suricata
util-flow-rate.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Shivani Bhardwaj <shivani@oisf.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "flow-storage.h"
27 #include "flow-util.h"
28 #include "flow-private.h"
29 #include "util-storage.h"
30 #include "conf.h"
31 #include "util-misc.h"
32 #include "util-byte.h"
33 #include "util-flow-rate.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 FlowStorageId g_flowrate_storage_id = { .id = -1 };
38 
39 FlowRateConfig flow_rate_config;
40 
41 static void FlowRateStoreFree(void *ptr)
42 {
43  FlowRateStore *frs = (FlowRateStore *)ptr;
44  size_t total_free = 0;
45  if (frs == NULL)
46  return;
47 
48  for (int i = 0; i < 2; i++) {
49  if (frs->dir[i].buf != NULL) {
50  SCFree(frs->dir[i].buf);
51  total_free += (frs->dir[i].size * sizeof(uint64_t));
52  }
53  }
54 
55  SCFree(frs);
56  total_free += sizeof(*frs);
57  (void)SC_ATOMIC_SUB(flow_memuse, total_free);
58 }
59 
60 void FlowRateRegisterFlowStorage(void)
61 {
62  SCConfNode *root = SCConfGetNode("flow");
63  if (root == NULL)
64  return;
65 
66  bool track_flow = false;
67  track_flow = SCConfNodeLookupChild(root, "rate-tracking") != NULL ? true : false;
68  if (!track_flow)
69  return;
70 
71  SCConfNode *node = SCConfGetNode("flow.rate-tracking");
72  const char *val = SCConfNodeLookupChildValue(node, "bytes");
73  if (val == NULL) {
74  FatalError("No value for flow tracking bytes");
75  }
76  uint64_t bytes = 0;
77  if (ParseSizeStringU64(val, &bytes) < 0) {
78  FatalError("Invalid value for flow tracking bytes");
79  }
80  flow_rate_config.bytes = bytes;
81 
82  val = SCConfNodeLookupChildValue(node, "interval");
83  if (val == NULL) {
84  FatalError("No value for flow tracking interval");
85  }
86  SCTime_t interval = SCTIME_INITIALIZER;
87  uint16_t secs = 0;
88  if ((StringParseUint16(&secs, 10, 0, val) < 0) || (secs == 0)) {
89  FatalError("Invalid value for flow tracking interval");
90  }
91  flow_rate_config.interval = SCTIME_ADD_SECS(interval, secs);
92 
93  g_flowrate_storage_id =
94  FlowStorageRegister("flowrate", sizeof(void *), NULL, FlowRateStoreFree);
95 }
96 
97 bool FlowRateStorageEnabled(void)
98 {
99  return (g_flowrate_storage_id.id != -1);
100 }
101 
102 FlowRateStore *FlowRateStoreInit(void)
103 {
104  FlowRateStore *frs = NULL;
105  size_t total_memuse = 0;
106  size_t expected_memuse = (2 * flow_rate_config.interval.secs * sizeof(uint64_t)) + sizeof(*frs);
107 
108  if (!FLOW_CHECK_MEMCAP(expected_memuse)) {
109  return NULL;
110  }
111  frs = SCCalloc(1, sizeof(*frs));
112  if (unlikely(frs == NULL)) {
113  return NULL;
114  }
115 
116  total_memuse += sizeof(*frs);
117  for (int i = 0; i < 2; i++) {
118  frs->dir[i].size = (uint16_t)flow_rate_config.interval.secs;
119  frs->dir[i].buf = SCCalloc(frs->dir[i].size, sizeof(uint64_t));
120  if (unlikely(frs->dir[i].buf == NULL)) {
121  FlowRateStoreFree(frs);
122  return NULL;
123  }
124  frs->dir[i].start_ts = SCTIME_INITIALIZER;
125  frs->dir[i].last_ts = SCTIME_INITIALIZER;
126  total_memuse += (frs->dir[i].size * sizeof(uint64_t));
127  }
128  DEBUG_VALIDATE_BUG_ON(total_memuse != expected_memuse);
129  (void)SC_ATOMIC_ADD(flow_memuse, total_memuse);
130 
131  return frs;
132 }
133 
134 FlowStorageId FlowRateGetStorageID(void)
135 {
136  return g_flowrate_storage_id;
137 }
138 
139 static inline void FlowRateClearSumInRange(
140  FlowRateStore *frs, uint16_t start, uint16_t end, int direction)
141 {
142  for (uint16_t i = start; i <= end; i++) {
143  uint64_t byte_count_at_i = frs->dir[direction].buf[i];
144  frs->dir[direction].buf[i] = 0;
145  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum < byte_count_at_i);
146  frs->dir[direction].sum -= byte_count_at_i;
147  }
148 }
149 
150 static inline void FlowRateStoreUpdateCurrentRing(
151  FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, uint16_t idx, int direction)
152 {
153  if (idx > frs->dir[direction].last_idx + 1) {
154  /* Index is not the same as last or the next so, the ring must be flushed for the items
