suricata
detect-engine-profile.c
Go to the documentation of this file.
1 /* Copyright (C) 2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "suricata.h"
27 #include "detect.h"
28 #include "detect-parse.h"
29 #include "detect-content.h"
30 #include "output-json.h"
31 #include "util-buffer.h"
32 #include "util-print.h"
33 #include "detect-engine-profile.h"
34 
35 #ifdef PROFILING
36 #if 0
37 static void DumpFp(const SigMatch *sm, char *pat_orig, uint32_t pat_orig_sz, char *pat_chop, uint32_t pat_chop_sz)
38 {
39  int fast_pattern_chop_set = 0;
40  const DetectContentData *cd = (DetectContentData *)sm->ctx;
41 
42  if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
43  if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
44  fast_pattern_chop_set = 1;
45  }
46  }
47 
48  uint32_t off = 0;
49  PrintRawUriBuf(pat_orig, &off, pat_orig_sz, cd->content, cd->content_len);
50 
51  if (fast_pattern_chop_set) {
52  off = 0;
53  PrintRawUriBuf(pat_chop, &off, pat_chop_sz, cd->content + cd->fp_chop_offset, cd->fp_chop_len);
54  }
55 }
56 #endif
57 
58 SCMutex g_rule_dump_write_m = SCMUTEX_INITIALIZER;
59 void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
60  const SigGroupHead *sgh, const Packet *p)
61 {
62  json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "inspectedrules");
63  if (js == NULL)
64  return;
65  json_t *ir = json_object();
66  if (ir == NULL)
67  return;
68 
69  json_object_set_new(ir, "rule_group_id", json_integer(sgh->id));
70  json_object_set_new(ir, "rule_cnt", json_integer(det_ctx->match_array_cnt));
71 
72  json_t *js_array = json_array();
73  uint32_t x;
74  for (x = 0; x < det_ctx->match_array_cnt; x++)
75  {
76  const Signature *s = det_ctx->match_array[x];
77  if (s == NULL)
78  continue;
79 
80  json_t *js_sig = json_object();
81  if (unlikely(js_sig == NULL))
82  continue;
83  json_object_set_new(js_sig, "sig_id", json_integer(s->id));
84 #if 0
85  json_object_set_new(js_sig, "mpm", (s->mpm_sm != NULL) ? json_true() : json_false());
86 
87  if (s->mpm_sm != NULL) {
88  char orig[256] = "";
89  char chop[256] = "";
90 
91  DumpFp(s->mpm_sm, orig, sizeof(orig), chop, sizeof(chop));
92 
93  json_object_set_new(js_sig, "mpm_buffer", json_string(DetectListToHumanString(SigMatchListSMBelongsTo(s, s->mpm_sm))));
94  json_object_set_new(js_sig, "mpm_pattern", json_string(orig));
95 
96  if (strlen(chop) > 0) {
97  json_object_set_new(js_sig, "mpm_pattern_chop", json_string(chop));
98  }
99  }
100 #endif
101  json_array_append_new(js_array, js_sig);
102  }
103 
104  json_object_set_new(ir, "rules", js_array);
105  json_object_set_new(js, "inspectedrules", ir);
106 
107  const char *filename = "packet_inspected_rules.json";
108  const char *log_dir = ConfigGetLogDirectory();
109  char log_path[PATH_MAX] = "";
110  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
111 
112  MemBuffer *mbuf = NULL;
113  mbuf = MemBufferCreateNew(4096);
114  BUG_ON(mbuf == NULL);
115 
116  OutputJSONMemBufferWrapper wrapper = {
117  .buffer = &mbuf,
118  .expand_by = 4096,
119  };
120 
121  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
122  JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
123  JSON_ESCAPE_SLASH);
124  if (r != 0) {
125  SCLogWarning(SC_ERR_SOCKET, "unable to serialize JSON object");
126  } else {
127  MemBufferWriteString(mbuf, "\n");
128  SCMutexLock(&g_rule_dump_write_m);
129  FILE *fp = fopen(log_path, "a");
130  if (fp != NULL) {
131  MemBufferPrintToFPAsString(mbuf, fp);
132  fclose(fp);
133  }
134  SCMutexUnlock(&g_rule_dump_write_m);
135  }
136 
137  MemBufferFree(mbuf);
138  json_object_clear(js);
139  json_decref(js);
140 }
141 #endif /* PROFILING */
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
SCMutex
#define SCMutex
Definition: threads-debug.h:114
CreateJSONHeader
json_t * CreateJSONHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type)
Definition: output-json.c:710
detect-content.h
MemBufferWriteString
#define MemBufferWriteString(dst,...)
Write a string buffer to the Membuffer dst.
Definition: util-buffer.h:162
RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
Definition: detect-engine-profile.c:59
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:265
Signature_::id
uint32_t id
Definition: detect.h:555
OutputJSONMemBufferWrapper_::buffer
MemBuffer ** buffer
Definition: output-json.h:48
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1336
Signature_
Signature container.
Definition: detect.h:522
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
SigGroupHead_::id
uint32_t id
Definition: detect.h:1354
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
DetectContentData_::fp_chop_len
uint16_t fp_chop_len
Definition: detect-content.h:91
MemBufferPrintToFPAsString
#define MemBufferPrintToFPAsString(mem_buffer, fp)
Write a buffer to the file pointer as a printable char string.
Definition: util-buffer.h:93
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1088
Packet_
Definition: decode.h:407
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
DetectContentData_
Definition: detect-content.h:86
OutputJSONMemBufferCallback
int OutputJSONMemBufferCallback(const char *str, size_t size, void *data)
Definition: output-json.c:796
PrintRawUriBuf
void PrintRawUriBuf(char *retbuf, uint32_t *offset, uint32_t retbuflen, uint8_t *buf, uint32_t buflen)
Definition: util-print.c:118
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:321
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36
JSON_ESCAPE_SLASH
#define JSON_ESCAPE_SLASH
Definition: suricata-common.h:241
DetectContentData_::fp_chop_offset
uint16_t fp_chop_offset
Definition: detect-content.h:93
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1083
DetectListToHumanString
const char * DetectListToHumanString(int list)
Definition: detect-parse.c:111
OutputJSONMemBufferWrapper_
Definition: output-json.h:47
DETECT_CONTENT_FAST_PATTERN_CHOP
#define DETECT_CONTENT_FAST_PATTERN_CHOP
Definition: detect-content.h:36
g_rule_dump_write_m
SCMutex g_rule_dump_write_m
Definition: detect-engine-profile.c:58
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectEngineThreadCtx_
Definition: detect.h:1003
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:619
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
MemBuffer_
Definition: util-buffer.h:27
SigMatch_
a single match condition for a signature
Definition: detect.h:318
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82