suricata
util-flow-rate.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Shivani Bhardwaj <shivani@oisf.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "flow-storage.h"
27 #include "flow-util.h"
28 #include "flow-private.h"
29 #include "util-storage.h"
30 #include "conf.h"
31 #include "util-misc.h"
32 #include "util-byte.h"
33 #include "util-flow-rate.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 FlowStorageId g_flowrate_storage_id = { .id = -1 };
38 
39 FlowRateConfig flow_rate_config;
40 
41 static void FlowRateStoreFree(void *ptr)
42 {
43  FlowRateStore *frs = (FlowRateStore *)ptr;
44  size_t total_free = 0;
45  if (frs == NULL)
46  return;
47 
48  for (int i = 0; i < 2; i++) {
49  if (frs->dir[i].buf != NULL) {
50  SCFree(frs->dir[i].buf);
51  total_free += (frs->dir[i].size * sizeof(uint64_t));
52  }
53  }
54 
55  SCFree(frs);
56  total_free += sizeof(*frs);
57  (void)SC_ATOMIC_SUB(flow_memuse, total_free);
58 }
59 
60 void FlowRateRegisterFlowStorage(void)
61 {
62  SCConfNode *root = SCConfGetNode("flow");
63  if (root == NULL)
64  return;
65 
66  bool track_flow = false;
67  track_flow = SCConfNodeLookupChild(root, "rate-tracking") != NULL ? true : false;
68  if (!track_flow)
69  return;
70 
71  SCConfNode *node = SCConfGetNode("flow.rate-tracking");
72  const char *val = SCConfNodeLookupChildValue(node, "bytes");
73  if (val == NULL) {
74  FatalError("No value for flow tracking bytes");
75  }
76  uint64_t bytes = 0;
77  if (ParseSizeStringU64(val, &bytes) < 0) {
78  FatalError("Invalid value for flow tracking bytes");
79  }
80  flow_rate_config.bytes = bytes;
81 
82  val = SCConfNodeLookupChildValue(node, "interval");
83  if (val == NULL) {
84  FatalError("No value for flow tracking interval");
85  }
86  SCTime_t interval = SCTIME_INITIALIZER;
87  uint16_t secs = 0;
88  if ((StringParseUint16(&secs, 10, 0, val) < 0) || (secs == 0)) {
89  FatalError("Invalid value for flow tracking interval");
90  }
91  flow_rate_config.interval = SCTIME_ADD_SECS(interval, secs);
92 
93  g_flowrate_storage_id =
94  FlowStorageRegister("flowrate", sizeof(void *), NULL, FlowRateStoreFree);
95 }
96 
97 bool FlowRateStorageEnabled(void)
98 {
99  return (g_flowrate_storage_id.id != -1);
100 }
101 
102 FlowRateStore *FlowRateStoreInit(void)
103 {
104  FlowRateStore *frs = NULL;
105  size_t total_memuse = 0;
106  size_t expected_memuse = (2 * flow_rate_config.interval.secs * sizeof(uint64_t)) + sizeof(*frs);
107 
108  if (!FLOW_CHECK_MEMCAP(expected_memuse)) {
109  return NULL;
110  }
111  frs = SCCalloc(1, sizeof(*frs));
112  if (unlikely(frs == NULL)) {
113  return NULL;
114  }
115 
116  total_memuse += sizeof(*frs);
117  for (int i = 0; i < 2; i++) {
118  frs->dir[i].size = (uint16_t)flow_rate_config.interval.secs;
119  frs->dir[i].buf = SCCalloc(frs->dir[i].size, sizeof(uint64_t));
120  if (unlikely(frs->dir[i].buf == NULL)) {
121  FlowRateStoreFree(frs);
122  return NULL;
123  }
124  frs->dir[i].start_ts = SCTIME_INITIALIZER;
125  frs->dir[i].last_ts = SCTIME_INITIALIZER;
126  total_memuse += (frs->dir[i].size * sizeof(uint64_t));
127  }
128  DEBUG_VALIDATE_BUG_ON(total_memuse != expected_memuse);
129  (void)SC_ATOMIC_ADD(flow_memuse, total_memuse);
130 
131  return frs;
132 }
133 
134 FlowStorageId FlowRateGetStorageID(void)
135 {
136  return g_flowrate_storage_id;
137 }
138 
139 static inline void FlowRateClearSumInRange(
140  FlowRateStore *frs, uint16_t start, uint16_t end, int direction)
141 {
142  for (uint16_t i = start; i <= end; i++) {
143  uint64_t byte_count_at_i = frs->dir[direction].buf[i];
144  frs->dir[direction].buf[i] = 0;
145  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum < byte_count_at_i);
146  frs->dir[direction].sum -= byte_count_at_i;
147  }
148 }
149 
150 static inline void FlowRateStoreUpdateCurrentRing(
151  FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, uint16_t idx, int direction)
152 {
153  if (idx > frs->dir[direction].last_idx + 1) {
154  /* Index is not the same as last or the next so, the ring must be flushed for the items
155  * in between and sum updated */
156  FlowRateClearSumInRange(frs, frs->dir[direction].last_idx + 1, idx, direction);
157  frs->dir[direction].buf[idx] += pkt_len;
158  /* Update the total sum */
159  frs->dir[direction].sum += pkt_len;
160  } else if ((idx == frs->dir[direction].last_idx) || (idx == frs->dir[direction].last_idx + 1)) {
