From: Russ Combs Date: Fri, 28 Oct 2016 11:34:52 +0000 (-0400) Subject: move offload_limit to detection; use trace feature X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3264ed74d0586d883575f010a2df6003e29bd62;p=thirdparty%2Fsnort3.git move offload_limit to detection; use trace feature --- diff --git a/src/detection/context_switcher.cc b/src/detection/context_switcher.cc index 71b0743d0..ce95832ac 100644 --- a/src/detection/context_switcher.cc +++ b/src/detection/context_switcher.cc @@ -26,7 +26,10 @@ #include +#include "main/modules.h" +#include "main/snort_debug.h" #include "utils/stats.h" + #include "ips_context.h" #ifdef UNIT_TEST @@ -70,8 +73,8 @@ void ContextSwitcher::start() { assert(busy.empty()); assert(idle.size() > 0); -//printf("%ld cs::start %u (i=%lu, b=%lu)\n", -// pc.total_from_daq, idle.back()->get_slot(), idle.size(), busy.size()); + trace_logf(detection, "%ld cs::start %u (i=%lu, b=%lu)\n", + pc.total_from_daq, idle.back()->get_slot(), idle.size(), busy.size()); busy.push_back(idle.back()); idle.pop_back(); } @@ -79,16 +82,16 @@ void ContextSwitcher::start() void ContextSwitcher::stop() { assert(busy.size() == 1); -//printf("%ld cs::stop %u (i=%lu, b=%lu)\n", -// pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size()); + trace_logf(detection, "%ld cs::stop %u (i=%lu, b=%lu)\n", + pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size()); idle.push_back(busy.back()); busy.pop_back(); } void ContextSwitcher::abort() { -//printf("%ld cs::abort (i=%lu, b=%lu)\n", -// pc.total_from_daq, idle.size(), busy.size()); + trace_logf(detection, "%ld cs::abort (i=%lu, b=%lu)\n", + pc.total_from_daq, idle.size(), busy.size()); for ( unsigned i = 0; i < hold.capacity(); ++i ) { if ( hold[i] ) 
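Review bot: The format strings that this change turns into live code do not obviously match their arguments, starting with the `trace_logf` call in ContextSwitcher::start(): `pc.total_from_daq` is printed with `%ld` here but with `%lu` in detection_engine.cc, and `idle.size()` / `busy.size()` are `size_t` values printed with `%lu`. While these were commented-out printf calls the mismatch was harmless; as variadic arguments, a wrong length or signedness is undefined behaviour on targets where `long` and `size_t` differ in width. I would use `%zu` for the container sizes and a fixed-width specifier for the counter, e.g. `trace_logf(detection, "%" PRIu64 " cs::start %u (i=%zu, b=%zu)\n",`, assuming the counter is a 64-bit unsigned type, which this diff does not show. The same applies to the stop(), abort(), interrupt(), complete(), suspend() and resume() hunks in this file.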
@@ -107,8 +110,8 @@ void ContextSwitcher::abort()
 IpsContext* ContextSwitcher::interrupt()
 {
 assert(!idle.empty());
-//printf("%ld cs::interrupt %u (i=%lu, b=%lu)\n",
-// pc.total_from_daq, idle.back()->get_slot(), idle.size(), busy.size());
+ trace_logf(detection, "%ld cs::interrupt %u (i=%lu, b=%lu)\n",
+ pc.total_from_daq, idle.back()->get_slot(), idle.size(), busy.size());
 busy.push_back(idle.back());
 idle.pop_back();
 return busy.back();
@@ -117,8 +120,8 @@ IpsContext* ContextSwitcher::interrupt()
 IpsContext* ContextSwitcher::complete()
 {
 assert(!busy.empty());
-//printf("%ld cs::complete %u (i=%lu, b=%lu)\n",
-// pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size());
+ trace_logf(detection, "%ld cs::complete %u (i=%lu, b=%lu)\n",
+ pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size());
 idle.push_back(busy.back());
 busy.pop_back();
 return busy.empty() ? nullptr : busy.back();
@@ -127,8 +130,8 @@ IpsContext* ContextSwitcher::complete()
 unsigned ContextSwitcher::suspend()
 {
 assert(!busy.empty());
-//printf("%ld cs::suspend %u (i=%lu, b=%lu)\n",
-// pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size());
+ trace_logf(detection, "%ld cs::suspend %u (i=%lu, b=%lu)\n",
+ pc.total_from_daq, busy.back()->get_slot(), idle.size(), busy.size());
 IpsContext* c = busy.back();
 busy.pop_back();
 unsigned slot = c->get_slot();
@@ -140,8 +143,8 @@ unsigned ContextSwitcher::suspend()
 void ContextSwitcher::resume(unsigned slot)
 {
 assert(slot <= hold.capacity());
-//printf("%ld cs::resume %u (i=%lu, b=%lu)\n",
-// pc.total_from_daq, slot, idle.size(), busy.size());
+ trace_logf(detection, "%ld cs::resume %u (i=%lu, b=%lu)\n",
+ pc.total_from_daq, slot, idle.size(), busy.size());
 busy.push_back(hold[slot]);
 hold[slot] = nullptr;
 }
diff --git a/src/detection/detection_engine.cc b/src/detection/detection_engine.cc
index 24c13e248..6218595f4 100644
--- a/src/detection/detection_engine.cc
+++ b/src/detection/detection_engine.cc
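Review bot: In ContextSwitcher::resume() the guard `assert(slot <= hold.capacity());` still admits `slot == hold.capacity()`, which is one past the last valid index for the `hold[slot]` read two lines later, and it tests capacity rather than size. The new trace line logs `slot` but leaves the bound untouched, and an assert disappears in NDEBUG builds, so a bad slot id would read outside the container. I would tighten it to `assert(slot < hold.size());`. abort() also iterates up to `hold.capacity()`, so whether size and capacity are kept equal should be confirmed against the constructor, which is outside this diff.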
@@ -25,8 +25,10 @@ #include "framework/endianness.h" #include "helpers/ring.h" #include "latency/packet_latency.h" +#include "main/modules.h" #include "main/snort.h" #include "main/snort_config.h" +#include "main/snort_debug.h" #include "main/thread.h" #include "managers/inspector_manager.h" #include "packet_io/active.h" @@ -43,6 +45,8 @@ #include "fp_detect.h" #include "ips_context.h" +Trace TRACE_NAME(detection); + THREAD_LOCAL DetectionEngine::ActiveRules active_rules = DetectionEngine::NONE; static THREAD_LOCAL unsigned s_events = 0; @@ -183,11 +187,11 @@ void DetectionEngine::idle() while ( !offload_ids->empty() ) { const struct timespec blip = { 0, 1 }; -//printf("%lu de::sleep\n", pc.total_from_daq); + trace_logf(detection, "%lu de::sleep\n", pc.total_from_daq); nanosleep(&blip, nullptr); onload(); } -//printf("%lu de::idle (r=%d)\n", pc.total_from_daq, offload_ids->count()); + trace_logf(detection, "%lu de::idle (r=%d)\n", pc.total_from_daq, offload_ids->count()); } void DetectionEngine::onload(Flow* flow) @@ -195,7 +199,7 @@ void DetectionEngine::onload(Flow* flow) while ( flow->test_session_flags(SSNFLAG_OFFLOAD) ) { const struct timespec blip = { 0, 1 }; -//printf("%lu de::sleep\n", pc.total_from_daq); + trace_logf(detection, "%lu de::sleep\n", pc.total_from_daq); nanosleep(&blip, nullptr); onload(); } @@ -212,7 +216,9 @@ void DetectionEngine::onload() if ( !c->onload ) return; -//printf("%lu de::onload %u (r=%d)\n", pc.total_from_daq, *id, offload_ids->count()); + trace_logf(detection, "%lu de::onload %u (r=%d)\n", + pc.total_from_daq, *id, offload_ids->count()); + Packet* p = c->packet; p->flow->clear_session_flags(SSNFLAG_OFFLOAD); 
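Review bot: The `de::sleep` trace in DetectionEngine::idle() sits inside the `while ( !offload_ids->empty() )` loop that sleeps one nanosecond per pass, so with detection tracing enabled it can emit a line on every spin; the same call is added inside the wait loop of onload(Flow*). On a loaded sensor that is a log flood in the detection path, costing throughput exactly while offloads are outstanding. I would log once before entering the loop, e.g. `trace_logf(detection, "%lu de::idle wait (r=%d)\n", pc.total_from_daq, offload_ids->count());`, or count the iterations and report the total afterwards. How cheap trace_logf is when the trace is off is not visible in this diff.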
@@ -233,9 +239,8 @@ void DetectionEngine::onload() bool DetectionEngine::offload(Packet* p) { ContextSwitcher* sw = Snort::get_switcher(); - FastPatternConfig* fp = snort_conf->fast_pattern_config; - if ( p->type() != PktType::PDU or (p->dsize < fp->get_offload_limit()) or !sw->can_hold() ) + if ( p->type() != PktType::PDU or (p->dsize < snort_conf->offload_limit) or !sw->can_hold() ) { fp_local(p); return false; @@ -248,7 +253,9 @@ bool DetectionEngine::offload(Packet* p) unsigned id = sw->suspend(); offload_ids->put(id); -//printf("%lu de::offload %u (r=%d)\n", pc.total_from_daq, id, offload_ids->count()); + + trace_logf(detection, "%lu de::offload %u (r=%d)\n", + pc.total_from_daq, id, offload_ids->count()); p->context->onload = false; p->context->offload = new std::thread(fp_offload, p, snort_conf); diff --git a/src/detection/fp_config.cc b/src/detection/fp_config.cc index 885c0c107..a343cb7f7 100644 --- a/src/detection/fp_config.cc +++ b/src/detection/fp_config.cc @@ -46,8 +46,6 @@ FastPatternConfig::FastPatternConfig() search_api = MpseManager::get_search_api("ac_bnfa"); assert(search_api); trim = MpseManager::search_engine_trim(search_api); - - offload_limit = 99999; // FIXIT-H use common value } FastPatternConfig::~FastPatternConfig() diff --git a/src/detection/fp_config.h b/src/detection/fp_config.h index e4e85f1f0..e8152e2fd 100644 --- a/src/detection/fp_config.h +++ b/src/detection/fp_config.h @@ -64,12 +64,6 @@ public: int get_bleed_over_port_limit() { return bleedover_port_limit; } - void set_offload_limit(unsigned n) - { offload_limit = n; } - - unsigned get_offload_limit() - { return offload_limit; } - int get_single_rule_group() { return portlists_flags & PL_SINGLE_RULE_GROUP; } @@ -158,7 +152,6 @@ private: unsigned max_queue_events; unsigned bleedover_port_limit; - unsigned offload_limit; int search_opt; int portlists_flags; diff --git a/src/main/modules.cc b/src/main/modules.cc index fa4bccf73..3344d476d 100644 --- a/src/main/modules.cc 
+++ b/src/main/modules.cc @@ -69,6 +69,9 @@ static const Parameter detection_params[] = { "asn1", Parameter::PT_INT, "1:", "256", "maximum decode nodes" }, + { "offload_limit", Parameter::PT_INT, "0:", "99999", + "minimum sizeof PDU to offload fast pattern search (defaults to disabled)" }, + { "pcre_enable", Parameter::PT_BOOL, nullptr, "true", "disable pcre pattern matching" }, @@ -88,7 +91,8 @@ static const Parameter detection_params[] = class DetectionModule : public Module { public: - DetectionModule() : Module("detection", detection_help, detection_params) {} + DetectionModule() : + Module("detection", detection_help, detection_params, false, &TRACE_NAME(detection)) {} bool set(const char*, Value&, SnortConfig*) override; const PegInfo* get_pegs() const override @@ -98,11 +102,14 @@ public: { return (PegCount*) &pc; } }; -bool DetectionModule::set(const char*, Value& v, SnortConfig* sc) +bool DetectionModule::set(const char* fqn, Value& v, SnortConfig* sc) { if ( v.is("asn1") ) sc->asn1_mem = v.get_long(); + else if ( v.is("offload_limit") ) + sc->offload_limit = v.get_long(); + else if ( v.is("pcre_enable") ) v.update_mask(sc->run_flags, RUN_FLAG__NO_PCRE, true); @@ -113,7 +120,7 @@ bool DetectionModule::set(const char*, Value& v, SnortConfig* sc) sc->pcre_match_limit_recursion = v.get_long(); else - return false; + return Module::set(fqn, v, sc); return true; } @@ -221,9 +228,6 @@ static const Parameter search_engine_params[] = { "inspect_stream_inserts", Parameter::PT_BOOL, nullptr, "false", "inspect reassembled payload - disabling is good for performance, bad for detection" }, - { "offload_limit", Parameter::PT_INT, "0:", "99999", - "minimum sizeof PDU to offload fast pattern search (defaults to disabled)" }, - { "search_method", Parameter::PT_DYNAMIC, (void*)&get_search_methods, "ac_bnfa", "set fast pattern algorithm - choose available search engine" }, 
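Review bot: `sc->offload_limit = v.get_long();` in DetectionModule::set() stores the parsed value into an `unsigned` member (declared in snort_config.h by this commit), while the parameter range `"0:"` has no upper bound. If get_long() returns a type wider than unsigned, a large configured value would be silently truncated and could turn a limit meant to disable offload into a small one. I would bound the range in detection_params, e.g. `{ "offload_limit", Parameter::PT_INT, "0:99999", "99999",`, with the maximum chosen to match the largest `p->dsize` that the comparison in DetectionEngine::offload() can see.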
@@ -319,9 +323,6 @@ bool SearchEngineModule::set(const char*, Value& v, SnortConfig* sc) else if ( v.is("inspect_stream_inserts") ) fp->set_stream_insert(v.get_bool()); - else if ( v.is("offload_limit") ) - fp->set_offload_limit(v.get_long()); - else if ( v.is("search_method") ) { if ( !fp->set_detect_search_method(v.get_string()) ) diff --git a/src/main/modules.h b/src/main/modules.h index ffc85e152..639b21f20 100644 --- a/src/main/modules.h +++ b/src/main/modules.h @@ -24,7 +24,11 @@ // this is for builtin module initialization. // ideally, modules.cc would be refactored and several files. +#include "main/snort_debug.h" + void module_init(); +extern Trace TRACE_NAME(detection); // FIXIT-L refactor detection module out + #endif diff --git a/src/main/snort_config.h b/src/main/snort_config.h index e01df2cd9..2c397a784 100644 --- a/src/main/snort_config.h +++ b/src/main/snort_config.h @@ -183,6 +183,8 @@ public: int asn1_mem = 0; uint32_t run_flags = 0; + unsigned offload_limit = 99999; + //------------------------------------------------------ // process stuff
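Review bot: The initializer `unsigned offload_limit = 99999;` added to SnortConfig carries no comment, and the same literal is repeated as the default string in detection_params in modules.cc, where the help text says it means disabled. The FIXIT asking for a common value was deleted from fp_config.cc without the duplication going away. I would add `// 99999 = offload disabled; keep in sync with detection_params in modules.cc` on the member, or derive both defaults from one named constant.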