From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Wed, 13 Jul 2022 11:47:35 +0000 (+0000) Subject: Pull request #3495: Fix clearing peg counters on sum_stats X-Git-Tag: 3.1.36.0~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71298ec86fe6e70ab4189940c8e2bc85d3f0708c;p=thirdparty%2Fsnort3.git Pull request #3495: Fix clearing peg counters on sum_stats Merge in SNORT/snort3 from ~VHORBATO/snort3:peg_count_sum to master Squashed commit of the following: commit 897cb567559ca5739e307e6531a411d68c6b831d Author: Vitalii Date: Fri Jul 1 16:54:30 2022 +0300 normalizer: make normalizer and tcp_normalizer peg counts shared commit 99ebc98d1fb649acfa052da5cf03126a4746f670 Author: Vitalii Date: Fri Jul 1 16:50:06 2022 +0300 stream: fix stats cleanup commit ce477b1c3ccc00d4d293a6e79fd15475bed7308e Author: Vitalii Date: Fri Jul 1 16:49:36 2022 +0300 dce_smb: fix stats cleanup commit 7d1e38d5a94bff506237a06fa7626c113cf5ba50 Author: Vitalii Date: Thu Jun 30 20:06:00 2022 +0300 appid: fix stats cleanup commit e0bd6f142fa2ee9e81dc8038eb4a88d5c104c357 Author: Vitalii Date: Thu Jun 30 20:05:43 2022 +0300 file_api: fix stats cleanup --- diff --git a/src/file_api/file_stats.cc b/src/file_api/file_stats.cc index 4bae25a11..4209b92a4 100644 --- a/src/file_api/file_stats.cc +++ b/src/file_api/file_stats.cc @@ -60,12 +60,13 @@ void file_stats_sum() unsigned num = sizeof(file_totals) / sizeof(PegCount); - for ( unsigned i = 0; i < num; ++i ) - { - PegCount* t = (PegCount*)&file_totals; - PegCount* s = (PegCount*)file_stats; + PegCount* t = (PegCount*)&file_totals; + PegCount* s = (PegCount*)file_stats; + + for (unsigned i = 0; i < num; ++i) t[i] += s[i]; - } + + memset(file_stats, 0, sizeof(*file_stats)); } void file_stats_clear() @@ -89,10 +90,7 @@ void file_stats_print() } if ( !check_total ) - { - memset(&file_totals,0,sizeof(file_totals)); return; - } LogLabel("File Statistics"); LogLabel("file type stats (files)"); @@ -160,7 +158,6 @@ void file_stats_print() if ( !check_total ) { - memset(&file_totals,0,sizeof(file_totals)); return; } @@ -298,6 +295,5 @@ void file_stats_print() #endif // these are global / shared by all threads FileCapture::print_mem_usage(); - memset(&file_totals,0,sizeof(file_totals)); } diff --git a/src/network_inspectors/appid/appid_peg_counts.cc b/src/network_inspectors/appid/appid_peg_counts.cc index 9413a871d..20345fd64 100644 --- a/src/network_inspectors/appid/appid_peg_counts.cc +++ b/src/network_inspectors/appid/appid_peg_counts.cc @@ -62,7 +62,7 @@ void AppIdPegCounts::cleanup_peg_info() void AppIdPegCounts::cleanup_dynamic_sum() { - for ( unsigned app_num = 0; app_num < AppIdPegCounts::appid_detectors_info.size(); app_num++ ) + for (unsigned app_num = 0; app_num < AppIdPegCounts::appid_detectors_info.size(); app_num++) { memset(appid_dynamic_sum[app_num].stats, 0, sizeof(PegCount) * DetectorPegs::NUM_APPID_DETECTOR_PEGS); @@ -97,17 +97,20 @@ void AppIdPegCounts::sum_stats() { std::lock_guard _lock(r_mutex); const unsigned peg_num = appid_peg_counts->size() ? (appid_peg_counts->size() - 1) : 0; - const AppIdDynamicPeg* ptr = (AppIdDynamicPeg*)appid_peg_counts->data(); + AppIdDynamicPeg* ptr = (AppIdDynamicPeg*)appid_peg_counts->data(); - for ( unsigned i = 0; i < peg_num; ++i ) + for (unsigned i = 0; i < peg_num; ++i) { for (unsigned j = 0; j < DetectorPegs::NUM_APPID_DETECTOR_PEGS; ++j) appid_dynamic_sum[i].stats[j] += ptr[i].stats[j]; + + ptr[i].zero_out(); } // unknown_app stats for (unsigned j = 0; j < DetectorPegs::NUM_APPID_DETECTOR_PEGS; ++j) appid_dynamic_sum[SF_APPID_MAX].stats[j] += ptr[peg_num].stats[j]; + ptr[peg_num].zero_out(); } } diff --git a/src/network_inspectors/appid/appid_peg_counts.h