161  /* Index matches the last updated index in the ring buffer or is the next index in the
162  * buffer */
163  /* Add to the existing open time interval */
164  frs->dir[direction].buf[idx] += pkt_len;
165  /* Update the total sum */
166  frs->dir[direction].sum += pkt_len;
167  } else {
168  /* Index is revisited after a full round of the buffer */
169  uint64_t prev_byte_count = frs->dir[direction].buf[idx];
170  /* Overwrite the buffer */
171  frs->dir[direction].buf[idx] = pkt_len;
172  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum < prev_byte_count);
173  /* Sum should get rid of previous count on the same index */
174  frs->dir[direction].sum += pkt_len - prev_byte_count;
175  frs->dir[direction].start_ts = p_ts;
176  }
177  frs->dir[direction].last_idx = idx;
178 }
179 
180 static inline void FlowRateStoreFlushRing(
181  FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
182 {
183  memset(frs->dir[direction].buf, 0, frs->dir[direction].size);
184  frs->dir[direction].last_idx = 0;
185  frs->dir[direction].start_ts = p_ts;
186  frs->dir[direction].buf[0] = pkt_len;
187  /* Overwrite the sum calculated so far */
188  frs->dir[direction].sum = pkt_len;
189 }
190 
191 void FlowRateStoreUpdate(FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
192 {
193  if (frs->dir[direction].last_ts.secs == 0) {
194  /* Should only happen when the ring is first used */
195  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum > 0);
196  /* Initialize last_ts and start_ts with the first packet's timestamp */
197  frs->dir[direction].last_ts = p_ts;
198  frs->dir[direction].start_ts = p_ts;
199  }
200 
201  SCTime_t start_ts = frs->dir[direction].start_ts;
202  uint16_t idx = (p_ts.secs - start_ts.secs) % frs->dir[direction].size;
203  /* Update start_ts in case of initiating the revisit of buffer */
204  if ((frs->dir[direction].last_idx == frs->dir[direction].size - 1) &&
205  (frs->dir[direction].last_idx != idx)) {
206  start_ts = p_ts;
207  if (idx != 0) {
208  /* Update the sum */
209  FlowRateClearSumInRange(frs, 0, idx, direction);
210  /* Consider current packet a new start of the ring */
211  idx = 0;
212  }
213  }
214  /* If the packet has come in the last open interval of time */
215  if (p_ts.secs - start_ts.secs < frs->dir[direction].size) {
216  FlowRateStoreUpdateCurrentRing(frs, p_ts, pkt_len, idx, direction);
217  } else {
218  /* Packet arrived after one or more rounds of the entire buffer */
219  /* Flush the entire buffer */
220  FlowRateStoreFlushRing(frs, p_ts, pkt_len, direction);
221  }
222  /* In any case, update the last seen timestamp */
223  frs->dir[direction].last_ts = p_ts;
224 }
225 
226 bool FlowRateIsExceeding(FlowRateStore *frs, int direction)
227 {
228  if (frs->dir[direction].sum >= flow_rate_config.bytes) {
229  return true;
230  }
231  return false;
232 }
233 
234 #ifdef UNITTESTS
235 
236 /* Test to check update of the same buffer item */
237 static int FlowRateTest01(void)
238 {
239  SC_ATOMIC_SET(flow_config.memcap, 10000);
240  flow_rate_config.bytes = 100;
241  flow_rate_config.interval = (SCTime_t){ .secs = 10, .usecs = 0 };
242  FlowRateStore *frs = FlowRateStoreInit();
243  FAIL_IF_NULL(frs);
244  for (int i = 0; i < 2; i++) {
245  FAIL_IF(frs->dir[i].size != 10);
246  FAIL_IF(frs->dir[i].sum != 0);
247  }
248  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
249  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
250  /* Total length of packet is 48 */
251  FAIL_IF(frs->dir[0].sum != 48);
252  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
253  FAIL_IF(frs->dir[0].buf[0] != 48);
254 
255  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
256  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
257  /* Total length of packet is 44 */
258  FAIL_IF(frs->dir[0].sum != 92);
259  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
260  FAIL_IF(frs->dir[0].buf[0] != 92);
261 
262  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
263  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
264  /* Total length of packet is 47 */
265  FAIL_IF(frs->dir[0].sum != 139);
266  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
267  FAIL_IF(frs->dir[0].buf[0] != 139);
268 
269  FlowRateStoreFree(frs);
270  PASS;
271 }
272 
273 /* Test to check update of all buffer items */
274 static int FlowRateTest02(void)
275 {
276  SC_ATOMIC_SET(flow_config.memcap, 10000);
