From: Juliana Fajardini Date: Wed, 20 Apr 2022 16:49:31 +0000 (-0300) Subject: detect/stats: log out total of suppressed alerts X-Git-Tag: suricata-6.0.6~111 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ca01f50031365cb60536887fcf615eb5109d358;p=thirdparty%2Fsuricata.git detect/stats: log out total of suppressed alerts Related to Task #4943 Task #5179 (cherry picked from commit 877b32c1e42c6edde3fa5f6ab73293e0a4ad27c3)
---
diff --git a/src/decode.h b/src/decode.h
index f44aac4232..3a433ca5c5 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -298,6 +298,7 @@ extern uint16_t packet_alert_max;
 typedef struct PacketAlerts_ {
 uint16_t cnt;
 uint16_t discarded;
+ uint16_t suppressed;
 PacketAlert *alerts;
 /* single pa used when we're dropping,
 * so we can log it out in the drop log. */
@@ -824,6 +825,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
 (p)->pktlen = 0; \
 (p)->alerts.cnt = 0; \
 (p)->alerts.discarded = 0; \
+ (p)->alerts.suppressed = 0; \
 (p)->alerts.drop.action = 0; \
 (p)->pcap_cnt = 0; \
 (p)->tunnel_rtv_cnt = 0; \
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index ede6ffd0d0..9c5a25506f 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -368,7 +368,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 /* Thresholding removes this alert */
 if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
 /* we will not copy this to the AlertQueue */
- p->alerts.discarded++;
+ p->alerts.suppressed++;
 } else if (p->alerts.cnt < packet_alert_max) {
 p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
 SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
diff --git a/src/detect-engine.c b/src/detect-engine.c
index a58b2e1ccd..b7b2ed9ef1 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
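Review bot: The meaning of the existing `discarded` field, and of the `detect.alert_queue_overflow` stat it feeds, changes in the detect-engine-alert.c hunk: thresholded matches and SIG_FLAG_NOALERT matches used to be counted in `discarded` and now go to `suppressed`, so the overflow counter will drop on upgrade, and nothing in the commit says so. The comment above the branch, `/* Thresholding removes this alert */`, no longer describes what the branch counts; I would change it to `/* thresholded or noalert: the match is suppressed, never queued, and is counted apart from queue overflow */` and note the changed meaning of `detect.alert_queue_overflow` in the upgrade notes. Whether `discarded` is still incremented in a later `else` branch once `packet_alert_max` is reached cannot be seen here, as the body of PacketAlertFinalize continues outside the hunk.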
@@ -2876,6 +2876,7 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
 /** alert counter setup */
 det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
 det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
+ det_ctx->counter_alerts_suppressed = StatsRegisterCounter("detect.alerts_suppressed", tv);
 #ifdef PROFILING
 det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
 det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
diff --git a/src/detect.c b/src/detect.c
index 98598073d7..7b2ffaaedb 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -822,6 +822,7 @@ static DetectRunScratchpad DetectRunSetup(
 #ifdef UNITTESTS
 p->alerts.cnt = 0;
 p->alerts.discarded = 0;
+ p->alerts.suppressed = 0;
 #endif
 det_ctx->ticker++;
 det_ctx->filestore_cnt = 0;
@@ -934,6 +935,9 @@ static inline void DetectRunPostRules(
 if (p->alerts.discarded > 0) {
 StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
 }
+ if (p->alerts.suppressed > 0) {
+ StatsAddUI64(tv, det_ctx->counter_alerts_suppressed, (uint64_t)p->alerts.suppressed);
+ }
 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
 }
diff --git a/src/detect.h b/src/detect.h
index d010f83d10..41c69e5e73 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1053,8 +1053,10 @@ typedef struct DetectEngineThreadCtx_ {
 /** id for alert counter */
 uint16_t counter_alerts;
- /** id for discarded alerts counter**/
+ /** id for discarded alerts counter */
 uint16_t counter_alerts_overflow;
+ /** id for suppressed alerts counter */
+ uint16_t counter_alerts_suppressed;
 #ifdef PROFILING
 uint16_t counter_mpm_list;
 uint16_t counter_nonmpm_list;
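Review bot: The new stat name `detect.alerts_suppressed` in the detect-engine.c hunk uses the plural where the two counters registered on the lines just above it, `detect.alert` and `detect.alert_queue_overflow`, use the singular, and a stat name becomes an external interface as soon as operators build dashboards or alerting on it, so it is cheapest to settle before release. If the plural is not deliberate, `det_ctx->counter_alerts_suppressed = StatsRegisterCounter("detect.alert_suppressed", tv);` keeps it in line with its neighbours; if it is deliberate, a sentence in the commit description would save the next reader the question. Either way the new counter should be added to whatever documentation lists the `detect.*` stats so that its relation to the overflow counter is written down. The body of DetectEngineThreadCtxInit continues outside the hunk.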
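Review bot: The new field comment in the detect.h hunk, `/** id for suppressed alerts counter */`, does not say what separates a suppressed alert from the discarded alert counted by `counter_alerts_overflow` directly above it, and the two names alone do not make that clear. From the detect-engine-alert.c hunk, a suppressed match is one removed by thresholding or carrying SIG_FLAG_NOALERT, while an overflow is a match that could not be queued once `packet_alert_max` was reached, so I would write `/** id for suppressed alerts counter: matches dropped by thresholding or noalert, never queued */` and tighten the line above to `/** id for alerts discarded because the per-packet alert queue was full */`. The DetectEngineThreadCtx_ struct begins and ends outside the hunk.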