b/src/network_inspectors/appid/appid_peg_counts.h index 1aa1fc37a..473f5343e 100644 --- a/src/network_inspectors/appid/appid_peg_counts.h +++ b/src/network_inspectors/appid/appid_peg_counts.h @@ -81,6 +81,11 @@ public: return !memcmp(stats, &all_zeroed_peg, sizeof(stats)); } + void zero_out() + { + memcpy(stats, &all_zeroed_peg, sizeof(stats)); + } + void print(const char* app, char* buf, int buf_size) { snprintf(buf, buf_size, "%25.25s: " FMTu64("-10") " " FMTu64("-10") " " FMTu64("-10") diff --git a/src/network_inspectors/normalize/CMakeLists.txt b/src/network_inspectors/normalize/CMakeLists.txt index 6f2661a0e..bf9b5ba28 100644 --- a/src/network_inspectors/normalize/CMakeLists.txt +++ b/src/network_inspectors/normalize/CMakeLists.txt @@ -1,5 +1,7 @@ add_library( normalize OBJECT + norm_stats.cc + norm_stats.h normalize.cc normalize.h norm_module.cc diff --git a/src/network_inspectors/normalize/norm.cc b/src/network_inspectors/normalize/norm.cc index 3a2100ef6..de5d32061 100644 --- a/src/network_inspectors/normalize/norm.cc +++ b/src/network_inspectors/normalize/norm.cc @@ -22,6 +22,7 @@ #endif #include "norm.h" +#include "norm_stats.h" #include "detection/ips_context.h" #include "main/snort_config.h" @@ -35,61 +36,6 @@ using namespace snort; -enum PegCounts -{ - PC_IP4_TRIM, - PC_IP4_TOS, - PC_IP4_DF, - PC_IP4_RF, - PC_IP4_TTL, - PC_IP4_OPTS, - PC_ICMP4_ECHO, - PC_IP6_TTL, - PC_IP6_OPTS, - PC_ICMP6_ECHO, - PC_TCP_SYN_OPT, - PC_TCP_OPT, - PC_TCP_PAD, - PC_TCP_RSV, - PC_TCP_NS, - PC_TCP_URP, - PC_TCP_ECN_PKT, - PC_TCP_TS_ECR, - PC_TCP_REQ_URG, - PC_TCP_REQ_PAY, - PC_TCP_REQ_URP, - PC_MAX -}; - -const PegInfo norm_names[] = -{ - { CountType::SUM, "ip4_trim", "eth packets trimmed to datagram size" }, - { CountType::SUM, "ip4_tos", "type of service normalizations" }, - { CountType::SUM, "ip4_df", "don't frag bit normalizations" }, - { CountType::SUM, "ip4_rf", "reserved flag bit clears" }, - { CountType::SUM, "ip4_ttl", "time-to-live normalizations" }, - { CountType::SUM, "ip4_opts", "ip4 options cleared" }, - { CountType::SUM, "icmp4_echo", "icmp4 ping normalizations" }, - { CountType::SUM, "ip6_hops", "ip6 hop limit normalizations" }, - { CountType::SUM, "ip6_options", "ip6 options cleared" }, - { CountType::SUM, "icmp6_echo", "icmp6 echo normalizations" }, - { CountType::SUM, "tcp_syn_options", "SYN only options cleared from non-SYN packets" }, - { CountType::SUM, "tcp_options", "packets with options cleared" }, - { CountType::SUM, "tcp_padding", "packets with padding cleared" }, - { CountType::SUM, "tcp_reserved", "packets with reserved bits cleared" }, - { CountType::SUM, "tcp_nonce", "packets with nonce bit cleared" }, - { CountType::SUM, "tcp_urgent_ptr", "packets without data with urgent pointer cleared" }, - { CountType::SUM, "tcp_ecn_pkt", "packets with ECN bits cleared" }, - { CountType::SUM, "tcp_ts_ecr", "timestamp cleared on non-ACKs" }, - { CountType::SUM, "tcp_req_urg", "cleared urgent pointer when urgent flag is not set" }, - { CountType::SUM, "tcp_req_pay", - "cleared urgent pointer and urgent flag when there is no payload" }, - { CountType::SUM, "tcp_req_urp", "cleared the urgent flag if the urgent pointer is not set" }, - { CountType::END, nullptr, nullptr } -}; - -static THREAD_LOCAL PegCount normStats[PC_MAX+PC_TCP_MAX][NORM_MODE_MAX]; - //static int Norm_Eth(Packet*, uint8_t layer, int changes); static int Norm_IP4(NormalizerConfig*, Packet*, uint8_t layer, int changes); static int Norm_ICMP4(NormalizerConfig*, Packet*, uint8_t layer, int changes); @@ -197,7 +143,7 @@ static int Norm_IP4( p->packet_flags |= PKT_RESIZED; changes++; } - normStats[PC_IP4_TRIM][mode]++; + norm_stats[PC_IP4_TRIM][mode]++; } } if ( Norm_IsEnabled(c, NORM_IP4_TOS) ) @@ -209,7 +155,7 @@ static int Norm_IP4( h->ip_tos = 0; changes++; } - normStats[PC_IP4_TOS][mode]++; + norm_stats[PC_IP4_TOS][mode]++; } } #if 0 @@ -227,7 +173,7 @@ static int Norm_IP4( fragbits &= ~IP4_FLAG_DF; changes++; } - normStats[PC_IP4_DF][mode]++; + norm_stats[PC_IP4_DF][mode]++; } } if ( Norm_IsEnabled(c, NORM_IP4_RF) ) @@ -239,7 +185,7 @@ static int Norm_IP4( fragbits &= ~IP4_FLAG_RF; changes++; } - normStats[PC_IP4_RF][mode]++; + norm_stats[PC_IP4_RF][mode]++; } } if ( fragbits != origbits ) @@ -256,7 +202,7 @@ static int Norm_IP4( p->ptrs.decode_flags &= ~DECODE_ERR_BAD_TTL; changes++; } - normStats[PC_IP4_TTL][mode]++; + norm_stats[PC_IP4_TTL][mode]++; } } if ( p->layers[layer].length > ip::IP4_HEADER_LEN ) @@ -269,7 +215,7 @@ static int Norm_IP4( memset(opts, static_cast(ip::IPOptionCodes::NOP), len); changes++; } - normStats[PC_IP4_OPTS][mode]++; + norm_stats[PC_IP4_OPTS][mode]++; } return changes; } @@ -290,7 +236,7 @@ static int Norm_ICMP4( h->code = icmp::IcmpCode::ECHO_CODE; changes++; } - normStats[PC_ICMP4_ECHO][mode]++; + norm_stats[PC_ICMP4_ECHO][mode]++; } return changes; } @@ -315,7 +261,7 @@ static int Norm_IP6( p->ptrs.decode_flags &= ~DECODE_ERR_BAD_TTL; changes++; } - normStats[PC_IP6_TTL][mode]++; + norm_stats[PC_IP6_TTL][mode]++; } } return changes; @@ -339,7 +285,7 @@ static int Norm_ICMP6( h->code = static_cast(0); changes++; } - normStats[PC_ICMP6_ECHO][mode]++; + norm_stats[PC_ICMP6_ECHO][mode]++; } return changes; } @@ -375,7 +321,7 @@ static int Norm_IP6_Opts( changes++; } - normStats[PC_IP6_OPTS][mode]++; + norm_stats[PC_IP6_OPTS][mode]++; return changes; } @@ -430,7 +376,7 @@ static inline int Norm_TCPOptions(NormalizerConfig* config, const NormMode mode, NopDaOpt(opts+i, olen); changes++; } - normStats[PC_TCP_SYN_OPT][mode]++; + norm_stats[PC_TCP_SYN_OPT][mode]++; } break; @@ -445,7 +391,7 @@ static inline int Norm_TCPOptions(NormalizerConfig* config, const NormMode mode, memset(opts+i+TS_ECR_OFFSET, 0, TS_ECR_LENGTH); changes++; } - normStats[PC_TCP_TS_ECR][mode]++; + norm_stats[PC_TCP_TS_ECR][mode]++; } break; @@ -457,7 +403,7 @@ static inline int Norm_TCPOptions(NormalizerConfig* config, const NormMode mode, NopDaOpt(opts+i, olen); changes++; } - normStats[PC_TCP_OPT][mode]++; + norm_stats[PC_TCP_OPT][mode]++; } } i += olen; @@ -469,7 +415,7 @@ static inline int Norm_TCPOptions(NormalizerConfig* config, const NormMode mode, memset(opts+i, 0, len-i); changes++; } - normStats[PC_TCP_PAD][mode]++; + norm_stats[PC_TCP_PAD][mode]++; } return changes; } @@ -492,7 +438,7 @@ static inline int Norm_TCPPadding(NormalizerConfig*, const NormMode mode, memset(opts+i, 0, len-i); changes++; } - normStats[PC_TCP_PAD][mode]++; + norm_stats[PC_TCP_PAD][mode]++; } return changes; } @@ -512,7 +458,7 @@ static int Norm_TCP( h->th_offx2 &= ~TH_RSV; changes++; } - normStats[PC_TCP_RSV][mode]++; + norm_stats[PC_TCP_RSV][mode]++; } } if ( Norm_IsEnabled(c, NORM_TCP_ECN_PKT) ) @@ -524,7 +470,7 @@ static int Norm_TCP( h->th_flags &= ~(TH_CWR|TH_ECE); changes++; } - normStats[PC_TCP_ECN_PKT][mode]++; + norm_stats[PC_TCP_ECN_PKT][mode]++; } if ( h->th_offx2 & TH_NS ) { @@ -533,7 +479,7 @@ static int Norm_TCP( h->th_offx2 &= ~TH_NS; changes++; } - normStats[PC_TCP_NS][mode]++; + norm_stats[PC_TCP_NS][mode]++; } } if ( h->th_urp ) @@ -547,7 +493,7 @@ static int Norm_TCP( h->th_urp = 0; changes++; } - normStats[PC_TCP_REQ_URG][mode]++; + norm_stats[PC_TCP_REQ_URG][mode]++; } } else if ( !p->dsize ) @@ -560,7 +506,7 @@ static int Norm_TCP( h->th_urp = 0; changes++; } - normStats[PC_TCP_REQ_PAY][mode]++; + norm_stats[PC_TCP_REQ_PAY][mode]++; } } else