lua: add logging and counter for instruction limit being exceeded

author Jason Ish <jason.ish@oisf.net>

Fri, 24 May 2024 21:57:08 +0000 (15:57 -0600)

committer Jason Ish <jason.ish@oisf.net>

Mon, 27 May 2024 22:44:54 +0000 (16:44 -0600)
author Jason Ish <jason.ish@oisf.net>
Fri, 24 May 2024 21:57:08 +0000 (15:57 -0600)
committer Jason Ish <jason.ish@oisf.net>
Mon, 27 May 2024 22:44:54 +0000 (16:44 -0600)
diff --git a/etc/schema.json b/etc/schema.json

index 25bf6ad26f610f87f4f42935df0e469aec3828e7..7c0e9afcef9956903862b71d392292bad769eff5 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -5244,6 +5244,10 @@
                                      "description": "Counter for Lua scripts failing due to blocked functions being called",
                                      "type": "integer"
                                  },
+                                "instruction_limit_errors": {
+                                    "description": "Count of Lua rules exceeding the instruction limit",
+                                    "type": "integer"
+                                },
                                  "errors": {
                                      "description": "Errors encountered while running Lua scripts",
                                      "type": "integer"
diff --git a/src/detect-engine.c b/src/detect-engine.c

index 19effcbbaeb16ae8e69a2626b8c8f5227afb9809..b5b36703a32773a118b26ce5dcce9809f80446b4 100644 (file)
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -3339,6 +3339,10 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
      det_ctx->lua_blocked_function_errors =
              StatsRegisterCounter("detect.lua.blocked_function_errors", tv);
  
+    /* Register a counter for Lua instruction limit errors. */
+    det_ctx->lua_instruction_limit_errors =
+            StatsRegisterCounter("detect.lua.instruction_limit_errors", tv);
+
  #ifdef PROFILING
      det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
      det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
diff --git a/src/detect-lua.c b/src/detect-lua.c

index 47cf1428718432e6988f416beb6c87ca1912cd62..8f6907814e03b39597dc04d8c0a012b99037cb25 100644 (file)
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -124,6 +124,7 @@ void DetectLuaRegister(void)
  #define FLAG_DATATYPE_BUFFER                    BIT_U32(22)
  #define FLAG_ERROR_LOGGED                       BIT_U32(23)
  #define FLAG_BLOCKED_FUNCTION_LOGGED            BIT_U32(24)
+#define FLAG_INSTRUCTION_LIMIT_LOGGED           BIT_U32(25)
  
  #define DEFAULT_LUA_ALLOC_LIMIT       500000
  #define DEFAULT_LUA_INSTRUCTION_LIMIT 500000
@@ -181,6 +182,9 @@ static int DetectLuaRunMatch(
          if (context->blocked_function_error) {
              StatsIncr(det_ctx->tv, det_ctx->lua_blocked_function_errors);
              flag = FLAG_BLOCKED_FUNCTION_LOGGED;
+        } else if (context->instruction_count_error) {
+            StatsIncr(det_ctx->tv, det_ctx->lua_instruction_limit_errors);
+            flag = FLAG_INSTRUCTION_LIMIT_LOGGED;
          } else {
              flag = FLAG_ERROR_LOGGED;
          }
diff --git a/src/detect.h b/src/detect.h

index 6ce0ec8883ef26a2678d871a03fe66dc29a8f085..49570b7317eb3dd2d01bb65ff6af44f12f0882e5 100644 (file)
--- a/src/detect.h
+++ b/src/detect.h
@@ -1242,6 +1242,9 @@ typedef struct DetectEngineThreadCtx_ {
      /** stats id for lua blocked function counts */
      uint16_t lua_blocked_function_errors;
  
+    /** stats if for lua instruction limit errors */
+    uint16_t lua_instruction_limit_errors;
+
  #ifdef DEBUG
      uint64_t pkt_stream_add_cnt;
      uint64_t payload_mpm_cnt;
diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c

index bd59dc95d06c9e58ea0e2e7ce4b706c8345df684..c13fdaf5dd6c492af698ece449ffb36dd61f8aeb 100644 (file)
--- a/src/util-lua-sandbox.c
+++ b/src/util-lua-sandbox.c
@@ -346,8 +346,8 @@ static void HookFunc(lua_State *L, lua_Debug *ar)
      sb->instruction_count += sb->hook_instruction_count;
  
      if (sb->instruction_limit > 0 && sb->instruction_count > sb->instruction_limit) {
-        // TODO: do we care enough for a full traceback here?
-        luaL_error(L, "Instruction limit exceeded");
+        sb->instruction_count_error = true;
+        luaL_error(L, "instruction limit exceeded");
      }
  }
  
@@ -359,6 +359,7 @@ void SCLuaSbResetInstructionCounter(lua_State *L)
      SCLuaSbState *sb = SCLuaSbGetContext(L);
      if (sb != NULL) {
          sb->blocked_function_error = false;
+        sb->instruction_count_error = false;
          sb->instruction_count = 0;
          lua_sethook(L, HookFunc, LUA_MASKCOUNT, sb->hook_instruction_count);
      }
diff --git a/src/util-lua-sandbox.h b/src/util-lua-sandbox.h

index 6551016738fb6daeecc0cffdcab9db68218e5730..f16604933021fa6f3f62582552c0346d4eccfa3f 100644 (file)
--- a/src/util-lua-sandbox.h
+++ b/src/util-lua-sandbox.h
@@ -51,6 +51,7 @@ typedef struct SCLuaSbState {
  
      /* Errors. */
      bool blocked_function_error;
+    bool instruction_count_error;
  } SCLuaSbState;
  
  /*
author	Jason Ish <jason.ish@oisf.net>
	Fri, 24 May 2024 21:57:08 +0000 (15:57 -0600)
committer	Jason Ish <jason.ish@oisf.net>
	Mon, 27 May 2024 22:44:54 +0000 (16:44 -0600)
etc/schema.json		patch \| blob \| blame \| history
src/detect-engine.c		patch \| blob \| blame \| history
src/detect-lua.c		patch \| blob \| blame \| history
src/detect.h		patch \| blob \| blame \| history
src/util-lua-sandbox.c		patch \| blob \| blame \| history
src/util-lua-sandbox.h		patch \| blob \| blame \| history