From: Lokesh Bevinamarad (lbevinam) Date: Tue, 5 Jan 2021 11:37:52 +0000 (+0000) Subject: Merge pull request #2683 in SNORT/snort3 from ~PSREENAT/snort3:http_bytes_telemetry... X-Git-Tag: 3.1.0.0~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2fbaa5842d9696d9836a53d086e6c0fed72604f9;p=thirdparty%2Fsnort3.git Merge pull request #2683 in SNORT/snort3 from ~PSREENAT/snort3:http_bytes_telemetry to master Squashed commit of the following: commit c52d4abbe0dc3a0256504ed7b66f6c22eba9af2b Author: Prajwal Srinivas Sreenath Date: Tue Dec 22 00:03:57 2020 -0500 http_inspect: added total_bytes peg to track HTTP data bytes inspected http2_inspect: added total_bytes peg to track HTTP/2 data bytes inspected --- diff --git a/src/service_inspectors/http2_inspect/http2_enum.h b/src/service_inspectors/http2_inspect/http2_enum.h index efce2e58b..64c5b8632 100644 --- a/src/service_inspectors/http2_inspect/http2_enum.h +++ b/src/service_inspectors/http2_inspect/http2_enum.h @@ -48,7 +48,8 @@ enum HTTP2_BUFFER { HTTP2_BUFFER_FRAME_HEADER = 1, HTTP2_BUFFER_FRAME_DATA, // Peg counts // This enum must remain synchronized with Http2Module::peg_names[] in http2_tables.cc enum PEG_COUNT { PEG_FLOW = 0, PEG_CONCURRENT_SESSIONS, PEG_MAX_CONCURRENT_SESSIONS, - PEG_MAX_TABLE_ENTRIES, PEG_MAX_CONCURRENT_FILES, PEG_COUNT__MAX }; + PEG_MAX_TABLE_ENTRIES, PEG_MAX_CONCURRENT_FILES, PEG_TOTAL_BYTES, + PEG_COUNT__MAX }; enum EventSid { diff --git a/src/service_inspectors/http2_inspect/http2_inspect.cc b/src/service_inspectors/http2_inspect/http2_inspect.cc index b812a80bb..088b92689 100644 --- a/src/service_inspectors/http2_inspect/http2_inspect.cc +++ b/src/service_inspectors/http2_inspect/http2_inspect.cc 
@@ -133,6 +133,9 @@ void Http2Inspect::eval(Packet* p) assert(stream); session_data->stream_in_hi = stream->get_stream_id(); + Http2Module::increment_peg_counts(PEG_TOTAL_BYTES, (uint64_t)(FRAME_HEADER_LENGTH) + + session_data->frame_data_size[source_id]); + uint8_t* const frame_header_copy = new uint8_t[FRAME_HEADER_LENGTH]; memcpy(frame_header_copy, session_data->lead_frame_header[source_id], FRAME_HEADER_LENGTH); stream->eval_frame(frame_header_copy, FRAME_HEADER_LENGTH, diff --git a/src/service_inspectors/http2_inspect/http2_module.h b/src/service_inspectors/http2_inspect/http2_module.h index c2095c64a..2003fcd20 100644 --- a/src/service_inspectors/http2_inspect/http2_module.h +++ b/src/service_inspectors/http2_inspect/http2_module.h @@ -66,6 +66,8 @@ public: PegCount* get_counts() const override { return peg_counts; } static void increment_peg_counts(Http2Enums::PEG_COUNT counter) { peg_counts[counter]++; } + static void increment_peg_counts(Http2Enums::PEG_COUNT counter, uint64_t value) + { peg_counts[counter] += value; } static void decrement_peg_counts(Http2Enums::PEG_COUNT counter) { peg_counts[counter]--; } static PegCount get_peg_counts(Http2Enums::PEG_COUNT counter) diff --git a/src/service_inspectors/http2_inspect/http2_tables.cc b/src/service_inspectors/http2_inspect/http2_tables.cc index 05265966b..5dfd7df6c 100644 --- a/src/service_inspectors/http2_inspect/http2_tables.cc +++ b/src/service_inspectors/http2_inspect/http2_tables.cc @@ -68,6 +68,7 @@ const PegInfo Http2Module::peg_names[PEG_COUNT__MAX+1] = { CountType::MAX, "max_table_entries", "maximum entries in an HTTP/2 dynamic table" }, { CountType::MAX, "max_concurrent_files", "maximum concurrent file transfers per HTTP/2 " "connection" }, + { CountType::SUM, "total_bytes", "total HTTP/2 data bytes inspected" }, { CountType::END, nullptr, nullptr } }; diff --git a/src/service_inspectors/http_inspect/http_enum.h b/src/service_inspectors/http_inspect/http_enum.h index a5cb91cee..8dbe56f7c 100755 
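Review bot: In Http2Inspect::eval (http2_inspect.cc) the amount added to PEG_TOTAL_BYTES includes FRAME_HEADER_LENGTH, while the help text added in http2_tables.cc describes the peg as "total HTTP/2 data bytes inspected", so the counter's meaning is ambiguous for anyone comparing it with payload or wire byte counts. Either say so at the call site, e.g. `// total_bytes = lead frame header + frame_data_size for this direction`, or align the help string with what is counted. Only one header length is added per call; if frame_data_size can span more than one frame (the `lead_frame_header` name suggests it might), the header share is undercounted, which is worth confirming. The C-style cast could also be written `static_cast<uint64_t>(FRAME_HEADER_LENGTH)`. The body of eval continues outside the hunk.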
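Review bot: The two-argument increment_peg_counts overload added in http2_module.h takes `uint64_t value`, although the array it updates and the neighbouring get_peg_counts are typed `PegCount`. Declaring it as `PegCount value` keeps the signature tied to the counter type should that typedef change. The identical overload added in http_module.h has the same mismatch. A short comment such as `// adds value to the peg; counter is not range-checked and must be a valid PEG_COUNT` would record the assumption the inline body relies on.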
--- a/src/service_inspectors/http_inspect/http_enum.h +++ b/src/service_inspectors/http_inspect/http_enum.h @@ -62,7 +62,7 @@ enum PEG_COUNT { PEG_FLOW = 0, PEG_SCAN, PEG_REASSEMBLE, PEG_INSPECT, PEG_REQUES PEG_OTHER_METHOD, PEG_REQUEST_BODY, PEG_CHUNKED, PEG_URI_NORM, PEG_URI_PATH, PEG_URI_CODING, PEG_CONCURRENT_SESSIONS, PEG_MAX_CONCURRENT_SESSIONS, PEG_DETAINED, PEG_SCRIPT_DETECTION, PEG_PARTIAL_INSPECT, PEG_EXCESS_PARAMS, PEG_PARAMS, PEG_CUTOVERS, PEG_SSL_SEARCH_ABND_EARLY, - PEG_PIPELINED_FLOWS, PEG_PIPELINED_REQUESTS, PEG_COUNT_MAX }; + PEG_PIPELINED_FLOWS, PEG_PIPELINED_REQUESTS, PEG_TOTAL_BYTES, PEG_COUNT_MAX }; // Result of scanning by splitter enum ScanResult { SCAN_NOT_FOUND, SCAN_NOT_FOUND_ACCELERATE, SCAN_FOUND, SCAN_FOUND_PIECE, diff --git a/src/service_inspectors/http_inspect/http_inspect.cc b/src/service_inspectors/http_inspect/http_inspect.cc index e384cc0f0..6f4cb339e 100755 --- a/src/service_inspectors/http_inspect/http_inspect.cc +++ b/src/service_inspectors/http_inspect/http_inspect.cc @@ -442,6 +442,9 @@ void HttpInspect::eval(Packet* p) HttpFlowData* session_data = http_get_flow_data(p->flow); + if (!session_data->for_http2) + HttpModule::increment_peg_counts(PEG_TOTAL_BYTES, p->dsize); + // FIXIT-E Workaround for unexpected eval() calls. Convert to asserts when possible. if ((session_data->section_type[source_id] == SEC__NOT_COMPUTE) || (session_data->type_expected[source_id] == SEC_ABORT) || diff --git a/src/service_inspectors/http_inspect/http_module.h b/src/service_inspectors/http_inspect/http_module.h index b20ea5cdb..b9698667c 100755 --- a/src/service_inspectors/http_inspect/http_module.h +++ b/src/service_inspectors/http_inspect/http_module.h 
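Review bot: In HttpInspect::eval (http_inspect.cc) the PEG_TOTAL_BYTES increment sits above the FIXIT-E guard for unexpected eval() calls, so `p->dsize` is added even when section_type is SEC__NOT_COMPUTE or type_expected is SEC_ABORT. The guard's body is outside the hunk, but if it returns early, as the comment suggests, those bytes are reported as inspected although they never reach inspection, which overstates coverage in the telemetry. Moving `if (!session_data->for_http2) HttpModule::increment_peg_counts(PEG_TOTAL_BYTES, p->dsize);` below the guard would restrict total_bytes to data that is actually processed.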
@@ -129,6 +129,8 @@ public: PegCount* get_counts() const override { return peg_counts; } static void increment_peg_counts(HttpEnums::PEG_COUNT counter) { peg_counts[counter]++; } + static void increment_peg_counts(HttpEnums::PEG_COUNT counter, uint64_t value) + { peg_counts[counter] += value; } static void decrement_peg_counts(HttpEnums::PEG_COUNT counter) { peg_counts[counter]--; } static PegCount get_peg_counts(HttpEnums::PEG_COUNT counter) diff --git a/src/service_inspectors/http_inspect/http_tables.cc b/src/service_inspectors/http_inspect/http_tables.cc index 1ba2d16e1..4e45865fb 100755 --- a/src/service_inspectors/http_inspect/http_tables.cc +++ b/src/service_inspectors/http_inspect/http_tables.cc @@ -440,6 +440,7 @@ const PegInfo HttpModule::peg_names[PEG_COUNT_MAX+1] = { CountType::SUM, "ssl_srch_abandoned_early", "total SSL search abandoned too soon" }, { CountType::SUM, "pipelined_flows", "total HTTP connections containing pipelined requests" }, { CountType::SUM, "pipelined_requests", "total requests placed in a pipeline" }, + { CountType::SUM, "total_bytes", "total HTTP data bytes inspected" }, { CountType::END, nullptr, nullptr } };