhash.h"
+#include "main/thread.h"
 #include "sfip/sf_ipvar.h"
 #include "utils/dyn_array.h"
 #include "utils/sflsq.h"
@@ -47,6 +48,8 @@ using namespace snort;
 //  Debug Printing
 //#define THD_DEBUG
 
+THREAD_LOCAL EventFilterStats event_filter_stats;
+
 XHash* sfthd_new_hash(unsigned nbytes, size_t key, size_t data)
 {
     size_t size = key + data;
@@ -910,6 +913,11 @@ int sfthd_test_local(
         /* Increment the event count */
         sfthd_ip_node->count++;
     }
+    else if (status == XHASH_NOMEM)
+    {
+        event_filter_stats.xhash_nomem_peg_local++;
+        return 1;
+    }
     else if (status != XHASH_OK)
     {
         /* hash error */
@@ -1003,6 +1011,11 @@ static inline int sfthd_test_global(
         /* Increment the event count */
         sfthd_ip_node->count++;
     }
+    else if (status == XHASH_NOMEM)
+    {
+        event_filter_stats.xhash_nomem_peg_global++;
+        return 1;
+    }
     else if (status != XHASH_OK)
     {
         /* hash error */

diff --git a/src/filters/sfthd.h b/src/filters/sfthd.h
index 07fdb380187c5e18854e5ddad19b77d16f73be70..78b08791a2fd8decce2f965f958272a6b6e4c143 100644 (file)
--- a/src/filters/sfthd.h
+++ b/src/filters/sfthd.h
@@ -23,6 +23,7 @@
 #ifndef SFTHD_H
 #define SFTHD_H
 
+#include "framework/counts.h"
 #include "main/policy.h"
 #include "sfip/sf_ip.h"
 #include "utils/cpp_macros.h"
@@ -208,6 +209,12 @@ struct ThresholdObjects
     PolicyId numPoliciesAllocated;
 };
 
+struct EventFilterStats
+{
+    PegCount xhash_nomem_peg_local = 0;
+    PegCount xhash_nomem_peg_global = 0;
+};
+
 /*
  * Prototypes
  */

diff --git a/src/main/modules.cc b/src/main/modules.cc
index 3abaa0886b1376ac4b35eb65f846312be4e15d85..fed81a21e24ad0a2652ab08d2fb2b9b78ea4259a 100644 (file)
--- a/src/main/modules.cc
+++ b/src/main/modules.cc
@@ -1555,6 +1555,14 @@ static const Parameter event_filter_params[] =
 #define event_filter_help \
     "configure thresholding of events"
 
+extern THREAD_LOCAL EventFilterStats event_filter_stats; // in sfthd.cc
+const PegInfo event_filter_peg_names[] =
+{
+    { CountType::SUM, "no_memory_local", "number of times event filter ran out of local memory" },
+    { CountType::SUM, "no_memory_global", "number of times event filter ran out of global memory" },
+    { CountType::END, nullptr, nullptr }
+};
+
 class EventFilterModule : public Module
 {
 public:
@@ -1564,6 +1572,16 @@ public:
     bool begin(const char*, int, SnortConfig*) override;
     bool end(const char*, int, SnortConfig*) override;
 
+    const PegInfo* get_pegs() const override
+    {
+        return event_filter_peg_names;
+    }
+
+    PegCount* get_counts() const override
+    {
+        return (PegCount*)&event_filter_stats;
+    }
+
     Usage get_usage() const override
     { return CONTEXT; }
 
@@ -1657,6 +1675,14 @@ static const Parameter rate_filter_params[] =
 #define rate_filter_help \
     "configure rate filters (which change rule actions)"
 
+extern THREAD_LOCAL RateFilterStats rate_filter_stats;
+const PegInfo rate_filter_peg_names[] =
+{
+    { CountType::SUM, "no_memory", "number of times rate filter ran out of memory" },
+    { CountType::END, nullptr, nullptr }
+};
+
+
 class RateFilterModule : public Module
 {
 public:
@@ -1667,6 +1693,16 @@ public:
     bool begin(const char*, int, SnortConfig*) override;
     bool end(const char*, int, SnortConfig*) override;
 
+    const PegInfo* get_pegs() const override
+    {
+        return rate_filter_peg_names;
+    }
+
+    PegCount* get_counts() const override
+    {
+        return (PegCount*)&rate_filter_stats;
+    }
+
     Usage get_usage() const override
     { return DETECT; }