if ( h->urp() > p->dsize ) @@ -572,7 +518,7 @@ static int Norm_TCP( h->set_urp(p->dsize); changes++; } - normStats[PC_TCP_URP][mode]++; + norm_stats[PC_TCP_URP][mode]++; } } } @@ -585,7 +531,7 @@ static int Norm_TCP( h->th_flags &= ~TH_URG; changes++; } - normStats[PC_TCP_REQ_URP][mode]++; + norm_stats[PC_TCP_REQ_URP][mode]++; } } @@ -614,17 +560,6 @@ static int Norm_TCP( //----------------------------------------------------------------------- -const PegInfo* Norm_GetPegs() -{ return norm_names; } - -NormPegs Norm_GetCounts(unsigned& c) -{ - c = PC_MAX; - return normStats; -} - -//----------------------------------------------------------------------- - int Norm_SetConfig(NormalizerConfig* nc) { if ( !nc->normalizer_flags ) diff --git a/src/network_inspectors/normalize/norm.h b/src/network_inspectors/normalize/norm.h index 766399d22..a9a6957be 100644 --- a/src/network_inspectors/normalize/norm.h +++ b/src/network_inspectors/normalize/norm.h @@ -34,8 +34,6 @@ struct Packet; typedef int (* NormalFunc)( // FIXIT-L why is this exposed? struct NormalizerConfig*, snort::Packet*, uint8_t layer, int changes); -extern const PegInfo norm_names[]; - struct NormalizerConfig { uint32_t normalizer_flags; @@ -90,8 +88,5 @@ inline bool Norm_TcpIsOptional(const NormalizerConfig* nc, uint8_t opt) return nc->normalizer_options[byte] & bit; } -const PegInfo* Norm_GetPegs(); -NormPegs Norm_GetCounts(unsigned&); - #endif diff --git a/src/network_inspectors/normalize/norm_module.cc b/src/network_inspectors/normalize/norm_module.cc index fd37a7f8a..a9ff2b04a 100644 --- a/src/network_inspectors/normalize/norm_module.cc +++ b/src/network_inspectors/normalize/norm_module.cc @@ -22,6 +22,7 @@ #endif #include "norm_module.h" +#include "norm_stats.h" #include "main/policy.h" #include "stream/tcp/tcp_normalizer.h" @@ -364,7 +365,7 @@ const PegInfo* NormalizeModule::get_pegs() const if ( !test_pegs.empty() ) return &test_pegs[0]; - const PegInfo* p = Norm_GetPegs(); + const PegInfo* p = &norm_names[0]; assert(p); while ( p->name ) @@ -373,35 +374,10 @@ const PegInfo* NormalizeModule::get_pegs() const test_pegs.emplace_back(*p); p++; } - - p = TcpNormalizer::get_normalization_pegs(); - assert(p); - - while ( p->name ) - { - add_test_peg(*p); - test_pegs.emplace_back(*p); - p++; - } - test_pegs.emplace_back(*p); + return &test_pegs[0]; } PegCount* NormalizeModule::get_counts() const -{ - unsigned c = 0; - NormPegs p = Norm_GetCounts(c); - - unsigned tc = 0; - NormPegs tp = TcpNormalizer::get_normalization_counts(tc); - - for ( unsigned i = 0; i < tc; ++i ) - { - p[c+i][NORM_MODE_ON] = tp[i][NORM_MODE_ON]; - p[c+i][NORM_MODE_TEST] = tp[i][NORM_MODE_TEST]; - } - - return (PegCount*)p; -} - +{ return (PegCount*)norm_stats; } diff --git a/src/network_inspectors/normalize/norm_stats.cc b/src/network_inspectors/normalize/norm_stats.cc new file mode 100644 index 000000000..54dc179ca --- /dev/null +++ b/src/network_inspectors/normalize/norm_stats.cc @@ -0,0 +1,65 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2010-2013 Sourcefire, Inc. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// norm_stats.cc author cisco.com + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "norm_stats.h" + +const PegInfo norm_names[] = +{ + { CountType::SUM, "ip4_trim", "eth packets trimmed to datagram size" }, + { CountType::SUM, "ip4_tos", "type of service normalizations" }, + { CountType::SUM, "ip4_df", "don't frag bit normalizations" }, + { CountType::SUM, "ip4_rf", "reserved flag bit clears" }, + { CountType::SUM, "ip4_ttl", "time-to-live normalizations" }, + { CountType::SUM, "ip4_opts", "ip4 options