From 8d0b09015053e37898ffd8f56d4783035728c483 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 21 Jul 2014 21:09:06 +0200
Subject: [PATCH] engine-analysis: print fast_pattern summary

When using engine analysis for print fast_pattern stats, print a short summary at the end containing per buffer:
- smallest fp
- biggest fp
- number of patterns
- avg fp len
---
 src/detect-engine-analyzer.c | 44 ++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/src/detect-engine-analyzer.c b/src/detect-engine-analyzer.c
index 024c3c866d..291e560bee 100644
--- a/src/detect-engine-analyzer.c
+++ b/src/detect-engine-analyzer.c
@@ -27,6 +27,7 @@
 #include "suricata.h"
 #include "detect.h"
 #include "detect-parse.h"
+#include "detect-engine.h"
 #include "detect-engine-analyzer.h"
 #include "detect-engine-mpm.h"
 #include "conf.h"
@@ -42,6 +43,31 @@ static pcre *percent_re = NULL;
 static pcre_extra *percent_re_study = NULL;
 static char log_path[PATH_MAX];
+typedef struct FpPatternStats_ {
+ uint16_t min;
+ uint16_t max;
+ uint32_t cnt;
+ uint64_t tot;
+} FpPatternStats;
+
+static FpPatternStats fp_pattern_stats[DETECT_SM_LIST_MAX];
+
+static void FpPatternStatsAdd(int list, uint16_t patlen)
+{
+ FpPatternStats *f = &fp_pattern_stats[list];
+
+ if (f->min == 0)
+ f->min = patlen;
+ else if (patlen < f->min)
+ f->min = patlen;
+
+ if (patlen > f->max)
+ f->max = patlen;
+
+ f->cnt++;
+ f->tot += patlen;
+}
+
 void EngineAnalysisFP(Signature *s, char *line)
 {
 int fast_pattern_set = 0;
@@ -162,10 +188,14 @@ void EngineAnalysisFP(Signature *s, char *line)
 fprintf(fp_engine_analysis_FD, " Final content: ");
 PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
 fprintf(fp_engine_analysis_FD, "\n");
+
+ FpPatternStatsAdd(list_type, patlen);
 } else {
 fprintf(fp_engine_analysis_FD, " Final content: ");
 PrintRawUriFp(fp_engine_analysis_FD, pat, patlen);
 fprintf(fp_engine_analysis_FD, "\n");
+
+ FpPatternStatsAdd(list_type, patlen);
 }
 SCFree(pat);
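Review bot: `FpPatternStatsAdd` indexes `fp_pattern_stats[list]` with no range check, so a `list` value outside `0..DETECT_SM_LIST_MAX-1` would write past the static array. The callers in `EngineAnalysisFP` pass `list_type`, whose origin is not visible in this patch, so a guard as the first statement is cheap insurance: `if (list < 0 || list >= DETECT_SM_LIST_MAX) return;`. Using `min == 0` as the "unset" marker also means a zero-length pattern would not survive as the minimum once a longer one is added; testing `f->cnt == 0` instead avoids the sentinel.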
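Review bot: The `FpPatternStatsAdd(list_type, patlen);` call is duplicated in both arms of the `if`/`else`, next to three output lines that look identical in the visible context. Since the call does not depend on the branch, it could be made once after the closing `}` and before `SCFree(pat);`, so the statistics cannot drift if one arm is edited later. The `if` condition and the start of `EngineAnalysisFP` are outside this hunk.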
@@ -220,6 +250,7 @@ int SetupFPAnalyzer(void)
 fprintf(fp_engine_analysis_FD, "----------------------------------------------" "---------------------\n");
+ memset(&fp_pattern_stats, 0, sizeof(fp_pattern_stats));
 return 1;
 }
@@ -286,6 +317,19 @@ int SetupRuleAnalyzer(void)
 void CleanupFPAnalyzer(void)
 {
+ fprintf(fp_engine_analysis_FD, "============\n"
+ "Summary:\n============\n");
+ int i;
+ for (i = 0; i < DETECT_SM_LIST_MAX; i++) {
+ FpPatternStats *f = &fp_pattern_stats[i];
+ if (f->cnt == 0)
+ continue;
+
+ fprintf(fp_engine_analysis_FD,
+ "%s, smallest pattern %u byte(s), longest pattern %u byte(s), number of patterns %u, avg pattern len %.2f byte(s)\n",
+ DetectSigmatchListEnumToString(i), f->min, f->max, f->cnt, (float)((double)f->tot/(float)f->cnt));
+ }
+
 if (fp_engine_analysis_FD != NULL) {
 fclose(fp_engine_analysis_FD);
 fp_engine_analysis_FD = NULL;
--
2.47.2
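Review bot: The new summary code in `CleanupFPAnalyzer` writes to `fp_engine_analysis_FD` before the existing `if (fp_engine_analysis_FD != NULL)` check further down, so a NULL stream would reach `fprintf` if cleanup is ever called when the analysis file was not opened. Either move the summary inside that existing `if` block ahead of `fclose`, or add `if (fp_engine_analysis_FD == NULL) return;` as the first statement. The average is also cast three times; `(double)f->tot / f->cnt` is enough for `%.2f`. The end of the function is outside the hunk.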