155  * in between and sum updated */
156  FlowRateClearSumInRange(frs, frs->dir[direction].last_idx + 1, idx, direction);
157  frs->dir[direction].buf[idx] += pkt_len;
158  /* Update the total sum */
159  frs->dir[direction].sum += pkt_len;
160  } else if (idx == frs->dir[direction].last_idx) {
161  /* Index matches the last updated index in the ring buffer */
162  /* Add to the existing open time interval */
163  frs->dir[direction].buf[idx] += pkt_len;
164  /* Update the total sum */
165  frs->dir[direction].sum += pkt_len;
166  } else {
167  /* Index is revisited after a full round of the buffer */
168  uint64_t prev_byte_count = frs->dir[direction].buf[idx];
169  /* Overwrite the buffer */
170  frs->dir[direction].buf[idx] = pkt_len;
171  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum < prev_byte_count);
172  /* Sum should get rid of previous count on the same index */
173  frs->dir[direction].sum += pkt_len - prev_byte_count;
174  if (idx != frs->dir[direction].last_idx + 1) {
175  /* Revisited index but not the next to last, so, reset start_ts */
176  frs->dir[direction].start_ts = p_ts;
177  }
178  }
179  frs->dir[direction].last_idx = idx;
180 }
181 
182 static inline void FlowRateStoreFlushRing(
183  FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
184 {
185  memset(frs->dir[direction].buf, 0, frs->dir[direction].size);
186  frs->dir[direction].last_idx = 0;
187  frs->dir[direction].start_ts = p_ts;
188  frs->dir[direction].buf[0] = pkt_len;
189  /* Overwrite the sum calculated so far */
190  frs->dir[direction].sum = pkt_len;
191 }
192 
193 void FlowRateStoreUpdate(FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
194 {
195  if (frs->dir[direction].last_ts.secs == 0) {
196  /* Should only happen when the ring is first used */
197  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum > 0);
198  /* Initialize last_ts and start_ts with the first packet's timestamp */
199  frs->dir[direction].last_ts = p_ts;
200  frs->dir[direction].start_ts = p_ts;
201  }
202 
203  SCTime_t start_ts = frs->dir[direction].start_ts;
204  uint16_t idx = (p_ts.secs - start_ts.secs) % frs->dir[direction].size;
205  /* Update start_ts in case of initiating the revisit of buffer */
206  if ((frs->dir[direction].last_idx == frs->dir[direction].size - 1) &&
207  (frs->dir[direction].last_idx != idx)) {
208  start_ts = p_ts;
209  if (idx != 0) {
210  /* Update the sum */
211  FlowRateClearSumInRange(frs, 0, idx, direction);
212  /* Consider current packet a new start of the ring */
213  idx = 0;
214  }
215  }
216  /* If the packet has come in the last open interval of time */
217  if (p_ts.secs - start_ts.secs < frs->dir[direction].size) {
218  FlowRateStoreUpdateCurrentRing(frs, p_ts, pkt_len, idx, direction);
219  } else {
220  /* Packet arrived after one or more rounds of the entire buffer */
221  /* Flush the entire buffer */
222  FlowRateStoreFlushRing(frs, p_ts, pkt_len, direction);
223  }
224  /* In any case, update the last seen timestamp */
225  frs->dir[direction].last_ts = p_ts;
226 }
227 
228 bool FlowRateIsExceeding(FlowRateStore *frs, int direction)
229 {
230  if (frs->dir[direction].sum >= flow_rate_config.bytes) {
231  return true;
232  }
233  return false;
234 }
235 
236 #ifdef UNITTESTS
237 
238 /* Test to check update of the same buffer item */
239 static int FlowRateTest01(void)
240 {
241  SC_ATOMIC_SET(flow_config.memcap, 10000);
242  flow_rate_config.bytes = 100;
243  flow_rate_config.interval = (SCTime_t){ .secs = 10, .usecs = 0 };
244  FlowRateStore *frs = FlowRateStoreInit();
245  FAIL_IF_NULL(frs);
246  for (int i = 0; i < 2; i++) {
247  FAIL_IF(frs->dir[i].size != 10);
248  FAIL_IF(frs->dir[i].sum != 0);
249  }
250  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
251  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
252  /* Total length of packet is 48 */
253  FAIL_IF(frs->dir[0].sum != 48);
254  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
255  FAIL_IF(frs->dir[0].buf[0] != 48);
