config.show();
}
+unsigned OdpContext::get_pattern_count()
+{
+ return service_pattern_detector->get_pattern_count() +
+ client_pattern_detector->get_pattern_count() +
+ service_disco_mgr.get_pattern_count() +
+ client_disco_mgr.get_pattern_count() +
+ http_matchers.get_pattern_count() +
+ eve_ca_matchers.get_pattern_count() +
+ alpn_matchers.get_pattern_count() +
+ sip_matchers.get_pattern_count() +
+ ssl_matchers.get_pattern_count() +
+ ssh_matchers.get_pattern_count() +
+ dns_matchers.get_pattern_count();
+}
+
OdpContext::OdpContext(const AppIdConfig& config, SnortConfig* sc)
{
app_info_mgr.init_appid_info_table(config, sc, *this);
uint32_t first_decrypted_packet_debug = 0;
bool log_eve_process_client_mappings = false;
bool log_alpn_service_mappings = false;
+ bool log_memory_and_pattern_count = false;
#endif
bool log_stats = false;
uint32_t app_stats_period = 300;
return alpn_matchers;
}
+ unsigned get_pattern_count();
void add_port_service_id(IpProtocol, uint16_t, AppId);
void add_protocol_service_id(IpProtocol, AppId);
AppId get_port_service_id(IpProtocol, uint16_t);
#include "appid_inspector.h"
#include <openssl/crypto.h>
+#include <sys/resource.h>
#include "flow/flow.h"
+#include "log/messages.h"
#include "main/analyzer_command.h"
#include "managers/inspector_manager.h"
#include "managers/module_manager.h"
{
assert(!ctxt);
+ struct rusage ru;
+ long prev_maxrss = -1;
+ #ifdef REG_TEST
+ if ( config->log_memory_and_pattern_count )
+ {
+ #endif
+ if ( getrusage(RUSAGE_SELF, &ru) == 0 )
+ prev_maxrss = ru.ru_maxrss;
+ #ifdef REG_TEST
+ }
+ #endif
+
ctxt = new AppIdContext(const_cast<AppIdConfig&>(*config));
ctxt->init_appid(sc, *this);
+ #ifdef REG_TEST
+ if ( config->log_memory_and_pattern_count )
+ {
+ #endif
+ if ( prev_maxrss == -1 or getrusage(RUSAGE_SELF, &ru) == -1 )
+ ErrorMessage("appid: fetching memory usage failed\n");
+ else
+ LogMessage("appid: MaxRss diff: %li\n", ru.ru_maxrss - prev_maxrss);
+
+ LogMessage("appid: patterns loaded: %u\n", ctxt->get_odp_ctxt().get_pattern_count());
+ #ifdef REG_TEST
+ }
+ #endif
+
DataBus::subscribe_global(http_pub_key, HttpEventIds::REQUEST_HEADER,
new HttpEventHandler(HttpEventHandler::REQUEST_EVENT, *this), *sc);
#include <climits>
#include <lua.hpp>
+#include <sys/resource.h>
#include "control/control.h"
#include "host_tracker/host_cache.h"
"enable logging of encrypted visibility engine process to client mappings" },
{ "log_alpn_service_mappings", Parameter::PT_BOOL, nullptr, "false",
"enable logging of alpn service mappings" },
+ { "log_memory_and_pattern_count", Parameter::PT_BOOL, nullptr, "false",
+ "enable logging of memory usage and pattern counts" },
#endif
{ "memcap", Parameter::PT_INT, "1024:maxSZ", "1048576",
"max size of the service cache before we start pruning the cache" },
ctrlcon->respond(".. reloading detectors\n");
+ struct rusage ru;
+ long prev_maxrss = -1;
+ #ifdef REG_TEST
+ if ( inspector->get_config().log_memory_and_pattern_count )
+ {
+ #endif
+ getrusage(RUSAGE_SELF, &ru);
+ prev_maxrss = ru.ru_maxrss;
+ #ifdef REG_TEST
+ }
+ #endif
+
AppIdContext& ctxt = inspector->get_ctxt();
OdpContext& old_odp_ctxt = ctxt.get_odp_ctxt();
ServiceDiscovery::clear_ftp_service_state();
ctrlcon->respond("== swapping detectors configuration\n");
ReloadTracker::update(ctrlcon, "swapping detectors configuration");
+
+ #ifdef REG_TEST
+ if ( inspector->get_config().log_memory_and_pattern_count )
+ {
+ #endif
+ getrusage(RUSAGE_SELF, &ru);
+ LogMessage("appid: MaxRss diff: %li\n", ru.ru_maxrss - prev_maxrss);
+ LogMessage("appid: patterns loaded: %u\n", odp_ctxt.get_pattern_count());
+ #ifdef REG_TEST
+ }
+ #endif
+
main_broadcast_command(new ACOdpContextSwap(*inspector, old_odp_ctxt, ctrlcon), ctrlcon);
return 0;
}
config->log_eve_process_client_mappings = v.get_bool();
else if (v.is("log_alpn_service_mappings") )
config->log_alpn_service_mappings = v.get_bool();
+ else if (v.is("log_memory_and_pattern_count") )
+ config->log_memory_and_pattern_count = v.get_bool();
else
#endif
if ( v.is("memcap") )
