1 /* Copyright (C) 2016-2021 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "detect-engine-profile.h"
27 
28 #ifdef PROFILING
29 #include "output-json.h"
30 #include "util-conf.h"
31 
33 
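/** Serialises appends to the shared dump file across detect threads. */
SCMutex g_rule_dump_write_m = SCMUTEX_INITIALIZER;

/**
 * \brief Append a JSON record of the rules inspected for one transaction
 *        to "packet_inspected_rules.json" in the configured log directory.
 *
 * Profiling aid (compiled only with PROFILING). The record carries the EVE
 * header for \p p / \p tx_id, the flow's app-layer protocol (when a flow is
 * attached), the rule group id and counters, and the ids of the first
 * \p rule_cnt candidate signatures in det_ctx->tx_candidates.
 *
 * \param det_ctx            detect thread context holding the candidate list
 * \param sgh                rule group the candidates were taken from
 * \param p                  packet being inspected
 * \param tx_id              transaction id the candidates belong to
 * \param rule_cnt           number of entries of det_ctx->tx_candidates to log
 * \param pkt_prefilter_cnt  number of rules selected by the packet prefilter
 *
 * Best effort: a path that does not fit PATH_MAX, or a file that cannot be
 * opened or written, makes the record be dropped; nothing is reported so
 * profiling never disturbs detection.
 */
void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh,
        const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt,
        const uint32_t pkt_prefilter_cnt)
{
    JsonBuilder *js =
            CreateEveHeaderWithTxId(p, LOG_DIR_PACKET, "inspectedrules", NULL, tx_id, NULL);
    if (js == NULL)
        return;

    /* tx inspection normally implies a flow; guard anyway, as the packet
     * variant does, so a flow-less packet cannot crash the profiler */
    if (p->flow) {
        jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
    }

    jb_open_object(js, "inspectedrules");
    jb_set_string(js, "inspect_type", "tx");
    jb_set_uint(js, "rule_group_id", sgh->id);
    jb_set_uint(js, "rule_cnt", rule_cnt);
    jb_set_uint(js, "pkt_rule_cnt", pkt_prefilter_cnt);
    jb_set_uint(js, "non_pf_rule_cnt", det_ctx->non_pf_store_cnt);

    jb_open_array(js, "rules");
    for (uint32_t x = 0; x < rule_cnt; x++) {
        SigIntId iid = det_ctx->tx_candidates[x].id;
        const Signature *s = det_ctx->de_ctx->sig_array[iid];
        if (s == NULL)
            continue;
        jb_append_uint(js, s->id);
    }
    jb_close(js); // close array
    jb_close(js); // close inspectedrules object
    jb_close(js); // final close

    const char *filename = "packet_inspected_rules.json";
    const char *log_dir = ConfigGetLogDirectory();
    char log_path[PATH_MAX] = "";
    /* a truncated path would append the dump to an unintended file,
     * so drop the record rather than use it */
    int plen = snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
    if (plen < 0 || (size_t)plen >= sizeof(log_path)) {
        jb_free(js);
        return;
    }

    /* several detect threads append to the same file; serialise the
     * open/write/close so records are not interleaved */
    SCMutexLock(&g_rule_dump_write_m);
    FILE *fp = fopen(log_path, "a");
    if (fp != NULL) {
        /* best effort: a short write or a failed close is deliberately
         * not reported */
        (void)fwrite(jb_ptr(js), jb_len(js), 1, fp);
        (void)fclose(fp);
    }
    SCMutexUnlock(&g_rule_dump_write_m);
    jb_free(js);
}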
78 
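/**
 * \brief Append a JSON record of the rules inspected for one packet to
 *        "packet_inspected_rules.json" in the configured log directory.
 *
 * Profiling aid (compiled only with PROFILING). The record carries the EVE
 * header for \p p, the flow's app-layer protocol when a flow is attached,
 * the rule group id and counters, and the ids of the signatures currently
 * in det_ctx->match_array.
 *
 * \param det_ctx  detect thread context holding match_array / match_array_cnt
 * \param sgh      rule group the matches were taken from
 * \param p        packet being inspected
 *
 * Best effort: a path that does not fit PATH_MAX, or a file that cannot be
 * opened or written, makes the record be dropped; nothing is reported so
 * profiling never disturbs detection.
 */
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
        const SigGroupHead *sgh, const Packet *p)
{
    JsonBuilder *js = CreateEveHeader(p, LOG_DIR_PACKET, "inspectedrules", NULL, NULL);
    if (js == NULL)
        return;

    /* packet-only inspection may run without a flow */
    if (p->flow) {
        jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
    }

    jb_open_object(js, "inspectedrules");
    jb_set_string(js, "inspect_type", "packet");
    jb_set_uint(js, "rule_group_id", sgh->id);
    jb_set_uint(js, "rule_cnt", det_ctx->match_array_cnt);
    jb_set_uint(js, "non_pf_rule_cnt", det_ctx->non_pf_store_cnt);

    jb_open_array(js, "rules");
    for (uint32_t x = 0; x < det_ctx->match_array_cnt; x++) {
        const Signature *s = det_ctx->match_array[x];
        if (s == NULL)
            continue;
        jb_append_uint(js, s->id);
    }
    jb_close(js); // close array
    jb_close(js); // close inspectedrules object
    jb_close(js); // final close

    const char *filename = "packet_inspected_rules.json";
    const char *log_dir = ConfigGetLogDirectory();
    char log_path[PATH_MAX] = "";
    /* a truncated path would append the dump to an unintended file,
     * so drop the record rather than use it */
    int plen = snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
    if (plen < 0 || (size_t)plen >= sizeof(log_path)) {
        jb_free(js);
        return;
    }

    /* several detect threads append to the same file; serialise the
     * open/write/close so records are not interleaved */
    SCMutexLock(&g_rule_dump_write_m);
    FILE *fp = fopen(log_path, "a");
    if (fp != NULL) {
        /* best effort: a short write or a failed close is deliberately
         * not reported */
        (void)fwrite(jb_ptr(js), jb_len(js), 1, fp);
        (void)fclose(fp);
    }
    SCMutexUnlock(&g_rule_dump_write_m);
    jb_free(js);
}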
122 #endif /* PROFILING */
RulesDumpTxMatchArray
void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt, const uint32_t pkt_prefilter_cnt)
Definition: detect-engine-profile.c:34
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1117
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1392
g_rule_dump_write_m
SCMutex g_rule_dump_write_m
Definition: detect-engine-profile.c:32
AppProtoToString
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
Definition: app-layer-protos.c:30
RuleMatchCandidateTx::id
SigIntId id
Definition: detect.h:1008
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
DetectEngineThreadCtx_::tx_candidates
RuleMatchCandidateTx * tx_candidates
Definition: detect.h:1119
DetectEngineThreadCtx_
Definition: detect.h:1024
output-json.h
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
CreateEveHeader
JsonBuilder * CreateEveHeader(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, OutputJsonCtx *eve_ctx)
Definition: output-json.c:796
detect-engine-profile.h
CreateEveHeaderWithTxId
JsonBuilder * CreateEveHeaderWithTxId(const Packet *p, enum OutputJsonLogDirection dir, const char *event_type, JsonAddrInfo *addr, uint64_t tx_id, OutputJsonCtx *eve_ctx)
Definition: output-json.c:879
Packet_
Definition: decode.h:428
RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
Definition: detect-engine-profile.c:79
util-conf.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:465
LOG_DIR_PACKET
@ LOG_DIR_PACKET
Definition: output-json.h:39
suricata-common.h
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:37
DetectEngineThreadCtx_::non_pf_store_cnt
uint32_t non_pf_store_cnt
Definition: detect.h:1123
Signature_::id
uint32_t id
Definition: detect.h:573
Signature_
Signature container.
Definition: detect.h:539
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition: detect.h:1156
DetectEngineCtx_::sig_array
Signature ** sig_array
Definition: detect.h:799
SigIntId
#define SigIntId
Definition: suricata-common.h:304
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:463
SCMutex
#define SCMutex
Definition: threads-debug.h:114
SigGroupHead_::id
uint32_t id
Definition: detect.h:1407
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1112