suricata
detect-engine-profile.c
Go to the documentation of this file.
1 /* Copyright (C) 2016-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "suricata.h"
27 #include "detect.h"
28 #include "detect-parse.h"
29 #include "detect-content.h"
30 #include "output-json.h"
31 #include "util-buffer.h"
32 #include "util-print.h"
33 #include "detect-engine-profile.h"
34 
35 #ifdef PROFILING
36 SCMutex g_rule_dump_write_m = SCMUTEX_INITIALIZER;
37 
38 void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
39  const SigGroupHead *sgh, const Packet *p)
40 {
41  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "inspectedrules", NULL);
42  if (js == NULL)
43  return;
44 
45  jb_open_object(js, "inspectedrules");
46  jb_set_uint(js, "rule_group_id", sgh->id);
47  jb_set_uint(js, "rule_cnt", det_ctx->match_array_cnt);
48 
49  jb_open_array(js, "rules");
50  for (uint32_t x = 0; x < det_ctx->match_array_cnt; x++) {
51  const Signature *s = det_ctx->match_array[x];
52  if (s == NULL)
53  continue;
54  jb_append_uint(js, s->id);
55 
56  }
57  jb_close(js); // close array
58  jb_close(js); // close inspectedrules object
59  jb_close(js); // final close
60 
61  const char *filename = "packet_inspected_rules.json";
62  const char *log_dir = ConfigGetLogDirectory();
63  char log_path[PATH_MAX] = "";
64  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
65 
66  SCMutexLock(&g_rule_dump_write_m);
67  FILE *fp = fopen(log_path, "a");
68  if (fp != NULL) {
69  fwrite(jb_ptr(js), jb_len(js), 1, fp);
70  fclose(fp);
71  }
72  SCMutexUnlock(&g_rule_dump_write_m);
73  jb_free(js);
74 }
75 #endif /* PROFILING */
detect-content.h
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1097
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1347
g_rule_dump_write_m
SCMutex g_rule_dump_write_m
Definition: detect-engine-profile.c:36
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
DetectEngineThreadCtx_
Definition: detect.h:1010
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr)
Definition: output-json.c:846
output-json.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
util-print.h
detect.h
detect-engine-profile.h
Packet_
Definition: decode.h:414
RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
Definition: detect-engine-profile.c:38
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
suricata-common.h
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:35
Signature_::id
uint32_t id
Definition: detect.h:561
detect-parse.h
util-buffer.h
Signature_
Signature container.
Definition: detect.h:528
suricata.h
SCMutex
#define SCMutex
Definition: threads-debug.h:114
SigGroupHead_::id
uint32_t id
Definition: detect.h:1365
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1092