From: Jason Ish
Date: Fri, 24 May 2024 21:57:08 +0000 (-0600)
Subject: lua: add logging and counter for instruction limit being exceeded
X-Git-Tag: suricata-8.0.0-beta1~1251
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a1cba72f07cb48d5800a1a9aaca214227384686;p=thirdparty%2Fsuricata.git

lua: add logging and counter for instruction limit being exceeded
---

diff --git a/etc/schema.json b/etc/schema.json
index 25bf6ad26f..7c0e9afcef 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -5244,6 +5244,10 @@
 "description": "Counter for Lua scripts failing due to blocked functions being called",
 "type": "integer"
 },
+ "instruction_limit_errors": {
+ "description": "Count of Lua rules exceeding the instruction limit",
+ "type": "integer"
+ },
 "errors": {
 "description": "Errors encountered while running Lua scripts",
 "type": "integer"
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 19effcbbae..b5b36703a3 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -3339,6 +3339,10 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
 det_ctx->lua_blocked_function_errors = StatsRegisterCounter("detect.lua.blocked_function_errors", tv);
+ /* Register a counter for Lua instruction limit errors. */
+ det_ctx->lua_instruction_limit_errors =
+ StatsRegisterCounter("detect.lua.instruction_limit_errors", tv);
+
 #ifdef PROFILING
 det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
 det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
diff --git a/src/detect-lua.c b/src/detect-lua.c
index 47cf142871..8f6907814e 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
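Review bot: The description on the new `instruction_limit_errors` entry says it counts rules, but the counter it documents appears to be incremented on every failing script run (the StatsIncr in the detect-lua.c hunk sits in the per-run error path), so a single rule evaluated against many packets can raise it many times. The sibling entry directly above describes itself per script rather than per rule, and operators building alerts on this stat will read "rules" as a distinct-rule count. Suggest `"description": "Count of Lua script executions exceeding the instruction limit"` so the unit matches what is actually counted.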
@@ -124,6 +124,7 @@ void DetectLuaRegister(void)
 #define FLAG_DATATYPE_BUFFER BIT_U32(22)
 #define FLAG_ERROR_LOGGED BIT_U32(23)
 #define FLAG_BLOCKED_FUNCTION_LOGGED BIT_U32(24)
+#define FLAG_INSTRUCTION_LIMIT_LOGGED BIT_U32(25)
 #define DEFAULT_LUA_ALLOC_LIMIT 500000
 #define DEFAULT_LUA_INSTRUCTION_LIMIT 500000
@@ -181,6 +182,9 @@ static int DetectLuaRunMatch(
 if (context->blocked_function_error) {
 StatsIncr(det_ctx->tv, det_ctx->lua_blocked_function_errors);
 flag = FLAG_BLOCKED_FUNCTION_LOGGED;
+ } else if (context->instruction_count_error) {
+ StatsIncr(det_ctx->tv, det_ctx->lua_instruction_limit_errors);
+ flag = FLAG_INSTRUCTION_LIMIT_LOGGED;
 } else {
 flag = FLAG_ERROR_LOGGED;
 }
diff --git a/src/detect.h b/src/detect.h
index 6ce0ec8883..49570b7317 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1242,6 +1242,9 @@ typedef struct DetectEngineThreadCtx_ {
 /** stats id for lua blocked function counts */
 uint16_t lua_blocked_function_errors;
+ /** stats if for lua instruction limit errors */
+ uint16_t lua_instruction_limit_errors;
+
 #ifdef DEBUG
 uint64_t pkt_stream_add_cnt;
 uint64_t payload_mpm_cnt;
diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c
index bd59dc95d0..c13fdaf5dd 100644
--- a/src/util-lua-sandbox.c
+++ b/src/util-lua-sandbox.c
@@ -346,8 +346,8 @@ static void HookFunc(lua_State *L, lua_Debug *ar)
 sb->instruction_count += sb->hook_instruction_count;
 if (sb->instruction_limit > 0 && sb->instruction_count > sb->instruction_limit) {
- // TODO: do we care enough for a full traceback here?
- luaL_error(L, "Instruction limit exceeded");
+ sb->instruction_count_error = true;
+ luaL_error(L, "instruction limit exceeded");
 }
 }
@@ -359,6 +359,7 @@ void SCLuaSbResetInstructionCounter(lua_State *L)
 SCLuaSbState *sb = SCLuaSbGetContext(L);
 if (sb != NULL) {
 sb->blocked_function_error = false;
+ sb->instruction_count_error = false;
 sb->instruction_count = 0;
 lua_sethook(L, HookFunc, LUA_MASKCOUNT, sb->hook_instruction_count);
 }
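Review bot: The new `else if (context->instruction_count_error)` classifies the failure correctly only if that flag was cleared before this run; the only clearing path visible in the commit is SCLuaSbResetInstructionCounter(), so a run that reaches this point without passing through it would carry a stale flag from an earlier execution and be counted and logged as an instruction-limit error instead of a plain script error. Worth confirming that every call path into DetectLuaRunMatch resets the sandbox state first, or clearing both error flags immediately before the pcall. The two flags are also tested in a fixed order, so if both could ever be set in one run the blocked-function counter would win silently; a one-line comment such as `/* at most one sandbox error flag is expected per run; checked in priority order */` would make that assumption explicit. DetectLuaRunMatch starts and ends outside the hunk.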
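Review bot: The new doc comment on `lua_instruction_limit_errors` has a typo: `/** stats if for lua instruction limit errors */` should read `/** stats id for lua instruction limit errors */`, matching the sibling comment on `lua_blocked_function_errors` directly above it. The enclosing struct DetectEngineThreadCtx_ begins and ends outside the hunk.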
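Review bot: Changing the error text from `Instruction limit exceeded` to `instruction limit exceeded` alters a user-visible log string, so any log-based alerting, dashboard filter or test that matched on the old capitalisation will stop matching; either keep the old text or call the change out in the commit message. Setting `sb->instruction_count_error = true;` before `luaL_error()` is the right order since luaL_error does not return, but that ordering is load-bearing and deserves a comment, e.g. `/* record the cause before luaL_error unwinds; the caller reads it to classify the failure */`. HookFunc starts outside the hunk.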
diff --git a/src/util-lua-sandbox.h b/src/util-lua-sandbox.h
index 6551016738..f166049330 100644
--- a/src/util-lua-sandbox.h
+++ b/src/util-lua-sandbox.h
@@ -51,6 +51,7 @@ typedef struct SCLuaSbState {
 /* Errors. */
 bool blocked_function_error;
+ bool instruction_count_error;
 } SCLuaSbState;
 /*
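Review bot: The new `instruction_count_error` field is undocumented, and its lifecycle is not obvious from the declaration: per the util-lua-sandbox.c hunks it is set by the instruction-count hook immediately before luaL_error() unwinds and is only cleared by SCLuaSbResetInstructionCounter(), so it stays set across runs unless the caller resets. Suggest `/** Set by the count hook when instruction_limit is exceeded; sticky until SCLuaSbResetInstructionCounter(). */` above the field, and the same kind of note on the existing `blocked_function_error` if it is likewise sticky.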