udp_patterns.reload();
}
+unsigned ClientDiscovery::get_pattern_count()
+{
+ return tcp_pattern_count + udp_pattern_count;
+}
+
/*
* Callback function for string search
*
void finalize_client_patterns();
void reload_client_patterns();
+ unsigned get_pattern_count();
bool do_client_discovery(AppIdSession&, snort::Packet*,
AppidSessionDirection direction, AppidChangeBits& change_bits);
eve_ca_pattern_matcher.reload();
}
+unsigned EveCaPatternMatchers::get_pattern_count()
+{
+ return eve_ca_load_list.size();
+}
void add_eve_ca_pattern(AppId, const std::string&, uint8_t, const std::string&);
void finalize_patterns();
void reload_patterns();
+ unsigned get_pattern_count();
const EveCaPatternList& get_eve_ca_load_list() const { return eve_ca_load_list; }
{
if (pattern->data && pattern->length)
{
+ pattern_count++;
if (ps->proto == IpProtocol::TCP)
{
handler->register_tcp_pattern(this, pattern->data, pattern->length,
else
{
for (Pattern* pattern = ps->pattern; pattern; pattern = pattern->next)
+ {
+ pattern_count++;
ps->count++;
+ }
}
}
udp_pattern_matcher->reload();
}
+unsigned PatternServiceDetector::get_pattern_count()
+{
+ return pattern_count;
+}
+
PatternServiceDetector::PatternServiceDetector(ServiceDiscovery* sd)
{
handler = sd;
{
if (pattern->data && pattern->length)
{
+ pattern_count++;
if (ps->proto == IpProtocol::TCP)
{
handler->register_tcp_pattern(this, pattern->data, pattern->length,
udp_pattern_matcher->reload();
}
+unsigned PatternClientDetector::get_pattern_count()
+{
+ return pattern_count;
+}
void insert_client_port_pattern(PortPatternNode*);
void finalize_client_port_patterns(AppIdInspector&);
void reload_client_port_patterns();
+ unsigned get_pattern_count();
int validate(AppIdDiscoveryArgs&) override;
PatternService* service_port_pattern = nullptr;
snort::SearchTool* tcp_pattern_matcher = nullptr;
snort::SearchTool* udp_pattern_matcher = nullptr;
+ unsigned pattern_count = 0;
};
class PatternServiceDetector : public ServiceDetector
void insert_service_port_pattern(PortPatternNode*);
void finalize_service_port_patterns(AppIdInspector&);
void reload_service_port_patterns();
+ unsigned get_pattern_count();
int validate(AppIdDiscoveryArgs&) override;
snort::SearchTool* udp_pattern_matcher = nullptr;
snort::SearchTool* tcp_port_pattern_tree[65536] = { };
snort::SearchTool* udp_port_pattern_tree[65536] = { };
+ unsigned pattern_count = 0;
};
#endif
/* Add patterns from Lua API */
for (element = dns_host_pattern_list; element; element = element->next)
{
+ pattern_count++;
dns_host_matcher.add((char*)element->dpattern->pattern,
element->dpattern->pattern_size, element->dpattern, true);
}
dns_host_matcher.reload();
}
+unsigned DnsPatternMatchers::get_pattern_count()
+{
+ return pattern_count;
+}
+
DnsPatternMatchers::~DnsPatternMatchers()
{
DnsHostPatternList* tmp_pattern;
void add_host_pattern(uint8_t*, size_t, uint8_t, AppId);
void finalize_patterns();
void reload_patterns();
+ unsigned get_pattern_count();
int scan_hostname(const uint8_t*, size_t, AppId&, AppId&);
private:
DnsHostPatternList* dns_host_pattern_list = nullptr;
snort::SearchTool dns_host_matcher = snort::SearchTool();
+ unsigned pattern_count = 0;
};
#endif
tmp_chpa = tmp_chpa->next;
tmp_chpa->next = chpa;
}
+ chp_pattern_count++;
}
void HttpPatternMatchers::insert_http_pattern(enum httpPatternType pType,
chp_matchers[i].reload();
}
+unsigned HttpPatternMatchers::get_pattern_count()
+{
+ return chp_pattern_count +
+ client_agent_patterns.size() +
+ content_type_patterns.size() +
+ url_patterns.size() +
+ host_url_patterns.size();
+}
+
static inline void free_matched_patterns(MatchedPatterns* mp)
{
while (mp)
int finalize_patterns();
void reload_patterns();
+ unsigned get_pattern_count();
void insert_chp_pattern(CHPListElement*);
void insert_http_pattern(enum httpPatternType, DetectorHTTPPattern&);
void remove_http_patterns_for_id(AppId);
snort::SearchTool chp_matchers[NUM_HTTP_FIELDS];
tMlmpTree* host_url_matcher = nullptr;
tMlmpTree* rtmp_host_url_matcher = nullptr;