256 
257  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
258  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
259  /* Total length of packet is 44 */
260  FAIL_IF(frs->dir[0].sum != 92);
261  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
262  FAIL_IF(frs->dir[0].buf[0] != 92);
263 
264  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
265  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
266  /* Total length of packet is 47 */
267  FAIL_IF(frs->dir[0].sum != 139);
268  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
269  FAIL_IF(frs->dir[0].buf[0] != 139);
270 
271  FlowRateStoreFree(frs);
272  PASS;
273 }
274 
275 /* Test to check update of all buffer items */
276 static int FlowRateTest02(void)
277 {
278  SC_ATOMIC_SET(flow_config.memcap, 10000);
279  flow_rate_config.bytes = 200;
280  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
281  FlowRateStore *frs = FlowRateStoreInit();
282  FAIL_IF_NULL(frs);
283  for (int i = 0; i < 2; i++) {
284  FAIL_IF(frs->dir[i].size != 4);
285  FAIL_IF(frs->dir[i].sum != 0);
286  }
287  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
288  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
289  /* Total length of packet is 48 */
290  FAIL_IF(frs->dir[0].sum != 48);
291  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
292  FAIL_IF(frs->dir[0].buf[0] != 48);
293 
294  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
295  p2->ts.secs = p1->ts.secs + 1;
296  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
297  /* Total length of packet is 44 */
298  FAIL_IF(frs->dir[0].sum != 92);
299  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
300  FAIL_IF(frs->dir[0].buf[1] != 44);
301 
302  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
303  p3->ts.secs = p1->ts.secs + 2;
304  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
305  /* Total length of packet is 47 */
306  FAIL_IF(frs->dir[0].sum != 139);
307  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
308  FAIL_IF(frs->dir[0].buf[2] != 47);
309 
310  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
311  p4->ts.secs = p1->ts.secs + 3;
312  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
313  /* Total length of packet is 46 */
314  FAIL_IF(frs->dir[0].sum != 185);
315  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
316  FAIL_IF(frs->dir[0].buf[3] != 46);
317 
318  FlowRateStoreFree(frs);
319  PASS;
320 }
321 
322 /* Test to check update of wrapping around ring buffer */
323 static int FlowRateTest03(void)
324 {
325  SC_ATOMIC_SET(flow_config.memcap, 10000);
326  flow_rate_config.bytes = 200;
327  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
328  FlowRateStore *frs = FlowRateStoreInit();
329  FAIL_IF_NULL(frs);
330  for (int i = 0; i < 2; i++) {
331  FAIL_IF(frs->dir[i].size != 4);
332  FAIL_IF(frs->dir[i].sum != 0);
333  }
334  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
335  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
336  /* Total length of packet is 48 */
337  FAIL_IF(frs->dir[0].sum != 48);
338  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
339  FAIL_IF(frs->dir[0].buf[0] != 48);
340  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
341 
342  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
343  p2->ts.secs = p1->ts.secs + 1;
344  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
345  /* Total length of packet is 44 */
346  FAIL_IF(frs->dir[0].sum != 92);
347  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
348  FAIL_IF(frs->dir[0].buf[1] != 44);
349  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
350 
351  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
352  p3->ts.secs = p1->ts.secs + 2;
353  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
354  /* Total length of packet is 47 */
355  FAIL_IF(frs->dir[0].sum != 139);
356  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
357  FAIL_IF(frs->dir[0].buf[2] != 47);
358  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
