From: Juliana Fajardini Date: Wed, 22 Mar 2023 15:04:58 +0000 (-0300) Subject: stream/tcp: add ssnmemcap exception policy counter X-Git-Tag: suricata-8.0.0-beta1~1509 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2dee3772bf60d6cc659a66eb1a9483539ac8b4f6;p=thirdparty%2Fsuricata.git stream/tcp: add ssnmemcap exception policy counter Add stats counters for exception policies applied in case a stream session memcap is hit. Task #5816 --- diff --git a/etc/schema.json b/etc/schema.json index 4c852ec9b3..41eae16303 100644 --- a/etc/schema.json +++ b/etc/schema.json @@ -5397,6 +5397,11 @@ "ssn_memcap_drop": { "type": "integer" }, + "ssn_memcap_exception_policy": { + "description": + "How many times session memcap exception policy was applied, and which one", + "$ref": "#/$defs/exceptionPolicy" + }, "stream_depth_reached": { "type": "integer" }, diff --git a/src/stream-tcp.c b/src/stream-tcp.c index b774231618..8efbd1c97c 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c @@ -90,6 +90,32 @@ #define STREAMTCP_DEFAULT_MAX_SYN_QUEUED 10 #define STREAMTCP_DEFAULT_MAX_SYNACK_QUEUED 5 +/* Settings order as in the enum */ +// clang-format off +ExceptionPolicyStatsSetts stream_memcap_eps_stats = { + .valid_settings_ids = { + /* EXCEPTION_POLICY_NOT_SET */ false, + /* EXCEPTION_POLICY_AUTO */ false, + /* EXCEPTION_POLICY_PASS_PACKET */ true, + /* EXCEPTION_POLICY_PASS_FLOW */ true, + /* EXCEPTION_POLICY_BYPASS_FLOW */ true, + /* EXCEPTION_POLICY_DROP_PACKET */ false, + /* EXCEPTION_POLICY_DROP_FLOW */ false, + /* EXCEPTION_POLICY_REJECT */ true, + }, + .valid_settings_ips = { + /* EXCEPTION_POLICY_NOT_SET */ false, + /* EXCEPTION_POLICY_AUTO */ false, + /* EXCEPTION_POLICY_PASS_PACKET */ true, + /* EXCEPTION_POLICY_PASS_FLOW */ true, + /* EXCEPTION_POLICY_BYPASS_FLOW */ true, + /* EXCEPTION_POLICY_DROP_PACKET */ true, + /* EXCEPTION_POLICY_DROP_FLOW */ true, + /* EXCEPTION_POLICY_REJECT */ true, + }, +}; +// clang-format on + static int StreamTcpHandleFin(ThreadVars *tv, StreamTcpThread *, TcpSession *, Packet *); void StreamTcpReturnStreamSegments (TcpStream *); void StreamTcpInitConfig(bool); @@ -702,6 +728,23 @@ void StreamTcpFreeConfig(bool quiet) SCLogDebug("ssn_pool_cnt %"PRIu64"", ssn_pool_cnt); } +static bool IsStreamTcpSessionMemcapExceptionPolicyStatsValid(enum ExceptionPolicy policy) +{ + if (EngineModeIsIPS()) { + return stream_memcap_eps_stats.valid_settings_ips[policy]; + } + return stream_memcap_eps_stats.valid_settings_ids[policy]; +} + +static void StreamTcpSsnMemcapExceptionPolicyStatsIncr( + ThreadVars *tv, StreamTcpThread *stt, enum ExceptionPolicy policy) +{ + const uint16_t id = stt->counter_tcp_ssn_memcap_eps.eps_id[policy]; + if (likely(tv && id > 0)) { + StatsIncr(tv, id); + } +} + /** \internal * \brief The function is used to fetch a TCP session from the * ssn_pool, when a TCP SYN is received. @@ -741,6 +784,7 @@ static TcpSession *StreamTcpNewSession(ThreadVars *tv, StreamTcpThread *stt, Pac g_eps_stream_ssn_memcap == t_pcapcnt))) { SCLogNotice("simulating memcap reached condition for packet %" PRIu64, t_pcapcnt); ExceptionPolicyApply(p, stream_config.ssn_memcap_policy, PKT_DROP_REASON_STREAM_MEMCAP); + StreamTcpSsnMemcapExceptionPolicyStatsIncr(tv, stt, stream_config.ssn_memcap_policy); return NULL; } #endif @@ -748,6 +792,7 @@ static TcpSession *StreamTcpNewSession(ThreadVars *tv, StreamTcpThread *stt, Pac if (ssn == NULL) { SCLogDebug("ssn_pool is empty"); ExceptionPolicyApply(p, stream_config.ssn_memcap_policy, PKT_DROP_REASON_STREAM_MEMCAP); + StreamTcpSsnMemcapExceptionPolicyStatsIncr(tv, stt, stream_config.ssn_memcap_policy); return NULL; } @@ -5763,6 +5808,10 @@ TmEcode StreamTcpThreadInit(ThreadVars *tv, void *initdata, void **data) stt->counter_tcp_ssn_memcap = StatsRegisterCounter("tcp.ssn_memcap_drop", tv); stt->counter_tcp_ssn_from_cache = StatsRegisterCounter("tcp.ssn_from_cache", tv); stt->counter_tcp_ssn_from_pool = StatsRegisterCounter("tcp.ssn_from_pool", tv); + ExceptionPolicySetStatsCounters(tv, &stt->counter_tcp_ssn_memcap_eps, &stream_memcap_eps_stats, + stream_config.ssn_memcap_policy, "tcp.ssn_memcap_exception_policy.", + IsStreamTcpSessionMemcapExceptionPolicyStatsValid); + stt->counter_tcp_pseudo = StatsRegisterCounter("tcp.pseudo", tv); stt->counter_tcp_pseudo_failed = StatsRegisterCounter("tcp.pseudo_failed", tv); stt->counter_tcp_invalid_checksum = StatsRegisterCounter("tcp.invalid_checksum", tv); diff --git a/src/stream-tcp.h b/src/stream-tcp.h index 42e76a7a00..8bdb4f7a3a 100644 --- a/src/stream-tcp.h +++ b/src/stream-tcp.h @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2022 Open Information Security Foundation +/* Copyright (C) 2007-2024 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -30,6 +30,7 @@ #include "stream.h" #include "stream-tcp-reassemble.h" #include "suricata.h" +#include "util-exception-policy-types.h" #define STREAM_VERBOSE false /* Flag to indicate that the checksum validation for the stream engine @@ -85,6 +86,8 @@ typedef struct StreamTcpThread_ { uint16_t counter_tcp_ssn_memcap; uint16_t counter_tcp_ssn_from_cache; uint16_t counter_tcp_ssn_from_pool; + /** exception policy */ + ExceptionPolicyCounters counter_tcp_ssn_memcap_eps; /** pseudo packets processed */ uint16_t counter_tcp_pseudo; /** pseudo packets failed to setup */