277  flow_rate_config.bytes = 200;
278  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
279  FlowRateStore *frs = FlowRateStoreInit();
280  FAIL_IF_NULL(frs);
281  for (int i = 0; i < 2; i++) {
282  FAIL_IF(frs->dir[i].size != 4);
283  FAIL_IF(frs->dir[i].sum != 0);
284  }
285  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
286  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
287  /* Total length of packet is 48 */
288  FAIL_IF(frs->dir[0].sum != 48);
289  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
290  FAIL_IF(frs->dir[0].buf[0] != 48);
291 
292  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
293  p2->ts.secs = p1->ts.secs + 1;
294  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
295  /* Total length of packet is 44 */
296  FAIL_IF(frs->dir[0].sum != 92);
297  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
298  FAIL_IF(frs->dir[0].buf[1] != 44);
299 
300  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
301  p3->ts.secs = p1->ts.secs + 2;
302  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
303  /* Total length of packet is 47 */
304  FAIL_IF(frs->dir[0].sum != 139);
305  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
306  FAIL_IF(frs->dir[0].buf[2] != 47);
307 
308  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
309  p4->ts.secs = p1->ts.secs + 3;
310  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
311  /* Total length of packet is 46 */
312  FAIL_IF(frs->dir[0].sum != 185);
313  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
314  FAIL_IF(frs->dir[0].buf[3] != 46);
315 
316  FlowRateStoreFree(frs);
317  PASS;
318 }
319 
320 /* Test to check update of wrapping around ring buffer */
321 static int FlowRateTest03(void)
322 {
323  SC_ATOMIC_SET(flow_config.memcap, 10000);
324  flow_rate_config.bytes = 200;
325  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
326  FlowRateStore *frs = FlowRateStoreInit();
327  FAIL_IF_NULL(frs);
328  for (int i = 0; i < 2; i++) {
329  FAIL_IF(frs->dir[i].size != 4);
330  FAIL_IF(frs->dir[i].sum != 0);
331  }
332  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
333  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
334  /* Total length of packet is 48 */
335  FAIL_IF(frs->dir[0].sum != 48);
336  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
337  FAIL_IF(frs->dir[0].buf[0] != 48);
338  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
339 
340  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
341  p2->ts.secs = p1->ts.secs + 1;
342  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
343  /* Total length of packet is 44 */
344  FAIL_IF(frs->dir[0].sum != 92);
345  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
346  FAIL_IF(frs->dir[0].buf[1] != 44);
347  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
348 
349  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
350  p3->ts.secs = p1->ts.secs + 2;
351  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
352  /* Total length of packet is 47 */
353  FAIL_IF(frs->dir[0].sum != 139);
354  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
355  FAIL_IF(frs->dir[0].buf[2] != 47);
356  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
357 
358  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
359  p4->ts.secs = p1->ts.secs + 3;
360  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
361  /* Total length of packet is 46 */
362  FAIL_IF(frs->dir[0].sum != 185);
363  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
364  FAIL_IF(frs->dir[0].buf[3] != 46);
365  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
366 
367  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
368  p5->ts.secs = p1->ts.secs + 4;
369  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
370  /* Total length of packet is 43 */
371  FAIL_IF(frs->dir[0].sum != 180);
372  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
373  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
374  FAIL_IF(frs->dir[0].buf[0] != 43);
375 
376  FlowRateStoreFree(frs);
377  PASS;
378 }
379 
380 /* Test to check update of buffer if new pkt comes out of the window */
381 static int FlowRateTest04(void)
382 {
383  SC_ATOMIC_SET(flow_config.memcap, 10000);
384  flow_rate_config.bytes = 200;
385  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
386  FlowRateStore *frs = FlowRateStoreInit();
387  FAIL_IF_NULL(frs);
388  for (int i = 0; i < 2; i++) {