cleared" }, + { CountType::SUM, "icmp4_echo", "icmp4 ping normalizations" }, + { CountType::SUM, "ip6_hops", "ip6 hop limit normalizations" }, + { CountType::SUM, "ip6_options", "ip6 options cleared" }, + { CountType::SUM, "icmp6_echo", "icmp6 echo normalizations" }, + { CountType::SUM, "tcp_syn_options", "SYN only options cleared from non-SYN packets" }, + { CountType::SUM, "tcp_options", "packets with options cleared" }, + { CountType::SUM, "tcp_padding", "packets with padding cleared" }, + { CountType::SUM, "tcp_reserved", "packets with reserved bits cleared" }, + { CountType::SUM, "tcp_nonce", "packets with nonce bit cleared" }, + { CountType::SUM, "tcp_urgent_ptr", "packets without data with urgent pointer cleared" }, + { CountType::SUM, "tcp_ecn_pkt", "packets with ECN bits cleared" }, + { CountType::SUM, "tcp_ts_ecr", "timestamp cleared on non-ACKs" }, + { CountType::SUM, "tcp_req_urg", "cleared urgent pointer when urgent flag is not set" }, + { CountType::SUM, "tcp_req_pay", + "cleared urgent pointer and urgent flag when there is no payload" }, + { CountType::SUM, "tcp_req_urp", "cleared the urgent flag if the urgent pointer is not set" }, + + // These peg counts are shared with stream_tcp + { CountType::SUM, "tcp_trim_syn", "tcp segments trimmed on SYN" }, + { CountType::SUM, "tcp_trim_rst", "RST packets with data trimmed" }, + { CountType::SUM, "tcp_trim_win", "data trimmed to window" }, + { CountType::SUM, "tcp_trim_mss", "data trimmed to MSS" }, + { CountType::SUM, "tcp_ecn_session", "ECN bits cleared" }, + { CountType::SUM, "tcp_ts_nop", "timestamp options cleared" }, + { CountType::SUM, "tcp_ips_data", "normalized segments" }, + { CountType::SUM, "tcp_block", "blocked segments" }, + + { CountType::END, nullptr, nullptr } +}; + +THREAD_LOCAL PegCount norm_stats[PC_MAX][NORM_MODE_MAX]; diff --git a/src/network_inspectors/normalize/norm_stats.h b/src/network_inspectors/normalize/norm_stats.h new file mode 100644 index 000000000..ecacdba79 --- /dev/null +++ b/src/network_inspectors/normalize/norm_stats.h @@ -0,0 +1,71 @@ +//-------------------------------------------------------------------------- +// Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved. +// Copyright (C) 2010-2013 Sourcefire, Inc. +// +// This program is free software; you can redistribute it and/or modify it +// under the terms of the GNU General Public License Version 2 as published +// by the Free Software Foundation. You may not use, modify or distribute +// this program under any other version of the GNU General Public License. +// +// This program is distributed in the hope that it will be useful, but +// WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +//-------------------------------------------------------------------------- +// norm_stats.h author cisco.com + +#ifndef NORM_STATS_H +#define NORM_STATS_H + +#include "framework/counts.h" +#include "main/thread.h" + +#include "normalize.h" + +enum PegCounts +{ + PC_IP4_TRIM, + PC_IP4_TOS, + PC_IP4_DF, + PC_IP4_RF, + PC_IP4_TTL, + PC_IP4_OPTS, + PC_ICMP4_ECHO, + PC_IP6_TTL, + PC_IP6_OPTS, + PC_ICMP6_ECHO, + PC_TCP_SYN_OPT, + PC_TCP_OPT, + PC_TCP_PAD, + PC_TCP_RSV, + PC_TCP_NS, + PC_TCP_URP, + PC_TCP_ECN_PKT, + PC_TCP_TS_ECR, + PC_TCP_REQ_URG, + PC_TCP_REQ_PAY, + PC_TCP_REQ_URP, + + // These peg counts are shared with stream_tcp + PC_TCP_TRIM_SYN, + PC_TCP_TRIM_RST, + PC_TCP_TRIM_WIN, + PC_TCP_TRIM_MSS, + PC_TCP_ECN_SSN, + PC_TCP_TS_NOP, + PC_TCP_IPS_DATA, + PC_TCP_BLOCK, + + PC_MAX +}; + +#define TCP_PEGS_START PC_TCP_TRIM_SYN + +extern THREAD_LOCAL PegCount norm_stats[PC_MAX][NORM_MODE_MAX]; +extern const PegInfo norm_names[]; + +#endif diff --git