1 /* Copyright (C) 2016-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "suricata.h"
27 #include "detect.h"
28 #include "detect-parse.h"
29 #include "detect-content.h"
30 #include "output-json.h"
31 #include "util-buffer.h"
32 #include "util-print.h"
33 #include "detect-engine-profile.h"
34 
35 #ifdef PROFILING
37 
39  const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt,
40  const uint32_t pkt_prefilter_cnt)
41 {
     /* Build one EVE "inspectedrules" record (inspect_type "tx") listing the
      * rule candidates evaluated for transaction tx_id of packet p, and append
      * it to <log-dir>/packet_inspected_rules.json. Compiled only under
      * PROFILING: a debug/profiling aid, so every failure below is silent.
      *
      * det_ctx           per-thread detection context; reads
      *                   tx_candidates[0..rule_cnt), non_pf_store_cnt and
      *                   de_ctx->sig_array (internal id -> Signature).
      * sgh               rule group whose id is logged as rule_group_id.
      * p                 the packet; p->flow is dereferenced unconditionally.
      * tx_id             transaction id placed in the EVE header.
      * rule_cnt          number of valid entries in det_ctx->tx_candidates.
      * pkt_prefilter_cnt packet-level prefilter count, logged as pkt_rule_cnt.
      */
42  JsonBuilder *js =
43  CreateEveHeaderWithTxId(p, LOG_DIR_PACKET, "inspectedrules", NULL, tx_id, NULL);
44  if (js == NULL)
45  return;
46 
     /* NOTE(review): p->flow is not NULL-checked here, unlike the packet
      * variant RulesDumpMatchArray, which guards the same call with
      * `if (p->flow)`. A transaction presumably implies a flow, so this is
      * likely safe — confirm against the caller, or add the same guard. */
47  jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
48 
49  jb_open_object(js, "inspectedrules");
50  jb_set_string(js, "inspect_type", "tx");
51  jb_set_uint(js, "rule_group_id", sgh->id);
52  jb_set_uint(js, "rule_cnt", rule_cnt);
53  jb_set_uint(js, "pkt_rule_cnt", pkt_prefilter_cnt);
54  jb_set_uint(js, "non_pf_rule_cnt", det_ctx->non_pf_store_cnt);
55 
     /* tx_candidates holds internal ids (SigIntId); sig_array resolves them to
      * Signature objects. NULL slots are skipped, not logged. There is no
      * bounds check of iid against sig_array — this relies on the engine
      * keeping rule_cnt/tx_candidates consistent (engine-internal state,
      * presumably not attacker-influenced). */
56  jb_open_array(js, "rules");
57  for (uint32_t x = 0; x < rule_cnt; x++) {
58  SigIntId iid = det_ctx->tx_candidates[x].id;
59  const Signature *s = det_ctx->de_ctx->sig_array[iid];
60  if (s == NULL)
61  continue;
62  jb_append_uint(js, s->id);  /* user-visible sid, not the internal id */
63  }
64  jb_close(js); // close array
65  jb_close(js); // close inspectedrules object
66  jb_close(js); // final close
67 
     /* Path is <log-dir>/packet_inspected_rules.json. The snprintf result is
      * not checked: a log directory long enough to overflow PATH_MAX would
      * silently truncate the path and the record would be appended to the
      * wrong file. Reviewer suggestion: capture the return value and skip
      * the write when `ret < 0 || (size_t)ret >= sizeof(log_path)`.
      * Also assumes ConfigGetLogDirectory() never returns NULL (passing NULL
      * to %s is undefined behavior) — confirm. This path-building and write
      * sequence is duplicated verbatim in RulesDumpMatchArray below; a small
      * static helper would remove the duplication. */
68  const char *filename = "packet_inspected_rules.json";
69  const char *log_dir = ConfigGetLogDirectory();
70  char log_path[PATH_MAX] = "";
71  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
72 
     /* Append-mode open of a fixed path; the file is re-opened on every call.
      * fwrite()/fclose() results are ignored, so a short write or disk-full
      * is lost silently — tolerable for a profiling dump, but fclose() is
      * where buffered write errors surface. fopen() follows symlinks; this
      * relies on the log directory being writable only by Suricata's own
      * user — a deployment assumption, not something enforced here.
