From: Mike Stepanek (mstepane)
Date: Mon, 20 May 2019 17:30:52 +0000 (-0400)
Subject: Merge pull request #1607 in SNORT/snort3 from ~SMINUT/snort3:filters_xhash_peg to...
X-Git-Tag: 3.0.0-256~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17b5eab70bf107a6bb634e22706417cfeb066f99;p=thirdparty%2Fsnort3.git
Merge pull request #1607 in SNORT/snort3 from ~SMINUT/snort3:filters_xhash_peg to master
Squashed commit of the following:
commit 6182a08ddbac76285aad2bd3194282f5402075da
Author: Silviu Minut
Date: Wed May 15 09:40:34 2019 -0400
filters: add peg count for when the thd_runtime XHash table gets full.
---
diff --git a/src/filters/sfrf.cc b/src/filters/sfrf.cc
index 62a469ab9..522003823 100644
--- a/src/filters/sfrf.cc
+++ b/src/filters/sfrf.cc
@@ -47,6 +47,9 @@ using namespace snort;
 #define SFRF_NO_REVERT_LIMIT 1000
 // private data ...
+
+THREAD_LOCAL RateFilterStats rate_filter_stats;
+
 /* Key to find tracking nodes in trackingHash. */
 PADDING_GUARD_BEGIN
@@ -793,7 +796,14 @@ static tSFRFTrackingNode* _getSFRFTrackingNode(const snort::SfIp* ip, unsigned t
 * Check for any Permanent sid objects for this gid or add this one ... */
 XHashNode* hnode = xhash_get_node(rf_hash, (void*)&key);
- if ( hnode && hnode->data )
+ if ( !hnode )
+ {
+ // xhash_get_node fails to insert only if rf_hash is full.
+ rate_filter_stats.xhash_nomem_peg++;
+ return dynNode;
+ }
+
+ if ( hnode->data )
 {
 dynNode = (tSFRFTrackingNode*)hnode->data;
diff --git a/src/filters/sfrf.h b/src/filters/sfrf.h
index eb3c6014b..5c8c79fcc 100644
--- a/src/filters/sfrf.h
+++ b/src/filters/sfrf.h
@@ -27,6 +27,7 @@
 #include
 #include "actions/actions.h"
+#include "framework/counts.h"
 #include "main/policy.h"
 namespace snort
@@ -145,6 +146,11 @@ struct RateFilterConfig
 int internal_event_mask;
 };
+struct RateFilterStats
+{
+ PegCount xhash_nomem_peg = 0;
+};
+
 /* * Prototypes */
diff --git a/src/filters/sfthd.cc b/src/filters/sfthd.cc
index 2479e9e23..ba519086b 100644
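Review bot: In the second sfrf.cc hunk, the new `if ( !hnode )` branch returns `dynNode`, whose initial value is set outside the hunk, so a reader cannot tell from these lines what the caller receives when the table is full; `return nullptr;` would say it directly if that is the intent. The branch also appears to mean that a source which cannot get a tracking node is not rate-filtered at all, and the comment should record that, e.g. `// table full: this source is not tracked, so no rate_filter action is applied to it`. Because the new counter is the only signal of that state, a non-zero `no_memory` peg deserves an operator's attention rather than being read as a benign statistic. The body of `_getSFRFTrackingNode` starts and ends outside the hunk.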
--- a/src/filters/sfthd.cc
+++ b/src/filters/sfthd.cc
@@ -37,6 +37,7 @@
 #include "hash/ghash.h"
 #include "hash/xhash.h"
+#include "main/thread.h"
 #include "sfip/sf_ipvar.h"
 #include "utils/dyn_array.h"
 #include "utils/sflsq.h"
@@ -47,6 +48,8 @@ using namespace snort;
 // Debug Printing
 //#define THD_DEBUG
+THREAD_LOCAL EventFilterStats event_filter_stats;
+
 XHash* sfthd_new_hash(unsigned nbytes, size_t key, size_t data)
 {
 size_t size = key + data;
@@ -910,6 +913,11 @@ int sfthd_test_local(
 /* Increment the event count */
 sfthd_ip_node->count++;
 }
+ else if (status == XHASH_NOMEM)
+ {
+ event_filter_stats.xhash_nomem_peg_local++;
+ return 1;
+ }
 else if (status != XHASH_OK)
 {
 /* hash error */
@@ -1003,6 +1011,11 @@ static inline int sfthd_test_global(
 /* Increment the event count */
 sfthd_ip_node->count++;
 }
+ else if (status == XHASH_NOMEM)
+ {
+ event_filter_stats.xhash_nomem_peg_global++;
+ return 1;
+ }
 else if (status != XHASH_OK)
 {
 /* hash error */
diff --git a/src/filters/sfthd.h b/src/filters/sfthd.h
index 07fdb3801..78b08791a 100644
--- a/src/filters/sfthd.h
+++ b/src/filters/sfthd.h
@@ -23,6 +23,7 @@
 #ifndef SFTHD_H
 #define SFTHD_H
+#include "framework/counts.h"
 #include "main/policy.h"
 #include "sfip/sf_ip.h"
 #include "utils/cpp_macros.h"
@@ -208,6 +209,12 @@ struct ThresholdObjects
 PolicyId numPoliciesAllocated;
 };
+struct EventFilterStats
+{
+ PegCount xhash_nomem_peg_local = 0;
+ PegCount xhash_nomem_peg_global = 0;
+};
+
 /* * Prototypes */
diff --git a/src/main/modules.cc b/src/main/modules.cc
index 3abaa0886..fed81a21e 100644
--- a/src/main/modules.cc
+++ b/src/main/modules.cc
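Review bot: The new `XHASH_NOMEM` branch in `sfthd_test_local` ends in a bare `return 1;` with no comment saying whether that value lets the event through or suppresses it. The meaning of the return code is defined outside this hunk, and it decides whether a full threshold table makes the event filter fail open or fail closed. A comment on that line stating the outcome for the event and that the address is left untracked would make the choice reviewable. The identical branch added to `sfthd_test_global` in the next hunk needs the same comment; both function bodies continue outside their hunks.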
@@ -1555,6 +1555,14 @@ static const Parameter event_filter_params[] =
 #define event_filter_help \
 "configure thresholding of events"
+extern THREAD_LOCAL EventFilterStats event_filter_stats; // in sfthd.cc
+const PegInfo event_filter_peg_names[] =
+{
+ { CountType::SUM, "no_memory_local", "number of times event filter ran out of local memory" },
+ { CountType::SUM, "no_memory_global", "number of times event filter ran out of global memory" },
+ { CountType::END, nullptr, nullptr }
+};
+
 class EventFilterModule : public Module
 {
 public:
@@ -1564,6 +1572,16 @@ public:
 bool begin(const char*, int, SnortConfig*) override;
 bool end(const char*, int, SnortConfig*) override;
+ const PegInfo* get_pegs() const override
+ {
+ return event_filter_peg_names;
+ }
+
+ PegCount* get_counts() const override
+ {
+ return (PegCount*)&event_filter_stats;
+ }
+
 Usage get_usage() const override { return CONTEXT; }
@@ -1657,6 +1675,14 @@ static const Parameter rate_filter_params[] =
 #define rate_filter_help \
 "configure rate filters (which change rule actions)"
+extern THREAD_LOCAL RateFilterStats rate_filter_stats;
+const PegInfo rate_filter_peg_names[] =
+{
+ { CountType::SUM, "no_memory", "number of times rate filter ran out of memory" },
+ { CountType::END, nullptr, nullptr }
+};
+
+
 class RateFilterModule : public Module
 {
 public:
@@ -1667,6 +1693,16 @@ public:
 bool begin(const char*, int, SnortConfig*) override;
 bool end(const char*, int, SnortConfig*) override;
+ const PegInfo* get_pegs() const override
+ {
+ return rate_filter_peg_names;
+ }
+
+ PegCount* get_counts() const override
+ {
+ return (PegCount*)&rate_filter_stats;
+ }
+
 Usage get_usage() const override { return DETECT; }
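Review bot: The `extern THREAD_LOCAL EventFilterStats event_filter_stats;` declaration in the first modules.cc hunk is written by hand in the .cc file instead of living in sfthd.h next to the struct. If the definition in sfthd.cc ever changes type or storage class, the compiler will not see the mismatch. Moving the declaration into the header (with whatever include `THREAD_LOCAL` needs there) keeps the two in step. The table would also read more consistently as `static const PegInfo event_filter_peg_names[] =`, matching the `static const Parameter event_filter_params[]` named in the hunk header. Both points apply equally to `rate_filter_stats` and `rate_filter_peg_names` in the third hunk, where the "// in sfrf.cc" hint is missing as well.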
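Review bot: In the second modules.cc hunk, `get_counts()` returns `(PegCount*)&event_filter_stats`, which is only sound while `EventFilterStats` holds nothing but `PegCount` members, in the same number and order as the entries of `event_filter_peg_names`; nothing enforces that. If the framework walks the counts by the length of the peg table, as the `CountType::END` terminator suggests, a later mismatch would read past the thread-local struct or report counters under the wrong name. A check beside the table, `static_assert(sizeof(EventFilterStats) == 2 * sizeof(PegCount), "event_filter pegs out of sync with EventFilterStats");`, turns that into a build error. The C-style cast is clearer as `reinterpret_cast<PegCount*>(&event_filter_stats)`. The same applies to `RateFilterModule::get_counts()` in the last hunk, with one counter.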