359 
360  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
361  p4->ts.secs = p1->ts.secs + 3;
362  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
363  /* Total length of packet is 46 */
364  FAIL_IF(frs->dir[0].sum != 185);
365  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
366  FAIL_IF(frs->dir[0].buf[3] != 46);
367  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
368 
369  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
370  p5->ts.secs = p1->ts.secs + 4;
371  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
372  /* Total length of packet is 43 */
373  FAIL_IF(frs->dir[0].sum != 180);
374  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
375  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
376  FAIL_IF(frs->dir[0].buf[0] != 43);
377 
378  Packet *p6 = UTHBuildPacket((uint8_t *)"meerkat", 7, IPPROTO_TCP);
379  p6->ts.secs = p1->ts.secs + 5;
380  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
381  /* Total length of packet is 47 */
382  FAIL_IF(frs->dir[0].sum != 183);
383  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
384  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
385  FAIL_IF(frs->dir[0].buf[1] != 47);
386 
387  FlowRateStoreFree(frs);
388  PASS;
389 }
390 
391 /* Test to check update of buffer if new pkt comes out of the window */
392 static int FlowRateTest04(void)
393 {
394  SC_ATOMIC_SET(flow_config.memcap, 10000);
395  flow_rate_config.bytes = 200;
396  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
397  FlowRateStore *frs = FlowRateStoreInit();
398  FAIL_IF_NULL(frs);
399  for (int i = 0; i < 2; i++) {
400  FAIL_IF(frs->dir[i].size != 4);
401  FAIL_IF(frs->dir[i].sum != 0);
402  }
403  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
404  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
405  /* Total length of packet is 48 */
406  FAIL_IF(frs->dir[0].sum != 48);
407  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
408  FAIL_IF(frs->dir[0].buf[0] != 48);
409  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
410 
411  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
412  p2->ts.secs = p1->ts.secs + 60;
413  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
414  /* Total length of packet is 44 */
415  FAIL_IF(frs->dir[0].sum != 44);
416  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
417  FAIL_IF(frs->dir[0].buf[0] != 44);
418  FAIL_IF(frs->dir[0].start_ts.secs != p2->ts.secs);
419 
420  FlowRateStoreFree(frs);
421  PASS;
422 }
423 
424 /* Test to check update of wrapping around ring buffer when the packet
425  * out of the window but also does not fall on the first index of the ring */
426 static int FlowRateTest05(void)
427 {
428  SC_ATOMIC_SET(flow_config.memcap, 10000);
429  flow_rate_config.bytes = 200;
430  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
431  FlowRateStore *frs = FlowRateStoreInit();
432  FAIL_IF_NULL(frs);
433  for (int i = 0; i < 2; i++) {
434  FAIL_IF(frs->dir[i].size != 4);
435  FAIL_IF(frs->dir[i].sum != 0);
436  }
437  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
438  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
439  /* Total length of packet is 48 */
440  FAIL_IF(frs->dir[0].sum != 48);
441  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
442  FAIL_IF(frs->dir[0].buf[0] != 48);
443  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
444 
445  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
446  p2->ts.secs = p1->ts.secs + 1;
447  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
448  /* Total length of packet is 44 */
449  FAIL_IF(frs->dir[0].sum != 92);
450  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
451  FAIL_IF(frs->dir[0].buf[1] != 44);
452  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
453 
454  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
455  p3->ts.secs = p1->ts.secs + 2;
456  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
457  /* Total length of packet is 47 */
458  FAIL_IF(frs->dir[0].sum != 139);