389  FAIL_IF(frs->dir[i].size != 4);
390  FAIL_IF(frs->dir[i].sum != 0);
391  }
392  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
393  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
394  /* Total length of packet is 48 */
395  FAIL_IF(frs->dir[0].sum != 48);
396  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
397  FAIL_IF(frs->dir[0].buf[0] != 48);
398  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
399 
400  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
401  p2->ts.secs = p1->ts.secs + 60;
402  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
403  /* Total length of packet is 44 */
404  FAIL_IF(frs->dir[0].sum != 44);
405  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
406  FAIL_IF(frs->dir[0].buf[0] != 44);
407  FAIL_IF(frs->dir[0].start_ts.secs != p2->ts.secs);
408 
409  FlowRateStoreFree(frs);
410  PASS;
411 }
412 
413 /* Test to check update of wrapping around ring buffer when the packet
414  * out of the window but also does not fall on the first index of the ring */
415 static int FlowRateTest05(void)
416 {
417  SC_ATOMIC_SET(flow_config.memcap, 10000);
418  flow_rate_config.bytes = 200;
419  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
420  FlowRateStore *frs = FlowRateStoreInit();
421  FAIL_IF_NULL(frs);
422  for (int i = 0; i < 2; i++) {
423  FAIL_IF(frs->dir[i].size != 4);
424  FAIL_IF(frs->dir[i].sum != 0);
425  }
426  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
427  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
428  /* Total length of packet is 48 */
429  FAIL_IF(frs->dir[0].sum != 48);
430  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
431  FAIL_IF(frs->dir[0].buf[0] != 48);
432  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
433 
434  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
435  p2->ts.secs = p1->ts.secs + 1;
436  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
437  /* Total length of packet is 44 */
438  FAIL_IF(frs->dir[0].sum != 92);
439  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
440  FAIL_IF(frs->dir[0].buf[1] != 44);
441  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
442 
443  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
444  p3->ts.secs = p1->ts.secs + 2;
445  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
446  /* Total length of packet is 47 */
447  FAIL_IF(frs->dir[0].sum != 139);
448  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
449  FAIL_IF(frs->dir[0].buf[2] != 47);
450  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
451 
452  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
453  p4->ts.secs = p1->ts.secs + 3;
454  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
455  /* Total length of packet is 46 */
456  FAIL_IF(frs->dir[0].sum != 185);
457  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
458  FAIL_IF(frs->dir[0].buf[3] != 46);
459  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
460 
461  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
462  p5->ts.secs = p1->ts.secs + 6;
463  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
464  /* Total length of packet is 43 */
465  FAIL_IF(frs->dir[0].sum != 89);
466  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
467  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
468  FAIL_IF(frs->dir[0].buf[0] != 43);
469 
470  FlowRateStoreFree(frs);
471  PASS;
472 }
473 
474 /* Test to check sum when packet is within the window but is coming after a gap */
475 static int FlowRateTest06(void)
476 {
477  SC_ATOMIC_SET(flow_config.memcap, 10000);
478  flow_rate_config.bytes = 200;
479  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
480  FlowRateStore *frs = FlowRateStoreInit();
481  FAIL_IF_NULL(frs);
482  for (int i = 0; i < 2; i++) {
483  FAIL_IF(frs->dir[i].size != 4);
484  FAIL_IF(frs->dir[i].sum != 0);
485  }
486  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
487  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
488  /* Total length of packet is 48 */
489  FAIL_IF(frs->dir[0].sum != 48);
490  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
491  FAIL_IF(frs->dir[0].buf[0] != 48);
492  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
493 
494  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
495  p2->ts.secs = p1->ts.secs + 1;
496  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
497  /* Total length of packet is 44 */
