From 2c994c49871180db581cedef2ea1d053b98c8d10 Mon Sep 17 00:00:00 2001
From: "Mike Stepanek (mstepane)"
Date: Thu, 9 May 2019 12:53:50 -0400
Subject: [PATCH] Merge pull request #1592 in SNORT/snort3 from ~SMINUT/snort3:event_filter_memcap to master
Squashed commit of the following:
commit 2da9b2b60b98cf6c2bb901d6cfab0871fed0ce7f
Author: Silviu Minut
Date: Tue Apr 30 13:23:35 2019 -0400
filters: make thd_runtime and rf_hash thread local and allocate them from thread init rather than from Module::end().
---
 src/filters/sfrf.cc | 25 +++++++++++++++----------
 src/filters/sfrf.h | 4 +++-
 src/filters/sfrf_test.cc | 3 ++-
 src/filters/sfthd.cc | 8 --------
 src/filters/sfthd.h | 2 --
 src/filters/sfthreshold.cc | 23 +++++++++++++----------
 src/filters/sfthreshold.h | 3 ++-
 src/main/analyzer.cc | 10 +++++++++-
 src/main/snort.cc | 5 +----
 9 files changed, 45 insertions(+), 38 deletions(-)
diff --git a/src/filters/sfrf.cc b/src/filters/sfrf.cc
index 55c3519dc..62a469ab9 100644
--- a/src/filters/sfrf.cc
+++ b/src/filters/sfrf.cc
@@ -26,6 +26,7 @@
 #include "sfrf.h"
+#include "main/thread.h"
 #include "detection/rules.h"
 #include "hash/ghash.h"
 #include "hash/xhash.h"
@@ -95,7 +96,7 @@ typedef struct
 time_t revertTime;
 } tSFRFTrackingNode;
-XHash* rf_hash = nullptr;
+static THREAD_LOCAL XHash* rf_hash = nullptr;
 // private methods ...
 static int _checkThreshold(
@@ -201,6 +202,19 @@ static void SFRF_SidNodeFree(void* item)
 snort_free(pSidnode);
 }
+int SFRF_Alloc(unsigned int memcap)
+{
+ if ( rf_hash == nullptr )
+ {
+ SFRF_New(memcap);
+
+ if ( rf_hash == nullptr )
+ return -1;
+ }
+ return 0;
+}
+
+
 /* Add a permanent threshold object to the threshold table. Multiple
 * objects may be defined for each gid and sid pair. Internally
 * a unique threshold id is generated for each pair.
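Review bot: SFRF_Alloc returns 0 whenever rf_hash is already non-null, so a second call on the same thread with a different memcap is a silent no-op and the new cap is never applied; sfthreshold_alloc in sfthreshold.cc has the same shape. Whether a caller can reach that case (a reload path, or the test Init() running more than once) is not visible here, so at minimum the contract should be stated on the definition, e.g. `// Creates this thread's rate-filter tracking table once; later calls return 0 without resizing, so memcap must be final before the first call.`. Because rf_hash is now THREAD_LOCAL, memcap bounds each packet thread's table separately and the process-wide bound becomes memcap times the number of packet threads, which belongs in the same comment since memcap is the guard against memory exhaustion under an event flood. The two blank `+` lines after the closing brace leave a double blank before the next comment block, a style nit.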
@@ -224,15 +238,6 @@ int SFRF_ConfigAdd(snort::SnortConfig*, RateFilterConfig* rf_config, tSFRFConfig
 PolicyId policy_id = snort::get_ips_policy()->policy_id;
- // Auto init - memcap must be set 1st, which is not really a problem
- if ( rf_hash == nullptr )
- {
- SFRF_New(rf_config->memcap);
-
- if ( rf_hash == nullptr )
- return -1;
- }
-
 if ((rf_config == nullptr) || (cfgNode == nullptr))
 return -1;
diff --git a/src/filters/sfrf.h b/src/filters/sfrf.h
index c0d5f98de..eb3c6014b 100644
--- a/src/filters/sfrf.h
+++ b/src/filters/sfrf.h
@@ -178,5 +178,7 @@ inline bool is_internal_event_enabled(RateFilterConfig* config, uint32_t sid)
 return (config->internal_event_mask & (1 << sid));
 }
-#endif
+int SFRF_Alloc(unsigned int memcap);
+
+#endif
diff --git a/src/filters/sfrf_test.cc b/src/filters/sfrf_test.cc
index dc389ae09..012d3d846 100644
--- a/src/filters/sfrf_test.cc
+++ b/src/filters/sfrf_test.cc
@@ -896,6 +896,8 @@ static void Init(unsigned cap)
 rfc = RateFilter_ConfigNew();
 rfc->memcap = cap;
+ SFRF_Alloc(rfc->memcap);
+
 for ( unsigned i = 0; i < NUM_NODES; i++ )
 {
 RateData* p = rfData + i;
@@ -1014,4 +1016,3 @@ TEST_CASE("sfrf minimum memcap", "[sfrf]")
 }
 Term();
 }
-
diff --git a/src/filters/sfthd.cc b/src/filters/sfthd.cc
index 091a50074..2479e9e23 100644
--- a/src/filters/sfthd.cc
+++ b/src/filters/sfthd.cc
@@ -667,7 +667,6 @@ static inline int sfthd_test_suppress(
 #endif
 /* Don't log, and stop looking( event's to this address
 * for this gen_id+sig_id) */
- sfthd_node->filtered++;
 return -1;
 }
 return 1; /* Keep looking for other suppressors */
@@ -716,7 +715,6 @@ static inline int sfthd_test_non_suppress(
 /* Don't Log yet, don't keep looking:
 * already logged our limit, don't log this sid */
- sfthd_node->filtered++;
 return -2;
 }
 if ( sfthd_node->type == THD_TYPE_LIMIT )
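Review bot: The new `int SFRF_Alloc(unsigned int memcap);` prototype in sfrf.h carries no comment, and nothing in the header says that the table it creates is per-thread or what its return value means. A one-liner above it would do: `// Create the calling thread's rate-filter tracking table (no-op if it already exists); returns 0 on success, -1 if allocation fails.`. Stating the per-thread scope here matters because memcap is the only bound on the table's growth and it is now applied once per packet thread rather than once per process.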
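Review bot: The return value of SFRF_Alloc is discarded at `SFRF_Alloc(rfc->memcap);` in Init(), so if the allocation fails for a small cap the rest of Init() and the test cases run against a null table instead of failing at the point of cause. Before this commit that failure surfaced as -1 from SFRF_ConfigAdd, which a test could observe; with the auto-init removed from SFRF_ConfigAdd that signal is gone, so whether the `sfrf minimum memcap` case still exercises what its name suggests cannot be confirmed from the hunk. Capturing the status keeps the failure visible, e.g. `int rc = SFRF_Alloc(rfc->memcap); REQUIRE(rc == 0);` in Init(), or a dedicated assertion on it in the minimum-memcap case.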
@@ -746,7 +744,6 @@ static inline int sfthd_test_non_suppress(
 /* Don't Log yet, don't keep looking:
 * already logged our limit, don't log this sid */
- sfthd_node->filtered++;
 return -2;
 }
 else if ( sfthd_node->type == THD_TYPE_THRESHOLD )
@@ -768,7 +765,6 @@ static inline int sfthd_test_non_suppress(
 sfthd_ip_node->tstart= curtime;
 return 0; /* Log it, stop looking */
 }
- sfthd_node->filtered++;
 return -2; /* don't log yet */
 }
 else if ( sfthd_node->type == THD_TYPE_BOTH )
@@ -785,7 +781,6 @@ static inline int sfthd_test_non_suppress(
 /* Don't Log yet, keep looking:
 * only log after we reach count, which must be > '1' */
- sfthd_node->filtered++;
 return -2;
 }
 else
@@ -796,7 +791,6 @@ static inline int sfthd_test_non_suppress(
 {
 /* don't log it, stop looking:
 * log once per time interval - than block it */
- sfthd_node->filtered++;
 return -2;
 }
 /* Log it, stop looking:
@@ -807,7 +801,6 @@ static inline int sfthd_test_non_suppress(
 {
 /* don't log it, stop looking:
 * we must see at least count events 1st */
- sfthd_node->filtered++;
 return -2;
 }
 }
@@ -1283,4 +1276,3 @@ int sfthd_show_objects(ThresholdObjects* thd_objs)
 }
 #endif // THD_DEBUG
-
diff --git a/src/filters/sfthd.h b/src/filters/sfthd.h
index 4a9de016f..07fdb3801 100644
--- a/src/filters/sfthd.h
+++ b/src/filters/sfthd.h
@@ -132,7 +132,6 @@ struct THD_NODE
 int priority;
 int count;
 unsigned seconds;
- uint64_t filtered;
 sfip_var_t* ip_address;
 };
@@ -253,4 +252,3 @@ int sfthd_show_objects(THD_STRUCT* thd);
 #endif
 #endif
-
diff --git a/src/filters/sfthreshold.cc b/src/filters/sfthreshold.cc
index 0c8b0258a..9ebacd599 100644
--- a/src/filters/sfthreshold.cc
+++ b/src/filters/sfthreshold.cc
@@ -50,7 +50,7 @@
 #include "sfthd.h"
 /* Data */
-THD_STRUCT* thd_runtime = nullptr;
+static THREAD_LOCAL THD_STRUCT* thd_runtime = nullptr;
 static THREAD_LOCAL int thd_checked = 0; // per packet
 static THREAD_LOCAL int thd_answer = 0; // per packet
@@ -92,6 +92,18 @@ void sfthreshold_free()
 thd_runtime = nullptr;
 }
+int sfthreshold_alloc(unsigned int l_memcap, unsigned int g_memcap)
+{
+ if (thd_runtime == nullptr)
+ {
+ thd_runtime = sfthd_new(l_memcap, g_memcap);
+ if (thd_runtime == nullptr)
+ return -1;
+ }
+ return 0;
+}
+
+
 int sfthreshold_create(
 snort::SnortConfig* sc, ThresholdConfig* thd_config, THDX_STRUCT* thdx)
 {
@@ -101,14 +113,6 @@ int sfthreshold_create(
 if (!thd_config->enabled)
 return 0;
- /* Auto init - memcap must be set 1st, which is not really a problem */
- if (thd_runtime == nullptr)
- {
- thd_runtime = sfthd_new(thd_config->memcap, thd_config->memcap);
- if (thd_runtime == nullptr)
- return -1;
- }
-
 /* print_thdx( thdx ); */
 /* Add the object to the table - */
@@ -162,4 +166,3 @@ void sfthreshold_reset()
 {
 thd_checked = 0;
 }
-
diff --git a/src/filters/sfthreshold.h b/src/filters/sfthreshold.h
index 1acd26044..7585e48db 100644
--- a/src/filters/sfthreshold.h
+++ b/src/filters/sfthreshold.h
@@ -43,5 +43,6 @@ int sfthreshold_test(
 unsigned int, unsigned int, const snort::SfIp*, const snort::SfIp*, long curtime);
 void sfthreshold_free();
-#endif
+int sfthreshold_alloc(unsigned int l_memcap, unsigned int g_memcap);
+#endif
diff --git a/src/main/analyzer.cc b/src/main/analyzer.cc
index 4b3df8818..0a915adca 100644
--- a/src/main/analyzer.cc
+++ b/src/main/analyzer.cc
@@ -35,6 +35,8 @@
 #include "detection/tag.h"
 #include "file_api/file_service.h"
 #include "filters/detection_filter.h"
+#include "filters/rate_filter.h"
+#include "filters/sfrf.h"
 #include "filters/sfthreshold.h"
 #include "flow/ha.h"
 #include "framework/data_bus.h"
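Review bot: The new `int sfthreshold_alloc(unsigned int l_memcap, unsigned int g_memcap);` prototype in sfthreshold.h does not say what distinguishes l_memcap from g_memcap, and the only caller in this patch (Analyzer::init_unprivileged) passes the same value for both, exactly as the removed auto-init in sfthreshold_create did. A comment on the prototype would keep the next caller from guessing, e.g. `// Create this thread's event-threshold tables; no-op if already created, returns 0 on success or -1 on allocation failure.`, and if the l_/g_ prefixes do mean local/global per sfthd_new, say so there rather than leaving it to the names. sfrf.h separates its new prototype from `#endif` with a blank line while this header does not; the two headers should agree.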
@@ -491,6 +493,10 @@ void Analyzer::init_unprivileged()
 // in case there are HA messages waiting, process them first
 HighAvailabilityManager::process_receive();
 PacketManager::thread_init();
+
+ // init filters hash tables that depend on alerts
+ sfthreshold_alloc(sc->threshold_config->memcap, sc->threshold_config->memcap);
+ SFRF_Alloc(sc->rate_filter_config->memcap);
 }
 void Analyzer::reinit(SnortConfig* sc)
@@ -546,6 +552,9 @@ void Analyzer::term()
 Active::thread_term();
 delete switcher;
+
+ sfthreshold_free();
+ RateFilter_Cleanup();
 }
 Analyzer::Analyzer(SFDAQInstance* instance, unsigned i, const char* s, uint64_t msg_cnt)
@@ -792,4 +801,3 @@ void Analyzer::rotate()
 {
 DataBus::publish(THREAD_ROTATE_EVENT, nullptr);
 }
-
diff --git a/src/main/snort.cc b/src/main/snort.cc
index 93e008f5f..86d1c6d55 100644
--- a/src/main/snort.cc
+++ b/src/main/snort.cc
@@ -35,6 +35,7 @@
 #include "detection/fp_detect.h"
 #include "file_api/file_service.h"
 #include "filters/rate_filter.h"
+#include "filters/sfrf.h"
 #include "filters/sfthreshold.h"
 #include "flow/ha.h"
 #include "framework/mpse.h"
@@ -386,9 +387,6 @@ void Snort::term()
 //MpseManager::print_search_engine_stats();
- sfthreshold_free(); // FIXDAQ etc.
- RateFilter_Cleanup();
-
 Periodic::unregister_all();
 LogMessage("%s Snort exiting\n", get_prompt());
@@ -657,4 +655,3 @@ SnortConfig* Snort::get_updated_module(SnortConfig* other_conf, const char* name
 reloading = false;
 return sc;
 }
-
-- 
2.47.3
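Review bot: Both return values are discarded at `sfthreshold_alloc(...)` and `SFRF_Alloc(...)`, yet each returns -1 when its table cannot be allocated (see the new definitions in sfthreshold.cc and sfrf.cc), so a per-thread allocation failure now leaves thd_runtime or rf_hash null and the packet thread starts anyway. Before this commit the same failure propagated as -1 from sfthreshold_create / SFRF_ConfigAdd at configuration time; whether the per-packet test paths tolerate a null table is not visible here, so the status should be checked and the thread should fail loudly, e.g. `if ( sfthreshold_alloc(sc->threshold_config->memcap, sc->threshold_config->memcap) < 0 || SFRF_Alloc(sc->rate_filter_config->memcap) < 0 ) FatalError("failed to allocate event filter tables\n");` (FatalError from log/messages.h, if this TU already has it; otherwise the file's usual error path). The comment `// init filters hash tables that depend on alerts` is also the right place to record that memcap is now applied per packet thread, so the configured value no longer bounds total filter memory across threads. Analyzer::init_unprivileged's body begins before this hunk.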
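Review bot: `#include "filters/sfrf.h"` is added to snort.cc while the same patch removes the only filter-related calls in this file from Snort::term (sfthreshold_free and RateFilter_Cleanup, the latter presumably provided by the already-included rate_filter.h, judging by the name), so as far as this diff shows the new include has no user here. If nothing else in snort.cc references an SFRF_* symbol the include should be dropped; if something does, it is outside the hunks shown.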