a/src/network_inspectors/normalize/normalize.h b/src/network_inspectors/normalize/normalize.h index 89bda7b0b..b042343ad 100644 --- a/src/network_inspectors/normalize/normalize.h +++ b/src/network_inspectors/normalize/normalize.h @@ -20,8 +20,6 @@ #ifndef NORMALIZE_H #define NORMALIZE_H -#include "framework/counts.h" - // these control protocol specific normalizations enum NormFlags { @@ -59,15 +57,13 @@ enum NormFlags NORM_ALL = 0xFFFFFFFF, // all normalizations on }; -enum NormMode : int8_t +enum NormMode { NORM_MODE_TEST, NORM_MODE_ON, NORM_MODE_MAX }; -typedef PegCount (* NormPegs)[NORM_MODE_MAX]; - bool Normalize_IsEnabled(NormFlags); NormMode Normalize_GetMode(NormFlags); diff --git a/src/service_inspectors/dce_rpc/dce_smb_module.cc b/src/service_inspectors/dce_rpc/dce_smb_module.cc index 703390154..54801f26a 100644 --- a/src/service_inspectors/dce_rpc/dce_smb_module.cc +++ b/src/service_inspectors/dce_rpc/dce_smb_module.cc @@ -81,7 +81,7 @@ static const PegInfo dce2_smb_pegs[] = { CountType::SUM, "ignored_bytes", "total ignored bytes" }, { CountType::SUM, "smb_client_segs_reassembled", "total smb client segments reassembled" }, { CountType::SUM, "smb_server_segs_reassembled", "total smb server segments reassembled" }, - { CountType::SUM, "max_outstanding_requests", "total smb maximum outstanding requests" }, + { CountType::MAX, "max_outstanding_requests", "maximum outstanding requests" }, { CountType::SUM, "files_processed", "total smb files processed" }, { CountType::SUM, "v2_setup", "total number of SMBv2 setup packets seen" }, { CountType::SUM, "v2_setup_err_resp", diff --git a/src/stream/base/stream_base.cc b/src/stream/base/stream_base.cc index 6452ba7b6..b88468b30 100644 --- a/src/stream/base/stream_base.cc +++ b/src/stream/base/stream_base.cc @@ -51,6 +51,9 @@ THREAD_LOCAL FlowControl* flow_con = nullptr; static BaseStats g_stats; THREAD_LOCAL BaseStats stream_base_stats; +THREAD_LOCAL PegCount current_flows_prev; +THREAD_LOCAL PegCount uni_flows_prev; +THREAD_LOCAL PegCount uni_ip_flows_prev; // FIXIT-L dependency on stats define in another file const PegInfo base_pegs[] = @@ -75,12 +78,16 @@ const PegInfo base_pegs[] = { CountType::SUM, "reload_allowed_deletes", "number of allowed flows deleted by config reloads" }, { CountType::SUM, "reload_blocked_deletes", "number of blocked flows deleted by config reloads" }, { CountType::SUM, "reload_offloaded_deletes", "number of offloaded flows deleted by config reloads" }, + + // Keep the NOW stats at the bottom as it requires special sum_stats logic { CountType::NOW, "current_flows", "current number of flows in cache" }, { CountType::NOW, "uni_flows", "number of uni flows in cache" }, { CountType::NOW, "uni_ip_flows", "number of uni ip flows in cache" }, { CountType::END, nullptr, nullptr } }; +#define NOW_PEGS_NUM 3 + // FIXIT-L dependency on stats define in another file void base_prep() { @@ -99,9 +106,11 @@ void base_prep() stream_base_stats.reload_allowed_flow_deletes = flow_con->get_deletes(FlowDeleteState::ALLOWED); stream_base_stats.reload_offloaded_flow_deletes= flow_con->get_deletes(FlowDeleteState::OFFLOADED); stream_base_stats.reload_blocked_flow_deletes= flow_con->get_deletes(FlowDeleteState::BLOCKED); + stream_base_stats.current_flows = flow_con->get_num_flows(); stream_base_stats.uni_flows = flow_con->get_uni_flows(); stream_base_stats.uni_ip_flows = flow_con->get_uni_ip_flows(); + ExpectCache* exp_cache = flow_con->get_exp_cache(); if ( exp_cache ) @@ -116,7 +125,12 @@ void base_prep() void base_sum() { sum_stats((PegCount*)&g_stats, (PegCount*)&stream_base_stats, - array_size(base_pegs) - 1); + array_size(base_pegs) - 1 - NOW_PEGS_NUM); + + g_stats.current_flows += (int64_t)stream_base_stats.current_flows - (int64_t)current_flows_prev; + g_stats.uni_flows += (int64_t)stream_base_stats.uni_flows - (int64_t)uni_flows_prev; + g_stats.uni_ip_flows += (int64_t)stream_base_stats.uni_ip_flows - (int64_t)uni_ip_flows_prev; + base_reset(false); } @@ -127,21 +141,22 @@ void base_stats() void base_reset(bool reset_all) { - if ( flow_con ) - flow_con->clear_counts(); + current_flows_prev = stream_base_stats.current_flows; + uni_flows_prev = stream_base_stats.uni_flows; + uni_ip_flows_prev = stream_base_stats.uni_ip_flows; memset(&stream_base_stats, 0, sizeof(stream_base_stats)); - if ( reset_all ) + if ( flow_con ) { - if ( flow_con ) - { - ExpectCache* exp_cache = flow_con->get_exp_cache(); - if ( exp_cache ) - exp_cache->reset_stats(); - } - memset(&g_stats, 0, sizeof(g_stats)); + flow_con->clear_counts(); + ExpectCache* exp_cache = flow_con->get_exp_cache(); + if ( exp_cache ) + exp_cache->reset_stats(); } + + if ( reset_all ) + memset(&g_stats, 0, sizeof(g_stats)); } //------------------------------------------------------------------------- diff --git a/src/stream/base/stream_module.h b/src/stream/base/stream_module.h index a5341b160..6a0ce22c6 100644 --- a/src/stream/base/stream_module.h +++ b/src/stream/base/stream_module.h @@ -74,6 +74,8 @@ struct BaseStats PegCount reload_allowed_flow_deletes; PegCount reload_blocked_flow_deletes; PegCount reload_offloaded_flow_deletes; + + // Keep the NOW stats at the bottom as it requires special sum_stats logic PegCount current_flows; PegCount uni_flows; PegCount uni_ip_flows; diff --git a/src/stream/tcp/segment_overlap_editor.cc b/src/stream/tcp/segment_overlap_editor.cc index 4b64755a6..1f7dec8b8 100644 --- a/src/stream/tcp/segment_overlap_editor.cc +++ b/src/stream/tcp/segment_overlap_editor.cc @@ -215,7 +215,7 @@ void SegmentOverlapEditor::left_overlap_keep_first(TcpReassemblerState& trs) unsigned offset = trs.sos.tsd->get_seq() - trs.sos.left->i_seq; trs.sos.tsd->rewrite_payload(0, trs.sos.left->data + offset); } - tcp_norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; + norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; } else { @@ -227,7 +227,7 @@ void SegmentOverlapEditor::left_overlap_keep_first(TcpReassemblerState& trs) trs.sos.tsd->rewrite_payload(0, trs.sos.left->data + offset, length); } - tcp_norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; + norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; } trs.sos.seq += trs.sos.overlap; @@ -335,7 +335,7 @@ void SegmentOverlapEditor::right_overlap_truncate_new(TcpReassemblerState& trs) trs.sos.tsd->rewrite_payload(offset, trs.sos.right->data, length); } - tcp_norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; + norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; trs.sos.trunc_len = trs.sos.overlap; } @@ -349,7 +349,7 @@ void SegmentOverlapEditor::full_right_overlap_truncate_new(TcpReassemblerState& trs.sos.tsd->rewrite_payload(offset, trs.sos.right->data, trs.sos.right->i_len); } - tcp_norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; + norm_stats[PC_TCP_IPS_DATA][trs.sos.tcp_ips_data]++; if ( SEQ_EQ(trs.sos.right->i_seq, trs.sos.seq) ) { diff --git a/src/stream/tcp/segment_overlap_editor.h b/src/stream/tcp/segment_overlap_editor.h index 618b2f660..6a769964d 100644 --- a/src/stream/tcp/segment_overlap_editor.h +++ b/src/stream/tcp/segment_overlap_editor.h @@ -24,7 +24,7 @@ #include -#include "normalize/normalize.h" +#include "normalize/norm_stats.h" #include "stream/paf.h" #include "tcp_segment_node.h" diff --git a/src/stream/tcp/tcp_normalizer.cc b/src/stream/tcp/tcp_normalizer.cc index 5d20ed354..0c23e6491 