suricata
detect-engine-profile.c
Go to the documentation of this file.
1 /* Copyright (C) 2016 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "suricata.h"
27 #include "detect.h"
28 #include "detect-parse.h"
29 #include "detect-content.h"
30 #include "output-json.h"
31 #include "util-buffer.h"
32 #include "util-print.h"
33 #include "detect-engine-profile.h"
34 
35 #ifdef PROFILING
36 #ifdef HAVE_LIBJANSSON
37 #if 0
38 static void DumpFp(const SigMatch *sm, char *pat_orig, uint32_t pat_orig_sz, char *pat_chop, uint32_t pat_chop_sz)
39 {
40  int fast_pattern_chop_set = 0;
41  const DetectContentData *cd = (DetectContentData *)sm->ctx;
42 
43  if (cd->flags & DETECT_CONTENT_FAST_PATTERN) {
44  if (cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) {
45  fast_pattern_chop_set = 1;
46  }
47  }
48 
49  uint32_t off = 0;
50  PrintRawUriBuf(pat_orig, &off, pat_orig_sz, cd->content, cd->content_len);
51 
52  if (fast_pattern_chop_set) {
53  off = 0;
54  PrintRawUriBuf(pat_chop, &off, pat_chop_sz, cd->content + cd->fp_chop_offset, cd->fp_chop_len);
55  }
56 }
57 #endif
58 
59 SCMutex g_rule_dump_write_m = SCMUTEX_INITIALIZER;
60 void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
61  const SigGroupHead *sgh, const Packet *p)
62 {
63  json_t *js = CreateJSONHeader(p, LOG_DIR_PACKET, "inspectedrules");
64  if (js == NULL)
65  return;
66  json_t *ir = json_object();
67  if (ir == NULL)
68  return;
69 
70  json_object_set_new(ir, "rule_group_id", json_integer(sgh->id));
71  json_object_set_new(ir, "rule_cnt", json_integer(det_ctx->match_array_cnt));
72 
73  json_t *js_array = json_array();
74  uint32_t x;
75  for (x = 0; x < det_ctx->match_array_cnt; x++)
76  {
77  const Signature *s = det_ctx->match_array[x];
78  if (s == NULL)
79  continue;
80 
81  json_t *js_sig = json_object();
82  if (unlikely(js_sig == NULL))
83  continue;
84  json_object_set_new(js_sig, "sig_id", json_integer(s->id));
85 #if 0
86  json_object_set_new(js_sig, "mpm", (s->mpm_sm != NULL) ? json_true() : json_false());
87 
88  if (s->mpm_sm != NULL) {
89  char orig[256] = "";
90  char chop[256] = "";
91 
92  DumpFp(s->mpm_sm, orig, sizeof(orig), chop, sizeof(chop));
93 
94  json_object_set_new(js_sig, "mpm_buffer", json_string(DetectListToHumanString(SigMatchListSMBelongsTo(s, s->mpm_sm))));
95  json_object_set_new(js_sig, "mpm_pattern", json_string(orig));
96 
97  if (strlen(chop) > 0) {
98  json_object_set_new(js_sig, "mpm_pattern_chop", json_string(chop));
99  }
100  }
101 #endif
102  json_array_append_new(js_array, js_sig);
103  }
104 
105  json_object_set_new(ir, "rules", js_array);
106  json_object_set_new(js, "inspectedrules", ir);
107 
108  const char *filename = "packet_inspected_rules.json";
109  const char *log_dir = ConfigGetLogDirectory();
110  char log_path[PATH_MAX] = "";
111  snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
112 
113  MemBuffer *mbuf = NULL;
114  mbuf = MemBufferCreateNew(4096);
115  BUG_ON(mbuf == NULL);
116 
117  OutputJSONMemBufferWrapper wrapper = {
118  .buffer = &mbuf,
119  .expand_by = 4096,
120  };
121 
122  int r = json_dump_callback(js, OutputJSONMemBufferCallback, &wrapper,
123  JSON_PRESERVE_ORDER|JSON_COMPACT|JSON_ENSURE_ASCII|
124  JSON_ESCAPE_SLASH);
125  if (r != 0) {
126  SCLogWarning(SC_ERR_SOCKET, "unable to serialize JSON object");
127  } else {
128  MemBufferWriteString(mbuf, "\n");
129  SCMutexLock(&g_rule_dump_write_m);
130  FILE *fp = fopen(log_path, "a");
131  if (fp != NULL) {
132  MemBufferPrintToFPAsString(mbuf, fp);
133  fclose(fp);
134  }
135  SCMutexUnlock(&g_rule_dump_write_m);
136  }
137 
138  MemBufferFree(mbuf);
139  json_object_clear(js);
140  json_decref(js);
141 }
142 #endif /* HAVE_LIBJANSSON */
143 #endif /* PROFILING */
MemBufferCreateNew
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
detect-content.h
MemBufferWriteString
#define MemBufferWriteString(dst,...)
Write a string buffer to the Membuffer dst.
Definition: util-buffer.h:162
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:267
Signature_::id
uint32_t id
Definition: detect.h:525
DETECT_CONTENT_FAST_PATTERN
#define DETECT_CONTENT_FAST_PATTERN
Definition: detect-content.h:34
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
RulesDumpMatchArray
void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, const Packet *p)
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1295
Signature_
Signature container.
Definition: detect.h:492
SigGroupHead_::id
uint32_t id
Definition: detect.h:1313
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-arch-tile.h:73
DetectContentData_::fp_chop_len
uint16_t fp_chop_len
Definition: detect-content.h:91
MemBufferPrintToFPAsString
#define MemBufferPrintToFPAsString(mem_buffer, fp)
Write a buffer to the file pointer as a printable char string.
Definition: util-buffer.h:93
DetectEngineThreadCtx_::match_array_cnt
SigIntId match_array_cnt
Definition: detect.h:1047
Packet_
Definition: decode.h:406
DetectContentData_::content_len
uint16_t content_len
Definition: detect-content.h:88
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
DetectContentData_
Definition: detect-content.h:86
PrintRawUriBuf
void PrintRawUriBuf(char *retbuf, uint32_t *offset, uint32_t retbuflen, uint8_t *buf, uint32_t buflen)
Definition: util-print.c:118
SigMatch_::ctx
SigMatchCtx * ctx
Definition: detect.h:327
ConfigGetLogDirectory
const char * ConfigGetLogDirectory()
Definition: util-conf.c:36
SCMutex
#define SCMutex
Definition: threads-arch-tile.h:55
DetectContentData_::fp_chop_offset
uint16_t fp_chop_offset
Definition: detect-content.h:93
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-arch-tile.h:64
DetectEngineThreadCtx_::match_array
Signature ** match_array
Definition: detect.h:1042
DetectListToHumanString
const char * DetectListToHumanString(int list)
Definition: detect-parse.c:111
DETECT_CONTENT_FAST_PATTERN_CHOP
#define DETECT_CONTENT_FAST_PATTERN_CHOP
Definition: detect-content.h:36
DetectContentData_::content
uint8_t * content
Definition: detect-content.h:87
DetectEngineThreadCtx_
Definition: detect.h:962
SigMatchListSMBelongsTo
int SigMatchListSMBelongsTo(const Signature *s, const SigMatch *key_sm)
Definition: detect-parse.c:555
DetectContentData_::flags
uint32_t flags
Definition: detect-content.h:97
MemBuffer_
Definition: util-buffer.h:27
SigMatch_
a single match condition for a signature
Definition: detect.h:324
MemBufferFree
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-arch-tile.h:58