498  FAIL_IF(frs->dir[0].sum != 92);
499  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
500  FAIL_IF(frs->dir[0].buf[1] != 44);
501  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
502 
503  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
504  p3->ts.secs = p1->ts.secs + 2;
505  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
506  /* Total length of packet is 47 */
507  FAIL_IF(frs->dir[0].sum != 139);
508  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
509  FAIL_IF(frs->dir[0].buf[2] != 47);
510  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
511 
512  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
513  p4->ts.secs = p1->ts.secs + 3;
514  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
515  /* Total length of packet is 46 */
516  FAIL_IF(frs->dir[0].sum != 185);
517  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
518  FAIL_IF(frs->dir[0].buf[3] != 46);
519  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
520 
521  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
522  p5->ts.secs = p1->ts.secs + 4;
523  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
524  /* Total length of packet is 43 */
525  FAIL_IF(frs->dir[0].sum != 180);
526  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
527  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
528  FAIL_IF(frs->dir[0].buf[0] != 43);
529 
530  Packet *p6 = UTHBuildPacket((uint8_t *)"suricata", 8, IPPROTO_TCP);
531  p6->ts.secs = p1->ts.secs + 7;
532  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
533  /* Total length of packet is 48 */
534  FAIL_IF(frs->dir[0].sum != 91);
535  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
536  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
537  FAIL_IF(frs->dir[0].buf[0] != 43);
538  FAIL_IF(frs->dir[0].buf[1] != 0);
539  FAIL_IF(frs->dir[0].buf[2] != 0);
540  FAIL_IF(frs->dir[0].buf[3] != 48);
541 
542  FlowRateStoreFree(frs);
543  PASS;
544 }
545 
546 /* Test to check sum when two packets are back to back within the window but are coming after a gap
547  */
548 static int FlowRateTest07(void)
549 {
550  SC_ATOMIC_SET(flow_config.memcap, 10000);
551  flow_rate_config.bytes = 200;
552  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
553  FlowRateStore *frs = FlowRateStoreInit();
554  FAIL_IF_NULL(frs);
555  for (int i = 0; i < 2; i++) {
556  FAIL_IF(frs->dir[i].size != 4);
557  FAIL_IF(frs->dir[i].sum != 0);
558  }
559  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
560  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
561  /* Total length of packet is 48 */
562  FAIL_IF(frs->dir[0].sum != 48);
563  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
564  FAIL_IF(frs->dir[0].buf[0] != 48);
565  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
566 
567  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
568  p2->ts.secs = p1->ts.secs + 1;
569  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
570  /* Total length of packet is 44 */
571  FAIL_IF(frs->dir[0].sum != 92);
572  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
573  FAIL_IF(frs->dir[0].buf[1] != 44);
574  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
575 
576  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
577  p3->ts.secs = p1->ts.secs + 2;
578  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
579  /* Total length of packet is 47 */
580  FAIL_IF(frs->dir[0].sum != 139);
581  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
582  FAIL_IF(frs->dir[0].buf[2] != 47);
583  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
584 
585  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
586  p4->ts.secs = p1->ts.secs + 3;
587  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
588  /* Total length of packet is 46 */
589  FAIL_IF(frs->dir[0].sum != 185);
590  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
591  FAIL_IF(frs->dir[0].buf[3] != 46);
592  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
593 
594  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
595  p5->ts.secs = p1->ts.secs + 5;
596  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
597  /* Total length of packet is 43 */
598  FAIL_IF(frs->dir[0].sum != 136);
599  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
600  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
601  FAIL_IF(frs->dir[0].buf[0] != 43);
602 