100644 --- a/src/stream/tcp/tcp_normalizer.cc +++ b/src/stream/tcp/tcp_normalizer.cc @@ -31,39 +31,13 @@ using namespace snort; -THREAD_LOCAL PegCount tcp_norm_stats[PC_TCP_MAX][NORM_MODE_MAX]; - -static const PegInfo pegName[] = -{ - { CountType::SUM, "tcp_trim_syn", "tcp segments trimmed on SYN" }, - { CountType::SUM, "tcp_trim_rst", "RST packets with data trimmed" }, - { CountType::SUM, "tcp_trim_win", "data trimmed to window" }, - { CountType::SUM, "tcp_trim_mss", "data trimmed to MSS" }, - { CountType::SUM, "tcp_ecn_session", "ECN bits cleared" }, - { CountType::SUM, "tcp_ts_nop", "timestamp options cleared" }, - { CountType::SUM, "tcp_ips_data", "normalized segments" }, - { CountType::SUM, "tcp_block", "blocked segments" }, - { CountType::END, nullptr, nullptr } -}; - -const PegInfo* TcpNormalizer::get_normalization_pegs() -{ - return pegName; -} - -NormPegs TcpNormalizer::get_normalization_counts(unsigned& c) -{ - c = PC_TCP_MAX; - return tcp_norm_stats; -} - bool TcpNormalizer::trim_payload(TcpNormalizerState&, TcpSegmentDescriptor& tsd, uint32_t max, - NormMode mode, TcpPegCounts peg, bool force) + NormMode mode, PegCounts peg, bool force) { if ( force ) mode = NORM_MODE_ON; - tcp_norm_stats[peg][mode]++; + norm_stats[peg][mode]++; if ( mode == NORM_MODE_ON ) { @@ -79,7 +53,7 @@ bool TcpNormalizer::trim_payload(TcpNormalizerState&, TcpSegmentDescriptor& tsd, bool TcpNormalizer::strip_tcp_timestamp( TcpNormalizerState&, TcpSegmentDescriptor& tsd, const tcp::TcpOption* opt, NormMode mode) { - tcp_norm_stats[PC_TCP_TS_NOP][mode]++; + norm_stats[PC_TCP_TS_NOP][mode]++; if (mode == NORM_MODE_ON) { @@ -100,7 +74,7 @@ bool TcpNormalizer::packet_dropper( const int8_t mode = (f == NORM_TCP_BLOCK) ? tns.tcp_block : tns.opt_block; - tcp_norm_stats[PC_TCP_BLOCK][mode]++; + norm_stats[PC_TCP_BLOCK][mode]++; if (mode == NORM_MODE_ON) { @@ -166,7 +140,7 @@ void TcpNormalizer::ecn_stripper( tsd.set_packet_flags(PKT_MODIFIED); } - tcp_norm_stats[PC_TCP_ECN_SSN][tns.strip_ecn]++; + norm_stats[PC_TCP_ECN_SSN][tns.strip_ecn]++; } } @@ -427,7 +401,7 @@ uint16_t TcpNormalizer::set_urg_offset( void TcpNormalizer::reset_stats() { - for (int i = 0; i < PC_TCP_MAX; i++) + for (int i = TCP_PEGS_START; i < PC_MAX; i++) for (int j = 0; j < NORM_MODE_MAX; j++) - tcp_norm_stats[i][j] = 0; + norm_stats[i][j] = 0; } diff --git a/src/stream/tcp/tcp_normalizer.h b/src/stream/tcp/tcp_normalizer.h index f123e4518..e9d6b8e82 100644 --- a/src/stream/tcp/tcp_normalizer.h +++ b/src/stream/tcp/tcp_normalizer.h @@ -26,23 +26,9 @@ #include "main/thread.h" #include "normalize/normalize.h" +#include "normalize/norm_stats.h" #include "protocols/tcp_options.h" -enum TcpPegCounts -{ - PC_TCP_TRIM_SYN, - PC_TCP_TRIM_RST, - PC_TCP_TRIM_WIN, - PC_TCP_TRIM_MSS, - PC_TCP_ECN_SSN, - PC_TCP_TS_NOP, - PC_TCP_IPS_DATA, - PC_TCP_BLOCK, - PC_TCP_MAX -}; - -extern THREAD_LOCAL PegCount tcp_norm_stats[PC_TCP_MAX][NORM_MODE_MAX]; - class TcpStreamSession; class TcpStreamTracker; class TcpSegmentDescriptor; @@ -93,14 +79,12 @@ public: virtual int handle_repeated_syn(State&, TcpSegmentDescriptor&) = 0; virtual uint16_t set_urg_offset(State&, const snort::tcp::TCPHdr* tcph, uint16_t dsize); - static const PegInfo* get_normalization_pegs(); - static NormPegs get_normalization_counts(unsigned&); static void reset_stats(); protected: TcpNormalizer() = default; - virtual bool trim_payload(State&, TcpSegmentDescriptor&, uint32_t, NormMode, TcpPegCounts, + virtual bool trim_payload(State&, TcpSegmentDescriptor&, uint32_t, NormMode, PegCounts, bool force = false); virtual bool strip_tcp_timestamp( State&, TcpSegmentDescriptor&, const snort::tcp::TcpOption*, NormMode);