+ unsigned chp_pattern_count = 0;
void free_chp_app_elements();
int add_mlmp_pattern(tMlmpTree* matcher, DetectorHTTPPattern& pattern );
for ( pattern_node = sip_ua_list; pattern_node; pattern_node =
pattern_node->next )
{
+ pattern_count++;
num_patterns = odp_ctxt.get_http_matchers().parse_multiple_http_patterns(
(const char*)pattern_node->pattern.pattern, patterns, PATTERN_PART_MAX, 0);
patterns[num_patterns].pattern = nullptr;
for ( pattern_node = sip_server_list; pattern_node; pattern_node =
pattern_node->next )
{
+ pattern_count++;
num_patterns = odp_ctxt.get_http_matchers().parse_multiple_http_patterns(
(const char*)pattern_node->pattern.pattern, patterns, PATTERN_PART_MAX, 0);
patterns[num_patterns].pattern = nullptr;
mlmp_reload_patterns(*sip_server_matcher);
}
+unsigned SipPatternMatchers::get_pattern_count()
+{
+ return pattern_count;
+}
+
int SipPatternMatchers::get_client_from_ua(const char* pattern, uint32_t pattern_len,
AppId& client_id, char*& client_version)
{
int get_client_from_server(const char*, uint32_t, AppId&, char*&);
void finalize_patterns(OdpContext&);
void reload_patterns();
+ unsigned get_pattern_count();
private:
static const int PATTERN_PART_MAX = 10;
DetectorAppSipPattern* sip_ua_list = nullptr;
tMlmpTree* sip_server_matcher = nullptr;
DetectorAppSipPattern* sip_server_list = nullptr;
+ unsigned pattern_count = 0;
};
#endif
{
return ssh_patterns.at(pattern);
}
+
+unsigned SshPatternMatchers::get_pattern_count()
+{
+ return ssh_patterns.size();
+}
bool has_pattern(const std::string& pattern) const;
bool empty() const;
AppId get_appid(const std::string& pattern) const;
+ unsigned get_pattern_count();
private:
SshPatternTable ssh_patterns;
};
using namespace snort;
-static void create_matcher(SearchTool& matcher, SslPatternList* list, CnameCache& set)
+static void create_matcher(SearchTool& matcher, SslPatternList* list, CnameCache& set, unsigned& pattern_count)
{
size_t* pattern_index;
size_t size = 0;
element->dpattern->pattern_size, element->dpattern, true);
(*pattern_index)++;
}
-
+ pattern_count = size;
matcher.prep();
}
void SslPatternMatchers::finalize_patterns()
{
- create_matcher(ssl_host_matcher, cert_pattern_list, cert_pattern_set);
+ create_matcher(ssl_host_matcher, cert_pattern_list, cert_pattern_set, pattern_count);
cert_pattern_set.clear();
}
ssl_host_matcher.reload();
}
+unsigned SslPatternMatchers::get_pattern_count()
+{
+ return pattern_count;
+}
+
bool SslPatternMatchers::scan_hostname(const uint8_t* hostname, size_t size, AppId& client_id, AppId& payload_id)
{
return scan_patterns(ssl_host_matcher, hostname, size, client_id, payload_id, false);
void add_cert_pattern(uint8_t*, size_t, uint8_t, AppId, bool);
void finalize_patterns();
void reload_patterns();
+ unsigned get_pattern_count();
bool scan_hostname(const uint8_t*, size_t, AppId&, AppId&);
bool scan_cname(const uint8_t*, size_t, AppId&, AppId&);
SslPatternList* cert_pattern_list = nullptr;
CnameCache cert_pattern_set;
snort::SearchTool ssl_host_matcher = snort::SearchTool();
+ unsigned pattern_count = 0;
};
#endif
alpn_pattern_matcher.reload();
}
+unsigned AlpnPatternMatchers::get_pattern_count()
+{
+ return alpn_load_list.size();
+}
void add_alpn_pattern(AppId, const std::string&, const std::string&);
void finalize_patterns();
void reload_patterns();
+ unsigned get_pattern_count();
const AlpnPatternList& get_alpn_load_list() const { return alpn_load_list; }
udp_patterns.reload();
}
+unsigned ServiceDiscovery::get_pattern_count()
+{
+ return tcp_pattern_count + udp_pattern_count;
+}
+
int ServiceDiscovery::add_service_port(AppIdDetector* detector, const ServiceDetectorPort& pp)
{
ServiceDetector* service = static_cast<ServiceDetector*>(detector);
void reload() override;
void finalize_service_patterns();
void reload_service_patterns();
+ unsigned get_pattern_count();
int add_service_port(AppIdDetector*, const ServiceDetectorPort&) override;
AppIdDetectorsIterator get_detector_iterator(IpProtocol);
projects / thirdparty / snort3.git / commitdiff