603  Packet *p6 = UTHBuildPacket((uint8_t *)"suricata", 8, IPPROTO_TCP);
604  p6->ts.secs = p1->ts.secs + 8;
605  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
606  /* Total length of packet is 48 */
607  FAIL_IF(frs->dir[0].sum != 91);
608  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
609  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
610  FAIL_IF(frs->dir[0].buf[0] != 43);
611  FAIL_IF(frs->dir[0].buf[1] != 0);
612  FAIL_IF(frs->dir[0].buf[2] != 0);
613  FAIL_IF(frs->dir[0].buf[3] != 48);
614 
615  FlowRateStoreFree(frs);
616  PASS;
617 }
618 
619 void FlowRateRegisterTests(void)
620 {
621  UtRegisterTest("FlowRateTest01", FlowRateTest01);
622  UtRegisterTest("FlowRateTest02", FlowRateTest02);
623  UtRegisterTest("FlowRateTest03", FlowRateTest03);
624  UtRegisterTest("FlowRateTest04", FlowRateTest04);
625  UtRegisterTest("FlowRateTest05", FlowRateTest05);
626  UtRegisterTest("FlowRateTest06", FlowRateTest06);
627  UtRegisterTest("FlowRateTest07", FlowRateTest07);
628 }
629 #endif
FlowStorageId
Definition: flow-storage.h:31
g_flowrate_storage_id
FlowStorageId g_flowrate_storage_id
Definition: util-flow-rate.c:37
util-byte.h
FlowRateDirStore_::sum
uint64_t sum
Definition: util-flow-rate.h:36
FlowRateRegisterTests
void FlowRateRegisterTests(void)
Definition: util-flow-rate.c:619
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
flow-util.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FlowRateDirStore_::start_ts
SCTime_t start_ts
Definition: util-flow-rate.h:42
FlowRateConfig_::interval
SCTime_t interval
Definition: util-flow-rate.h:29
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:190
flow-private.h
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
FlowRateGetStorageID
FlowStorageId FlowRateGetStorageID(void)
Definition: util-flow-rate.c:134
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:359
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
util-unittest.h
util-unittest-helper.h
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
FlowRateStore_::dir
FlowRateDirStore dir[2]
Definition: util-flow-rate.h:48
FlowRateStoreUpdate
void FlowRateStoreUpdate(FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
Definition: util-flow-rate.c:191
util-flow-rate.h
TOSERVER
#define TOSERVER
Definition: flow.h:45
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
Packet_::ts
SCTime_t ts
Definition: decode.h:538
SCTime_t::secs
uint64_t secs
Definition: util-time.h:41
FlowRateRegisterFlowStorage
void FlowRateRegisterFlowStorage(void)
Definition: util-flow-rate.c:60
FlowStorageRegister
FlowStorageId FlowStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Definition: flow-storage.c:66
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
Packet_
Definition: decode.h:484
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
flow_rate_config
FlowRateConfig flow_rate_config
Definition: util-flow-rate.c:39
conf.h
SCTime_t
Definition: util-time.h:40
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
flow-storage.h
FlowRateDirStore_::last_idx
uint16_t last_idx
Definition: util-flow-rate.h:38
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
FlowRateStoreInit
FlowRateStore * FlowRateStoreInit(void)
Definition: util-flow-rate.c:102
flow_config
FlowConfig flow_config
Definition: flow.c:92
FlowRateIsExceeding
bool FlowRateIsExceeding(FlowRateStore *frs, int direction)
Definition: util-flow-rate.c:226
FatalError
#define FatalError(...)
Definition: util-debug.h:502
FlowRateConfig_::bytes
uint64_t bytes
Definition: util-flow-rate.h:28
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:181
SCFree
#define SCFree(p)
Definition: util-mem.h:61
FlowStorageId::id
int id
Definition: flow-storage.h:32
FlowRateDirStore_::buf
uint64_t * buf
Definition: util-flow-rate.h:34
FlowRateStorageEnabled
bool FlowRateStorageEnabled(void)
Definition: util-flow-rate.c:97
util-misc.h
SCTIME_INITIALIZER
#define SCTIME_INITIALIZER
Definition: util-time.h:51
SCTIME_ADD_SECS
#define SCTIME_ADD_SECS(ts, s)
Definition: util-time.h:64
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
FlowRateDirStore_::size
uint16_t size
Definition: util-flow-rate.h:40
SCConfNode_
Definition: conf.h:32
FlowRateDirStore_::last_ts
SCTime_t last_ts
Definition: util-flow-rate.h:44
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FlowRateStore_
Definition: util-flow-rate.h:47
util-storage.h
FlowRateConfig_
Definition: util-flow-rate.h:27