typedef struct PacketAlerts_ {
uint16_t cnt;
+ uint16_t discarded;
PacketAlert *alerts;
/* single pa used when we're dropping,
* so we can log it out in the drop log. */
(p)->BypassPacketsFlow = NULL; \
(p)->pktlen = 0; \
(p)->alerts.cnt = 0; \
+ (p)->alerts.discarded = 0; \
(p)->alerts.drop.action = 0; \
(p)->pcap_cnt = 0; \
(p)->tunnel_rtv_cnt = 0; \
/* we must grow the alert queue */
if (pos == AlertQueueExpand(det_ctx)) {
/* this means we failed to expand the queue */
+ det_ctx->p->alerts.discarded++;
return;
}
}
/* Thresholding removes this alert */
if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
/* we will not copy this to the AlertQueue */
+ p->alerts.discarded++;
} else if (p->alerts.cnt < packet_alert_max) {
p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
break;
}
p->alerts.cnt++;
+ } else {
+ p->alerts.discarded++;
}
i++;
}
/** alert counter setup */
det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
+ det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
#ifdef PROFILING
det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
#ifdef UNITTESTS
p->alerts.cnt = 0;
+ p->alerts.discarded = 0;
#endif
det_ctx->filestore_cnt = 0;
det_ctx->base64_decoded_len = 0;
if (p->alerts.cnt > 0) {
StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
}
+ if (p->alerts.discarded > 0) {
+ StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
+ }
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
}
/** id for alert counter */
uint16_t counter_alerts;
+ /** id for discarded alerts counter**/
+ uint16_t counter_alerts_overflow;
#ifdef PROFILING
uint16_t counter_mpm_list;
uint16_t counter_nonmpm_list;
projects / thirdparty / suricata.git / commitdiff
