detect-engine-profile_8c_source.html

 /* Copyright (C) 2016 Open Information Security Foundation
  *
  * You can copy, redistribute or modify this Program under the terms of
  * the GNU General Public License version 2 as published by the Free
  * Software Foundation.
  *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
  * version 2 along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  * 02110-1301, USA.
  */

 /**
  * \file
  *
  * \author Victor Julien <victor@inliniac.net>
  *
  */

 #include "suricata-common.h"
 #include "suricata.h"
 #include "detect.h"
 #include "detect-parse.h"
 #include "detect-content.h"
 #include "output-json.h"
 #include "util-buffer.h"
 #include "util-print.h"
 #include "detect-engine-profile.h"

 #ifdef PROFILING
 #ifdef HAVE_LIBJANSSON
 #if 0
 static void DumpFp(const SigMatch *sm, char *pat_orig, uint32_t pat_orig_sz, char *pat_chop, uint32_t pat_chop_sz)
 {
     int fast_pattern_chop_set = 0;
     const DetectContentData *cd = (DetectContentData *)sm->ctx;

     if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
         if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
             fast_pattern_chop_set = 1;
         }
     }

     uint32_t off = 0;
     PrintRawUriBuf(pat_orig, &off, pat_orig_sz, cd->content, cd->content_len);

     if (fast_pattern_chop_set) {
         off = 0;
         PrintRawUriBuf(pat_chop, &off, pat_chop_sz, cd->content + cd->fp_chop_offset, cd->fp_chop_len);
     }
 }
 #endif

 SCMutex g_rule_dump_write_m = SCMUTEX_INITIALIZER;
 void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
         const SigGroupHead *sgh, const Packet *p)
 {
     json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "inspectedrules");
     if (js == NULL)
         return;
     json_t *ir = json_object();
     if (ir == NULL)
         return;

     json_object_set_new(ir, "rule_group_id", json_integer(sgh->id));
     json_object_set_new(ir, "rule_cnt", json_integer(det_ctx->match_array_cnt));

     json_t *js_array = json_array();
     uint32_t x;
     for (x = 0; x < det_ctx->match_array_cnt; x++)
     {
         const Signature *s = det_ctx->match_array[x];
         if (s == NULL)
             continue;

         json_t *js_sig = json_object();
         if (unlikely(js_sig == NULL))
             continue;
         json_object_set_new(js_sig, "sig_id", json_integer(s->id));
 #if 0
         json_object_set_new(js_sig, "mpm", (s->mpm_sm != NULL) ? json_true() : json_false());

         if (s->mpm_sm != NULL) {
             char orig[256] = "";
             char chop[256] = "";

             DumpFp(s->mpm_sm, orig, sizeof(orig), chop, sizeof(chop));

             json_object_set_new(js_sig, "mpm_buffer", json_string(DetectListToHumanString(SigMatchListSMBelongsTo(s, s->mpm_sm))));
             json_object_set_new(js_sig, "mpm_pattern", json_string(orig));

             if (strlen(chop) > 0) {
                 json_object_set_new(js_sig, "mpm_pattern_chop", json_string(chop));
             }
         }
 #endif
         json_array_append_new(js_array, js_sig);
     }

     json_object_set_new(ir, "rules", js_array);
     json_object_set_new(js, "inspectedrules", ir);

     const char *filename = "packet_inspected_rules.json";
     const char *log_dir = ConfigGetLogDirectory();
     char log_path[PATH_MAX] = "";
     snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);

     MemBuffer *mbuf = NULL;
     mbuf = MemBufferCreateNew(4096);
     BUG_ON(mbuf == NULL);

     OutputJSONMemBufferWrapper wrapper = {
         .buffer = &mbuf,
         .expand_by = 4096,
     };

     int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
             JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
             JSON_ESCAPE_SLASH);
     if (r != 0) {
         SCLogWarning(SC_ERR_SOCKET, "unable to serialize JSON object");
     } else {
         MemBufferWriteString(mbuf, "\n");
         SCMutexLock(&g_rule_dump_write_m);
         FILE *fp = fopen(log_path, "a");
         if (fp != NULL) {
             MemBufferPrintToFPAsString(mbuf, fp);
             fclose(fp);
         }
         SCMutexUnlock(&g_rule_dump_write_m);
     }

     MemBufferFree(mbuf);
     json_object_clear(js);
     json_decref(js);
 }
 #endif /* HAVE_LIBJANSSON */
 #endif /* PROFILING */
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32

SCMutex
#define SCMutex
Definition: threads-debug.h:114

detect-content.h

detect-engine-profile.h

MemBufferWriteString
#define MemBufferWriteString(dst,...)
Write a string buffer to the Membuffer dst.
Definition: util-buffer.h:162

BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:267

Signature_::id
uint32_t id
Definition: detect.h:528

DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34

unlikely
#define unlikely(expr)
Definition: util-optimize.h:35

SC_ERR_SOCKET
Definition: util-error.h:232

suricata.h

RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)

SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1298

output-json.h

Signature_
Signature container.
Definition: detect.h:495

SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117

SigGroupHead_::id
uint32_t id
Definition: detect.h:1316

SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119

SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121

DetectContentData_::fp_chop_len
uint16_t fp_chop_len
Definition: detect-content.h:91

MemBufferPrintToFPAsString
#define MemBufferPrintToFPAsString(mem_buffer, fp)
Write a buffer to the file pointer as a printable char string.
Definition: util-buffer.h:93

suricata-common.h

DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1050

util-print.h

Packet_
Definition: decode.h:405

DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88

SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281

DetectContentData_
Definition: detect-content.h:86

PrintRawUriBuf
void PrintRawUriBuf(char *retbuf, uint32_t *offset, uint32_t retbuflen, uint8_t *buf, uint32_t buflen)
Definition: util-print.c:118

SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:325

ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36

detect-parse.h

DetectContentData_::fp_chop_offset
uint16_t fp_chop_offset
Definition: detect-content.h:93

DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1045

DetectListToHumanString
const char * DetectListToHumanString(int list)
Definition: detect-parse.c:111

DETECT_CONTENT_FAST_PATTERN_CHOP
#define DETECT_CONTENT_FAST_PATTERN_CHOP
Definition: detect-content.h:36

DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87

DetectEngineThreadCtx_
Definition: detect.h:965

SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:561

DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97

MemBuffer_
Definition: util-buffer.h:27

SigMatch_
a single match condition for a signature
Definition: detect.h:322

MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82

util-buffer.h

detect.h