From 8616c90fe7573815137a1dbc7fdfeded95f2b38f Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 5 Apr 2022 16:54:29 -0300
Subject: [PATCH] detect/stats: log out total of discarded alerts

Add a counter to our stats log with the total of alerts that have been discarded due to packet alert queue overflow.

Task #5179
---
 src/decode.h | 2 ++
 src/detect-engine-alert.c | 4 ++++
 src/detect-engine.c | 1 +
 src/detect.c | 4 ++++
 src/detect.h | 2 ++
 5 files changed, 13 insertions(+)

diff --git a/src/decode.h b/src/decode.h
index a8d4075ab6..725a99cc56 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -304,6 +304,7 @@ extern uint16_t packet_alert_max;
 typedef struct PacketAlerts_ {
 uint16_t cnt;
+ uint16_t discarded;
 PacketAlert *alerts;
 /* single pa used when we're dropping,
 * so we can log it out in the drop log. */
@@ -839,6 +840,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
 (p)->BypassPacketsFlow = NULL; \
 (p)->pktlen = 0; \
 (p)->alerts.cnt = 0; \
+ (p)->alerts.discarded = 0; \
 (p)->alerts.drop.action = 0; \
 (p)->pcap_cnt = 0; \
 (p)->tunnel_rtv_cnt = 0; \
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index a77a5554b2..45495b667d 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -269,6 +269,7 @@ void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet
 /* we must grow the alert queue */
 if (pos == AlertQueueExpand(det_ctx)) {
 /* this means we failed to expand the queue */
+ det_ctx->p->alerts.discarded++;
 return;
 }
 }
@@ -370,6 +371,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 /* Thresholding removes this alert */
 if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
 /* we will not copy this to the AlertQueue */
+ p->alerts.discarded++;
 } else if (p->alerts.cnt < packet_alert_max) {
 p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
 SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
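Review bot: The new `discarded` field in PacketAlerts_ carries no comment, while the neighbouring `alerts` field documents its role, so a reader of the header cannot tell what is counted, that it is per-packet, or that it is zeroed by the macro in the next hunk. Suggest `uint16_t discarded; /**< alerts not copied into `alerts` for this packet (queue full or suppressed); reset on packet reinit */`. Being `uint16_t` like `cnt`, it would wrap silently if more than 65535 alerts were dropped for a single packet; if that is unreachable by construction, saying so in the comment would settle the question for the next reader.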
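Review bot: The increment added after `/* this means we failed to expand the queue */` reaches the packet through `det_ctx->p`, while the function's signature in the hunk header (cut off at `Packet`) appears to take a packet parameter directly; if that parameter is the packet being processed, `p->alerts.discarded++;` counts against the same object without depending on `det_ctx->p` having been set by the caller. Whether `det_ctx->p` is always populated at this point, for example when unit tests call AlertQueueAppend on its own, is not visible from the hunk. The body of AlertQueueAppend starts and ends outside the hunk.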
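Review bot: The increment added after `/* we will not copy this to the AlertQueue */` counts alerts removed by thresholding or flagged SIG_FLAG_NOALERT, yet the value feeds the counter registered as `detect.alert_queue_overflow` in the detect-engine.c hunk and described in the commit message as queue overflow. Only the `else` branch added in the following hunk, taken when `p->alerts.cnt` has reached `packet_alert_max`, is an overflow; threshold suppression is configured behaviour, so an operator watching this stat would be led to raise `packet_alert_max` when nothing overflowed. Either drop this increment, or rename the counter to something like `detect.alert_discarded` and document that it also includes suppressed alerts. The loop in PacketAlertFinalize starts and ends outside the hunk.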
@@ -380,6 +382,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
 break;
 }
 p->alerts.cnt++;
+ } else {
+ p->alerts.discarded++;
 }
 i++;
 }
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 97ebe76a05..d6018b1747 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -3173,6 +3173,7 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
 /** alert counter setup */
 det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
+ det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
 #ifdef PROFILING
 det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
 det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
diff --git a/src/detect.c b/src/detect.c
index 3feac39f3b..4946b75e67 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -828,6 +828,7 @@ static DetectRunScratchpad DetectRunSetup(
 #ifdef UNITTESTS
 p->alerts.cnt = 0;
+ p->alerts.discarded = 0;
 #endif
 det_ctx->filestore_cnt = 0;
 det_ctx->base64_decoded_len = 0;
@@ -936,6 +937,9 @@ static inline void DetectRunPostRules(
 if (p->alerts.cnt > 0) {
 StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
 }
+ if (p->alerts.discarded > 0) {
+ StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
+ }
 PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
 }
diff --git a/src/detect.h b/src/detect.h
index 967e0b63fc..42e2fbdccb 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1094,6 +1094,8 @@ typedef struct DetectEngineThreadCtx_ {
 /** id for alert counter */
 uint16_t counter_alerts;
+ /** id for discarded alerts counter**/
+ uint16_t counter_alerts_overflow;
 #ifdef PROFILING
 uint16_t counter_mpm_list;
 uint16_t counter_nonmpm_list;
-- 
2.47.2
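Review bot: The doc comment added in DetectEngineThreadCtx_ closes with `**/`, which does not match the form used on the line above (`/** id for alert counter */`) and reads as a typo. Suggest `/** id for the discarded-alerts counter (detect.alert_queue_overflow) */` so the field is tied to the stat name registered in detect-engine.c. The struct definition continues outside the hunk.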