From: Juliana Fajardini
Date: Tue, 5 Apr 2022 19:54:29 +0000 (-0300)
Subject: detect/stats: log out total of discarded alerts
X-Git-Tag: suricata-6.0.6~112
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04eefa5ab8008c06c8c19e56b06774d07bab91c7;p=thirdparty%2Fsuricata.git

detect/stats: log out total of discarded alerts

Add a counter to our stats log with the total of alerts that have been discarded due to packet alert queue overflow.

Task #5179

(cherry picked from commit 8616c90fe7573815137a1dbc7fdfeded95f2b38f)
---

diff --git a/src/decode.h b/src/decode.h
index 2506a1d4b8..f44aac4232 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -297,6 +297,7 @@ extern uint16_t packet_alert_max;
 typedef struct PacketAlerts_ {
 uint16_t cnt;
+ uint16_t discarded;
 PacketAlert *alerts;
 /* single pa used when we're dropping,
 * so we can log it out in the drop log. */
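Review bot: The new `uint16_t discarded;` field in PacketAlerts_ carries no comment saying what is tallied in it, while its name is broader than the stat it feeds (`detect.alert_queue_overflow`, registered in the detect-engine.c hunk). Suggest a Doxygen line above it such as `/** alerts that matched but were not stored in alerts[]; flushed into detect.alert_queue_overflow */`, so the next reader does not have to trace the increments in detect-engine-alert.c to learn its meaning. The struct continues past this hunk.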
@@ -768,72 +769,74 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
 /**
 * \brief Recycle a packet structure for reuse.
 */
-#define PACKET_REINIT(p) do { \
- CLEAR_ADDR(&(p)->src); \
- CLEAR_ADDR(&(p)->dst); \
- (p)->sp = 0; \
- (p)->dp = 0; \
- (p)->proto = 0; \
- (p)->recursion_level = 0; \
- PACKET_FREE_EXTDATA((p)); \
- (p)->flags = (p)->flags & PKT_ALLOC; \
- (p)->flowflags = 0; \
- (p)->pkt_src = 0; \
- (p)->vlan_id[0] = 0; \
- (p)->vlan_id[1] = 0; \
- (p)->vlan_idx = 0; \
- (p)->ts.tv_sec = 0; \
- (p)->ts.tv_usec = 0; \
- (p)->datalink = 0; \
- (p)->action = 0; \
- if ((p)->pktvar != NULL) { \
- PktVarFree((p)->pktvar); \
- (p)->pktvar = NULL; \
- } \
- (p)->ethh = NULL; \
- if ((p)->ip4h != NULL) { \
- CLEAR_IPV4_PACKET((p)); \
- } \
- if ((p)->ip6h != NULL) { \
- CLEAR_IPV6_PACKET((p)); \
- } \
- if ((p)->tcph != NULL) { \
- CLEAR_TCP_PACKET((p)); \
- } \
- if ((p)->udph != NULL) { \
- CLEAR_UDP_PACKET((p)); \
- } \
- if ((p)->sctph != NULL) { \
- CLEAR_SCTP_PACKET((p)); \
- } \
- if ((p)->icmpv4h != NULL) { \
- CLEAR_ICMPV4_PACKET((p)); \
- } \
- if ((p)->icmpv6h != NULL) { \
- CLEAR_ICMPV6_PACKET((p)); \
- } \
- (p)->ppph = NULL; \
- (p)->pppoesh = NULL; \
- (p)->pppoedh = NULL; \
- (p)->greh = NULL; \
- (p)->payload = NULL; \
- (p)->payload_len = 0; \
- (p)->BypassPacketsFlow = NULL; \
- (p)->pktlen = 0; \
- (p)->alerts.cnt = 0; \
- (p)->alerts.drop.action = 0; \
- (p)->pcap_cnt = 0; \
- (p)->tunnel_rtv_cnt = 0; \
- (p)->tunnel_tpr_cnt = 0; \
- (p)->events.cnt = 0; \
- AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
- (p)->next = NULL; \
- (p)->prev = NULL; \
- (p)->root = NULL; \
- (p)->livedev = NULL; \
- PACKET_RESET_CHECKSUMS((p)); \
- PACKET_PROFILING_RESET((p)); \
- p->tenant_id = 0; \
+#define PACKET_REINIT(p) \
+ do { \
+ CLEAR_ADDR(&(p)->src); \
+ CLEAR_ADDR(&(p)->dst); \
+ (p)->sp = 0; \
+ (p)->dp = 0; \
+ (p)->proto = 0; \
+ (p)->recursion_level = 0; \
+ PACKET_FREE_EXTDATA((p)); \
+ (p)->flags = (p)->flags & PKT_ALLOC; \
+ (p)->flowflags = 0; \
+ (p)->pkt_src = 0; \
+ (p)->vlan_id[0] = 0; \
+ (p)->vlan_id[1] = 0; \
+ (p)->vlan_idx = 0; \
+ (p)->ts.tv_sec = 0; \
+ (p)->ts.tv_usec = 0; \
+ (p)->datalink = 0; \
+ (p)->action = 0; \
+ if ((p)->pktvar != NULL) { \
+ PktVarFree((p)->pktvar); \
+ (p)->pktvar = NULL; \
+ } \
+ (p)->ethh = NULL; \
+ if ((p)->ip4h != NULL) { \
+ CLEAR_IPV4_PACKET((p)); \
+ } \
+ if ((p)->ip6h != NULL) { \
+ CLEAR_IPV6_PACKET((p)); \
+ } \
+ if ((p)->tcph != NULL) { \
+ CLEAR_TCP_PACKET((p)); \
+ } \
+ if ((p)->udph != NULL) { \
+ CLEAR_UDP_PACKET((p)); \
+ } \
+ if ((p)->sctph != NULL) { \
+ CLEAR_SCTP_PACKET((p)); \
+ } \
+ if ((p)->icmpv4h != NULL) { \
+ CLEAR_ICMPV4_PACKET((p)); \
+ } \
+ if ((p)->icmpv6h != NULL) { \
+ CLEAR_ICMPV6_PACKET((p)); \
+ } \
+ (p)->ppph = NULL; \
+ (p)->pppoesh = NULL; \
+ (p)->pppoedh = NULL; \
+ (p)->greh = NULL; \
+ (p)->payload = NULL; \
+ (p)->payload_len = 0; \
+ (p)->BypassPacketsFlow = NULL; \
+ (p)->pktlen = 0; \
+ (p)->alerts.cnt = 0; \
+ (p)->alerts.discarded = 0; \
+ (p)->alerts.drop.action = 0; \
+ (p)->pcap_cnt = 0; \
+ (p)->tunnel_rtv_cnt = 0; \
+ (p)->tunnel_tpr_cnt = 0; \
+ (p)->events.cnt = 0; \
+ AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
+ (p)->next = NULL; \
+ (p)->prev = NULL; \
+ (p)->root = NULL; \
+ (p)->livedev = NULL; \
+ PACKET_RESET_CHECKSUMS((p)); \
+ PACKET_PROFILING_RESET((p)); \
+ p->tenant_id = 0; \
 p->nb_decoded_layers = 0; \
 } while (0)
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 5d64a7fb34..ede6ffd0d0 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -266,6 +266,7 @@ void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet
 /* we must grow the alert queue */
 if (pos == AlertQueueExpand(det_ctx)) {
 /* this means we failed to expand the queue */
+ det_ctx->p->alerts.discarded++;
 return;
 }
 }
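Review bot: The only functional change in the PACKET_REINIT hunk is the one added line `(p)->alerts.discarded = 0;`, but it is buried inside a reindentation that removes and re-adds every line of the macro, which makes the new reset easy to miss in review and hides it from `git blame`; the reformat deserves its own commit. The rewritten lines also keep `p->tenant_id = 0;` without the parenthesised macro argument every other line uses, which the rewrite was the right moment to fix as `(p)->tenant_id = 0;` (the context line `p->nb_decoded_layers = 0;` has the same inconsistency). Since `discarded` is now reset here together with `cnt`, a packet that is recycled without going through PACKET_REINIT keeps its previous count; worth confirming there is no such path.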
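Review bot: `det_ctx->p->alerts.discarded++` is executed when `AlertQueueExpand` fails, i.e. when the thread's alert queue could not grow (presumably an allocation failure), which is a different failure mode from a packet exceeding `packet_alert_max`, yet both are flushed into the same `detect.alert_queue_overflow` stat; an operator cannot tell a tuning problem from a resource problem. If both are meant to share the counter, a comment at the increment should say so, e.g. `/* counted as overflow: the alert is lost either way */`. The hunk header shows AlertQueueAppend also receives a Packet argument (name truncated); if that is the same packet as det_ctx->p, incrementing through the parameter would be clearer. AlertQueueAppend starts outside this hunk.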
@@ -367,6 +368,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 /* Thresholding removes this alert */
 if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
 /* we will not copy this to the AlertQueue */
+ p->alerts.discarded++;
 } else if (p->alerts.cnt < packet_alert_max) {
 p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
 SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
@@ -377,6 +379,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 break;
 }
 p->alerts.cnt++;
+ } else {
+ p->alerts.discarded++;
 }
 i++;
 }
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 486bb9d67d..a58b2e1ccd 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2875,6 +2875,7 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
 /** alert counter setup */
 det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
+ det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
 #ifdef PROFILING
 det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
 det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
diff --git a/src/detect.c b/src/detect.c
index 127a914ec4..98598073d7 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -821,6 +821,7 @@ static DetectRunScratchpad DetectRunSetup(
 #ifdef UNITTESTS
 p->alerts.cnt = 0;
+ p->alerts.discarded = 0;
 #endif
 det_ctx->ticker++;
 det_ctx->filestore_cnt = 0;
@@ -930,6 +931,9 @@ static inline void DetectRunPostRules(
 if (p->alerts.cnt > 0) {
 StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
 }
+ if (p->alerts.discarded > 0) {
+ StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
+ }
 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
 }
diff --git a/src/detect.h b/src/detect.h
index cf61250247..d010f83d10 100644
--- a/src/detect.h
+++ b/src/detect.h
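Review bot: In the @@ -367 hunk of detect-engine-alert.c, `p->alerts.discarded++` is also executed in the `res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)` branch, i.e. for alerts removed by thresholding or by noalert signatures, so the value that detect.c @@ -930 pushes into `detect.alert_queue_overflow` (registered in detect-engine.c @@ -2875) does not measure what its name and the commit message say. An operator using that stat to decide whether `packet_alert_max` is too small would overestimate the loss, because suppressed alerts are dropped by policy, not by overflow. Only the `else` branch added in @@ -377 (reached when `p->alerts.cnt < packet_alert_max` is false) and the failed-expand path are overflows; either drop the increment from the thresholding branch or count it under a separately named stat. PacketAlertFinalize starts and ends outside these hunks.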
@@ -1053,6 +1053,8 @@ typedef struct DetectEngineThreadCtx_ {
 /** id for alert counter */
 uint16_t counter_alerts;
+ /** id for discarded alerts counter**/
+ uint16_t counter_alerts_overflow;
 #ifdef PROFILING
 uint16_t counter_mpm_list;
 uint16_t counter_nonmpm_list;
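Review bot: The new doc comment `/** id for discarded alerts counter**/` is malformed for the Doxygen style used on the neighbouring `/** id for alert counter */`: it lacks the space before the closing delimiter and doubles the asterisk. It also calls the field a "discarded alerts" counter while the field is named `counter_alerts_overflow` and is registered as `detect.alert_queue_overflow` in the detect-engine.c hunk; suggest `/** id for alert queue overflow counter */` so the comment, the field and the stat name agree. DetectEngineThreadCtx_ starts and ends outside this hunk.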