      * NOTE(review): the file declares a global `SCMutex g_rule_dump_write_m`
      * (line 36) and uses SCMutexLock/SCMutexUnlock, presumably bracketing
      * this open/write/close so records from concurrent detect threads do not
      * interleave; those calls are not visible in this rendering — verify
      * they are present around the block below. */
74  FILE *fp = fopen(log_path, "a");
75  if (fp != NULL) {
76  fwrite(jb_ptr(js), jb_len(js), 1, fp);
77  fclose(fp);
78  }
80  jb_free(js);  /* js is owned here; released on every path after creation */
81 }
82 
84  const SigGroupHead *sgh, const Packet *p)
85 {
     /* Build one EVE "inspectedrules" record (inspect_type "packet") listing
      * the packet-level match array for packet p, and append it to
      * <log-dir>/packet_inspected_rules.json. Compiled only under PROFILING:
      * a debug/profiling aid, so every failure below is silent.
      *
      * det_ctx per-thread detection context; reads match_array[0..
      *         match_array_cnt) and non_pf_store_cnt.
      * sgh     rule group whose id is logged as rule_group_id.
      * p       the packet; p->flow may be NULL and is guarded below.
      */
86  JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "inspectedrules", NULL, NULL);
87  if (js == NULL)
88  return;
89 
     /* Flowless packets carry no app_proto field at all (the key is omitted,
      * not emitted as "unknown"). */
90  if (p->flow) {
91  jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
92  }
93 
94  jb_open_object(js, "inspectedrules");
95  jb_set_string(js, "inspect_type", "packet");
96  jb_set_uint(js, "rule_group_id", sgh->id);
97  jb_set_uint(js, "rule_cnt", det_ctx->match_array_cnt);
98  jb_set_uint(js, "non_pf_rule_cnt", det_ctx->non_pf_store_cnt);
99 
     /* match_array already holds Signature pointers (no id lookup needed,
      * unlike the tx variant). NULL slots are skipped, so the "rules" array
      * may be shorter than the logged rule_cnt. */
100  jb_open_array(js, "rules");
101  for (uint32_t x = 0; x < det_ctx->match_array_cnt; x++) {
102  const Signature *s = det_ctx->match_array[x];
103  if (s == NULL)
104  continue;
105  jb_append_uint(js, s->id);  /* user-visible sid */
106 
107  }
108  jb_close(js); // close array
109  jb_close(js); // close inspectedrules object
110  jb_close(js); // final close
111 
     /* Path is <log-dir>/packet_inspected_rules.json. The snprintf result is
      * not checked: a log directory long enough to overflow PATH_MAX would
      * silently truncate the path. Reviewer suggestion: capture the return
      * value and skip the write when `ret < 0 || (size_t)ret >= sizeof(log_path)`.
      * Also assumes ConfigGetLogDirectory() never returns NULL — confirm.
      * Identical to the sequence in RulesDumpTxMatchArray; a static helper
      * would keep the two in sync. */
112  const char *filename = "packet_inspected_rules.json";
113  const char *log_dir = ConfigGetLogDirectory();
114  char log_path[PATH_MAX] = "";
115  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
116 
     /* Append-mode open of a fixed path, re-opened per call; fwrite()/fclose()
      * results are ignored, so write errors are lost silently (acceptable for
      * a profiling dump). fopen() follows symlinks, so this trusts the log
      * directory to be writable only by Suricata's own user.
      * NOTE(review): the file declares a global `SCMutex g_rule_dump_write_m`
      * (line 36) and uses SCMutexLock/SCMutexUnlock, presumably serializing
      * this open/write/close across detect threads; the calls are not visible
      * in this rendering — verify they bracket the block below. */
118  FILE *fp = fopen(log_path, "a");
119  if (fp != NULL) {
120  fwrite(jb_ptr(js), jb_len(js), 1, fp);
121  fclose(fp);
122  }
124  jb_free(js);  /* released on every path after creation */
125 }
126 #endif /* PROFILING */