From 56000acefb7b4f50926f6fb9ecada12e4710c1ac Mon Sep 17 00:00:00 2001 From: Giuseppe Longo Date: Fri, 9 Oct 2015 08:59:48 +0200 Subject: [PATCH] detect-engine: add reload time/rules stats This patch adds the following stats for the detect engine: - time of the last reload - number of rules loaded - number of rules failed --- src/detect-engine.c | 1 + src/detect.c | 19 +++++++++---------- src/detect.h | 23 +++++++++++++++-------- src/suricata.c | 1 + 4 files changed, 26 insertions(+), 18 deletions(-) diff --git a/src/detect-engine.c b/src/detect-engine.c index 77d9b09fee..3bd758b0ab 100644 --- a/src/detect-engine.c +++ b/src/detect-engine.c @@ -1001,6 +1001,7 @@ static DetectEngineCtx *DetectEngineCtxInitReal(int minimal, const char *prefix) goto error; memset(de_ctx,0,sizeof(DetectEngineCtx)); + memset(&de_ctx->sig_stat, 0, sizeof(SigFileLoaderStat)); if (minimal) { de_ctx->minimal = 1; diff --git a/src/detect.c b/src/detect.c index c756ab2ec5..c2171483ed 100644 --- a/src/detect.c +++ b/src/detect.c @@ -453,15 +453,13 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl ConfNode *rule_files; ConfNode *file = NULL; - SigFileLoaderStat sig_stat; + SigFileLoaderStat *sig_stat = &de_ctx->sig_stat; int ret = 0; char *sfile = NULL; char varname[128] = "rule-files"; int good_sigs = 0; int bad_sigs = 0; - memset(&sig_stat, 0, sizeof(SigFileLoaderStat)); - if (strlen(de_ctx->config_prefix) > 0) { snprintf(varname, sizeof(varname), "%s.rule-files", de_ctx->config_prefix); @@ -485,7 +483,7 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl TAILQ_FOREACH(file, &rule_files->head, next) { sfile = DetectLoadCompleteSigPath(de_ctx, file->val); good_sigs = bad_sigs = 0; - ret = ProcessSigFiles(de_ctx, sfile, &sig_stat, &good_sigs, &bad_sigs); + ret = ProcessSigFiles(de_ctx, sfile, sig_stat, &good_sigs, &bad_sigs); SCFree(sfile); if (de_ctx->failure_fatal && ret != 0) { 
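Review bot: The added `memset(&de_ctx->sig_stat, 0, sizeof(SigFileLoaderStat));` in DetectEngineCtxInitReal is redundant. The `memset(de_ctx,0,sizeof(DetectEngineCtx));` on the line before it already zeroes the whole context, and the src/detect.h hunk makes `sig_stat` an embedded member of `DetectEngineCtx`. I would drop the line, or keep it only with a comment saying the explicit reset is deliberate. The function body starts and ends outside the hunk.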
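Review bot: With the local `SigFileLoaderStat` and its `memset` removed in the `@@ -453` hunk, SigLoadSignatures no longer starts from zeroed counters and relies on the context having been zeroed at creation. If the function can run more than once on the same `de_ctx` (not visible in these hunks), `total_files`, `good_sigs_total`, `bad_sigs_total` and `bad_files` accumulate across calls. The later `sig_stat->good_sigs_total <= 0` and `failure_fatal` checks would then be made against stale totals, so a load that produced no rules could be reported as healthy. Resetting at the top keeps each load self-contained: `memset(sig_stat, 0, sizeof(*sig_stat));`. The function body continues outside this hunk.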
@@ -504,7 +502,7 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl /* If a Signature file is specified from commandline, parse it too */ if (sig_file != NULL) { - ret = ProcessSigFiles(de_ctx, sig_file, &sig_stat, &good_sigs, &bad_sigs); + ret = ProcessSigFiles(de_ctx, sig_file, sig_stat, &good_sigs, &bad_sigs); if (ret != 0) { if (de_ctx->failure_fatal == 1) { @@ -518,9 +516,9 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl } /* now we should have signatures to work with */ - if (sig_stat.good_sigs_total <= 0) { - if (sig_stat.total_files > 0) { - SCLogWarning(SC_ERR_NO_RULES_LOADED, "%d rule files specified, but no rule was loaded at all!", sig_stat.total_files); + if (sig_stat->good_sigs_total <= 0) { + if (sig_stat->total_files > 0) { + SCLogWarning(SC_ERR_NO_RULES_LOADED, "%d rule files specified, but no rule was loaded at all!", sig_stat->total_files); } else { SCLogInfo("No signatures supplied."); goto end; @@ -528,10 +526,10 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl } else { /* we report the total of files and rules successfully loaded and failed */ SCLogInfo("%" PRId32 " rule files processed. %" PRId32 " rules successfully loaded, %" PRId32 " rules failed", - sig_stat.total_files, sig_stat.good_sigs_total, sig_stat.bad_sigs_total); + sig_stat->total_files, sig_stat->good_sigs_total, sig_stat->bad_sigs_total); } - if ((sig_stat.bad_sigs_total || sig_stat.bad_files) && de_ctx->failure_fatal) { + if ((sig_stat->bad_sigs_total || sig_stat->bad_files) && de_ctx->failure_fatal) { ret = -1; goto end; } @@ -549,6 +547,7 @@ int SigLoadSignatures(DetectEngineCtx *de_ctx, char *sig_file, int sig_file_excl ret = 0; end: + gettimeofday(&de_ctx->last_reload, NULL); if (RunmodeGetCurrent() == RUNMODE_ENGINE_ANALYSIS) { if (rule_engine_analysis_set) { CleanupRuleAnalyzer(); diff --git a/src/detect.h b/src/detect.h index f86b5876a2..49a7ed1e76 100644 
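Review bot: The `gettimeofday(&de_ctx->last_reload, NULL);` added under `end:` runs on every exit path, including the `ret = -1; goto end;` failure path and the "No signatures supplied." path shown in the hunks above. `last_reload` therefore records the last load attempt, not the last successful reload, and anything that uses it to confirm a ruleset update took effect would see a fresh timestamp after a failed load. Either stamp only on success, `if (ret == 0) gettimeofday(&de_ctx->last_reload, NULL);`, or state in the field comment that it is the time of the last attempt. The src/suricata.c hunk writes the same field again in PostConfLoadedDetectSetup; whether both writes hit the same context is not visible here, but if they do, one of them is redundant. SigLoadSignatures continues past the end of this hunk.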
--- a/src/detect.h +++ b/src/detect.h @@ -574,6 +574,14 @@ typedef struct ThresholdCtx_ { uint32_t th_size; } ThresholdCtx; +/** \brief Signature loader statistics */ +typedef struct SigFileLoaderStat_ { + int bad_files; + int total_files; + int good_sigs_total; + int bad_sigs_total; +} SigFileLoaderStat; + typedef struct DetectEngineThreadKeywordCtxItem_ { void *(*InitFunc)(void *); void (*FreeFunc)(void *); @@ -735,6 +743,13 @@ typedef struct DetectEngineCtx_ { * \todo we only need this at init, so perhaps this * can move to a DetectEngineCtx 'init' struct */ DetectMpmAppLayerKeyword *app_mpms; + + /** time of last ruleset reload */ + struct timeval last_reload; + + /** signatures stats */ + SigFileLoaderStat sig_stat; + } DetectEngineCtx; /* Engine groups profiles (low, medium, high, custom) */ @@ -1177,14 +1192,6 @@ typedef struct DetectEngineMasterCtx_ { int keyword_id; } DetectEngineMasterCtx; -/** \brief Signature loader statistics */ -typedef struct SigFileLoaderStat_ { - int bad_files; - int total_files; - int good_sigs_total; - int bad_sigs_total; -} SigFileLoaderStat; - /** Remember to add the options in SignatureIsIPOnly() at detect.c otherwise it wont be part of a signature group */ enum { diff --git a/src/suricata.c b/src/suricata.c index 136eb2ebaa..d3fea4bab6 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -2554,6 +2554,7 @@ static void PostConfLoadedDetectSetup(SCInstance *suri) } } + gettimeofday(&de_ctx->last_reload, NULL); DetectEngineAddToMaster(de_ctx); DetectEngineBumpVersion(); } else { -- 2.47.2
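Review bot: The two fields added to `DetectEngineCtx` in the `@@ -735` hunk are documented too thinly for values the commit message says are meant as engine stats. `last_reload` is wall-clock time from gettimeofday(), so it can jump when the system clock is adjusted, and `sig_stat` holds the counters that SigLoadSignatures fills for this context; neither is stated. I would write `/** wall-clock time (gettimeofday) at which rule loading for this context last finished */` and `/** rule loader counters for this context, filled by SigLoadSignatures() */`. The moved `SigFileLoaderStat` members would also benefit from a one-line comment each saying what is counted.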