From ad153d7b350be40a5a9daac2c53aa166a15d336d Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 5 Apr 2022 16:54:29 -0300
Subject: [PATCH] detect/stats: log out total of discarded alerts
Add a counter to our stats log with the total of alerts that have been discarded due to packet alert queue overflow. Also included a fix for Bug #5354 Task #5179 (cherry picked from commit 04eefa5ab8008c06c8c19e56b06774d07bab91c7)
---
src/decode.h | 139 +++++++++++++++++++-------------------
src/detect-engine-alert.c | 4 ++
src/detect-engine.c | 2 +
src/detect.c | 4 ++
src/detect.h | 2 +
5 files changed, 83 insertions(+), 68 deletions(-)
diff --git a/src/decode.h b/src/decode.h
index 60949a8203..428e7eebff 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -293,6 +293,7 @@ extern uint16_t packet_alert_max;
typedef struct PacketAlerts_ {
uint16_t cnt;
+ uint16_t discarded;
PacketAlert *alerts;
/* single pa used when we're dropping,
* so we can log it out in the drop log. */
@@ -757,74 +758,76 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
/**
* \brief Recycle a packet structure for reuse.
*/
-#define PACKET_REINIT(p) do { \
- CLEAR_ADDR(&(p)->src); \
- CLEAR_ADDR(&(p)->dst); \
- (p)->sp = 0; \
- (p)->dp = 0; \
- (p)->proto = 0; \
- (p)->recursion_level = 0; \
- PACKET_FREE_EXTDATA((p)); \
- (p)->flags = (p)->flags & PKT_ALLOC; \
- (p)->flowflags = 0; \
- (p)->pkt_src = 0; \
- (p)->vlan_id[0] = 0; \
- (p)->vlan_id[1] = 0; \
- (p)->vlan_idx = 0; \
- (p)->ts.tv_sec = 0; \
- (p)->ts.tv_usec = 0; \
- (p)->datalink = 0; \
- (p)->action = 0; \
- if ((p)->pktvar != NULL) { \
- PktVarFree((p)->pktvar); \
- (p)->pktvar = NULL; \
- } \
- (p)->ethh = NULL; \
- if ((p)->ip4h != NULL) { \
- CLEAR_IPV4_PACKET((p)); \
- } \
- if ((p)->ip6h != NULL) { \
- CLEAR_IPV6_PACKET((p)); \
- } \
- if ((p)->tcph != NULL) { \
- CLEAR_TCP_PACKET((p)); \
- } \
- if ((p)->udph != NULL) { \
- CLEAR_UDP_PACKET((p)); \
- } \
- if ((p)->sctph != NULL) { \
- CLEAR_SCTP_PACKET((p)); \
- } \
- if ((p)->icmpv4h != NULL) { \
- CLEAR_ICMPV4_PACKET((p)); \
- } \
- if ((p)->icmpv6h != NULL) { \
- CLEAR_ICMPV6_PACKET((p)); \
- } \
- (p)->ppph = NULL; \
- (p)->pppoesh = NULL; \
- (p)->pppoedh = NULL; \
- (p)->greh = NULL; \
- (p)->payload = NULL; \
- (p)->payload_len = 0; \
- (p)->BypassPacketsFlow = NULL; \
- (p)->pktlen = 0; \
- (p)->alerts.cnt = 0; \
- (p)->alerts.drop.action = 0; \
- (p)->pcap_cnt = 0; \
- (p)->tunnel_rtv_cnt = 0; \
- (p)->tunnel_tpr_cnt = 0; \
- (p)->events.cnt = 0; \
- AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
- (p)->next = NULL; \
- (p)->prev = NULL; \
- (p)->root = NULL; \
- (p)->livedev = NULL; \
- PACKET_RESET_CHECKSUMS((p)); \
- PACKET_PROFILING_RESET((p)); \
- p->tenant_id = 0; \
- p->nb_decoded_layers = 0; \
- } while (0)
+#define PACKET_REINIT(p) \
+ do { \
+ CLEAR_ADDR(&(p)->src); \
+ CLEAR_ADDR(&(p)->dst); \
+ (p)->sp = 0; \
+ (p)->dp = 0; \
+ (p)->proto = 0; \
+ (p)->recursion_level = 0; \
+ PACKET_FREE_EXTDATA((p)); \
+ (p)->flags = (p)->flags & PKT_ALLOC; \
+ (p)->flowflags = 0; \
+ (p)->pkt_src = 0; \
+ (p)->vlan_id[0] = 0; \
+ (p)->vlan_id[1] = 0; \
+ (p)->vlan_idx = 0; \
+ (p)->ts.tv_sec = 0; \
+ (p)->ts.tv_usec = 0; \
+ (p)->datalink = 0; \
+ (p)->action = 0; \
+ if ((p)->pktvar != NULL) { \
+ PktVarFree((p)->pktvar); \
+ (p)->pktvar = NULL; \
+ } \
+ (p)->ethh = NULL; \
+ if ((p)->ip4h != NULL) { \
+ CLEAR_IPV4_PACKET((p)); \
+ } \
+ if ((p)->ip6h != NULL) { \
+ CLEAR_IPV6_PACKET((p)); \
+ } \
+ if ((p)->tcph != NULL) { \
+ CLEAR_TCP_PACKET((p)); \
+ } \
+ if ((p)->udph != NULL) { \
+ CLEAR_UDP_PACKET((p)); \
+ } \
+ if ((p)->sctph != NULL) { \
+ CLEAR_SCTP_PACKET((p)); \
+ } \
+ if ((p)->icmpv4h != NULL) { \
+ CLEAR_ICMPV4_PACKET((p)); \
+ } \
+ if ((p)->icmpv6h != NULL) { \
+ CLEAR_ICMPV6_PACKET((p)); \
+ } \
+ (p)->ppph = NULL; \
+ (p)->pppoesh = NULL; \
+ (p)->pppoedh = NULL; \
+ (p)->greh = NULL; \
+ (p)->payload = NULL; \
+ (p)->payload_len = 0; \
+ (p)->BypassPacketsFlow = NULL; \
+ (p)->pktlen = 0; \
+ (p)->alerts.cnt = 0; \
+ (p)->alerts.discarded = 0; \
+ (p)->alerts.drop.action = 0; \
+ (p)->pcap_cnt = 0; \
+ (p)->tunnel_rtv_cnt = 0; \
+ (p)->tunnel_tpr_cnt = 0; \
+ (p)->events.cnt = 0; \
+ AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
+ (p)->next = NULL; \
+ (p)->prev = NULL; \
+ (p)->root = NULL; \
+ (p)->livedev = NULL; \
+ PACKET_RESET_CHECKSUMS((p)); \
+ PACKET_PROFILING_RESET((p)); \
+ p->tenant_id = 0; \
+ p->nb_decoded_layers = 0; \
+ } while (0)
#define PACKET_RECYCLE(p) do { \
PACKET_RELEASE_REFS((p)); \
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 26c9ac9338..9b1b561170 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
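Review bot: In the rewritten PACKET_REINIT body, `p->tenant_id = 0;` and `p->nb_decoded_layers = 0;` are the only two statements that use the macro argument without parentheses; every other line in the macro writes `(p)->`. Since the commit already re-emits every line of the macro through clang-format, this is the natural point to make them `(p)->tenant_id = 0;` and `(p)->nb_decoded_layers = 0;` so an argument that is an expression rather than a plain identifier expands safely. The new `(p)->alerts.discarded = 0;` is placed consistently next to the `alerts.cnt` reset, which is the right place given the field is added alongside `cnt` in the PacketAlerts_ hunk above.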
@@ -267,6 +267,7 @@ void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet
/* we must grow the alert queue */
if (pos == AlertQueueExpand(det_ctx)) {
/* this means we failed to expand the queue */
+ p->alerts.discarded++;
return;
}
}
@@ -368,6 +369,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
/* Thresholding removes this alert */
if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
/* we will not copy this to the AlertQueue */
+ p->alerts.discarded++;
} else if (p->alerts.cnt < packet_alert_max) {
p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
@@ -378,6 +380,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
break;
}
p->alerts.cnt++;
+ } else {
+ p->alerts.discarded++;
}
i++;
}
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 0d48d2a440..53e8d0c9cd 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -2910,6 +2910,8 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
/** alert counter setup */
det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
+ det_ctx->counter_alerts_overflow =
+ StatsRegisterCounter("detect.alert_queue_overflow", tv);
#ifdef PROFILING
det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);
diff --git a/src/detect.c b/src/detect.c
index 841ef778e2..d487a941ad 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -822,6 +822,7 @@ static DetectRunScratchpad DetectRunSetup(
#ifdef UNITTESTS
p->alerts.cnt = 0;
+ p->alerts.discarded = 0;
#endif
det_ctx->ticker++;
det_ctx->filestore_cnt = 0;
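Review bot: The `p->alerts.discarded++;` added in the thresholding branch of PacketAlertFinalize (hunk @@ -368) counts signatures dropped by threshold rules or flagged SIG_FLAG_NOALERT, which were never candidates for Packet::alerts, yet the only consumer of this field feeds the counter registered as `detect.alert_queue_overflow` (hunk @@ -2910), and the commit message describes it as alerts "discarded due to packet alert queue overflow". On a ruleset with many noalert or thresholded signatures that counter will climb without any overflow having happened, which makes it unreliable as the capacity signal operators would use to tune packet_alert_max. Either remove the increment from that branch so `discarded` matches its name, or give suppressed alerts their own field and stats counter, e.g. `p->alerts.suppressed++;` there. The increments in the AlertQueueExpand failure path (hunk @@ -267) and in the new `else` branch for `cnt >= packet_alert_max` (hunk @@ -378) are the genuine overflow cases and look correct; the enclosing loop of PacketAlertFinalize starts and ends outside these hunks.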
@@ -931,6 +932,9 @@ static inline void DetectRunPostRules(
if (p->alerts.cnt > 0) {
StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
}
+ if (p->alerts.discarded > 0) {
+ StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
+ }
PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
}
diff --git a/src/detect.h b/src/detect.h
index ea3c0b8ae5..ba4283c06c 100644
--- a/src/detect.h
+++ b/src/detect.h
@@ -1045,6 +1045,8 @@ typedef struct DetectEngineThreadCtx_ {
/** id for alert counter */
uint16_t counter_alerts;
+ /** id for discarded alerts counter**/
+ uint16_t counter_alerts_overflow;
#ifdef PROFILING
uint16_t counter_mpm_list;
uint16_t counter_nonmpm_list;
--
2.47.2
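Review bot: The doc comment added in the detect.h hunk, `/** id for discarded alerts counter**/`, has a second asterisk fused to the closing delimiter and lacks the space used by the neighbouring `/** id for alert counter */`; write it `/** id for discarded alerts counter */`. Since the field is named `counter_alerts_overflow` while the packet-side field it is fed from is `alerts.discarded` and the registered name is `detect.alert_queue_overflow`, the comment is also the place to tie these together for the reader, e.g. `/** id for the detect.alert_queue_overflow counter, fed from Packet::alerts.discarded */`. The DetectEngineThreadCtx_ struct begins and ends outside the hunk.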