459  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
460  FAIL_IF(frs->dir[0].buf[2] != 47);
461  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
462 
463  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
464  p4->ts.secs = p1->ts.secs + 3;
465  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
466  /* Total length of packet is 46 */
467  FAIL_IF(frs->dir[0].sum != 185);
468  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
469  FAIL_IF(frs->dir[0].buf[3] != 46);
470  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
471 
472  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
473  p5->ts.secs = p1->ts.secs + 6;
474  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
475  /* Total length of packet is 43 */
476  FAIL_IF(frs->dir[0].sum != 89);
477  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
478  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
479  FAIL_IF(frs->dir[0].buf[0] != 43);
480 
481  FlowRateStoreFree(frs);
482  PASS;
483 }
484 
485 /* Test to check sum when packet is within the window but is coming after a gap */
486 static int FlowRateTest06(void)
487 {
488  SC_ATOMIC_SET(flow_config.memcap, 10000);
489  flow_rate_config.bytes = 200;
490  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
491  FlowRateStore *frs = FlowRateStoreInit();
492  FAIL_IF_NULL(frs);
493  for (int i = 0; i < 2; i++) {
494  FAIL_IF(frs->dir[i].size != 4);
495  FAIL_IF(frs->dir[i].sum != 0);
496  }
497  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
498  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
499  /* Total length of packet is 48 */
500  FAIL_IF(frs->dir[0].sum != 48);
501  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
502  FAIL_IF(frs->dir[0].buf[0] != 48);
503  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
504 
505  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
506  p2->ts.secs = p1->ts.secs + 1;
507  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
508  /* Total length of packet is 44 */
509  FAIL_IF(frs->dir[0].sum != 92);
510  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
511  FAIL_IF(frs->dir[0].buf[1] != 44);
512  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
513 
514  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
515  p3->ts.secs = p1->ts.secs + 2;
516  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
517  /* Total length of packet is 47 */
518  FAIL_IF(frs->dir[0].sum != 139);
519  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
520  FAIL_IF(frs->dir[0].buf[2] != 47);
521  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
522 
523  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
524  p4->ts.secs = p1->ts.secs + 3;
525  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
526  /* Total length of packet is 46 */
527  FAIL_IF(frs->dir[0].sum != 185);
528  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
529  FAIL_IF(frs->dir[0].buf[3] != 46);
530  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
531 
532  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
533  p5->ts.secs = p1->ts.secs + 4;
534  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
535  /* Total length of packet is 43 */
536  FAIL_IF(frs->dir[0].sum != 180);
537  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
538  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
539  FAIL_IF(frs->dir[0].buf[0] != 43);
540 
541  Packet *p6 = UTHBuildPacket((uint8_t *)"suricata", 8, IPPROTO_TCP);
542  p6->ts.secs = p1->ts.secs + 7;
543  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
544  /* Total length of packet is 48 */
545  FAIL_IF(frs->dir[0].sum != 91);
546  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
547  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
548  FAIL_IF(frs->dir[0].buf[0] != 43);
549  FAIL_IF(frs->dir[0].buf[1] != 0);
550  FAIL_IF(frs->dir[0].buf[2] != 0);
551  FAIL_IF(frs->dir[0].buf[3] != 48);
552 
553  FlowRateStoreFree(frs);
554  PASS;
555 }
556 
557 /* Test to check sum when two packets are back to back within the window but are coming after a gap
558  */
559 static int FlowRateTest07(void)
560 {
561  SC_ATOMIC_SET(flow_config.memcap, 10000);
562  flow_rate_config.bytes = 200;
563  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
564  FlowRateStore *frs = FlowRateStoreInit();
565  FAIL_IF_NULL(frs);
566  for (int i = 0; i < 2; i++) {
567  FAIL_IF(frs->dir[i].size != 4);
568  FAIL_IF(frs->dir[i].sum != 0);
569  }
570  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
571  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
572  /* Total length of packet is 48 */
573  FAIL_IF(frs->dir[0].sum != 48);
574  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
575  FAIL_IF(frs->dir[0].buf[0] != 48);
576  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
577 
578  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
579  p2->ts.secs = p1->ts.secs + 1;
580  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
581  /* Total length of packet is 44 */
582  FAIL_IF(frs->dir[0].sum != 92);
583  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
584  FAIL_IF(frs->dir[0].buf[1] != 44);
585  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
586 
587  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
588  p3->ts.secs = p1->ts.secs + 2;
589  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
590  /* Total length of packet is 47 */
591  FAIL_IF(frs->dir[0].sum != 139);
592  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
593  FAIL_IF(frs->dir[0].buf[2] != 47);
594  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
595 
596  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
597  p4->ts.secs = p1->ts.secs + 3;
598  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
599  /* Total length of packet is 46 */
600  FAIL_IF(frs->dir[0].sum != 185);
601  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
602  FAIL_IF(frs->dir[0].buf[3] != 46);
603  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
604 
605  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
606  p5->ts.secs = p1->ts.secs + 5;
607  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
608  /* Total length of packet is 43 */
609  FAIL_IF(frs->dir[0].sum != 136);
610  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
611  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
612  FAIL_IF(frs->dir[0].buf[0] != 43);
613 
614  Packet *p6 = UTHBuildPacket((uint8_t *)"suricata", 8, IPPROTO_TCP);
615  p6->ts.secs = p1->ts.secs + 8;
616  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
617  /* Total length of packet is 48 */
618  FAIL_IF(frs->dir[0].sum != 91);
619  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
620  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
621  FAIL_IF(frs->dir[0].buf[0] != 43);
622  FAIL_IF(frs->dir[0].buf[1] != 0);
623  FAIL_IF(frs->dir[0].buf[2] != 0);
624  FAIL_IF(frs->dir[0].buf[3] != 48);
625 
626  FlowRateStoreFree(frs);
627  PASS;
628 }
629 
630 void FlowRateRegisterTests(void)
631 {
632  UtRegisterTest("FlowRateTest01", FlowRateTest01);
633  UtRegisterTest("FlowRateTest02", FlowRateTest02);
634  UtRegisterTest("FlowRateTest03", FlowRateTest03);
635  UtRegisterTest("FlowRateTest04", FlowRateTest04);
636  UtRegisterTest("FlowRateTest05", FlowRateTest05);
637  UtRegisterTest("FlowRateTest06", FlowRateTest06);
638  UtRegisterTest("FlowRateTest07", FlowRateTest07);
639 }
640 #endif
FlowStorageId
Definition: flow-storage.h:31
g_flowrate_storage_id
FlowStorageId g_flowrate_storage_id
Definition: util-flow-rate.c:37
util-byte.h
FlowRateDirStore_::sum
uint64_t sum
Definition: util-flow-rate.h:36
FlowRateRegisterTests
void FlowRateRegisterTests(void)
Definition: util-flow-rate.c:630
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
flow-util.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FlowRateDirStore_::start_ts
SCTime_t start_ts
Definition: util-flow-rate.h:42
FlowRateConfig_::interval
SCTime_t interval
Definition: util-flow-rate.h:29
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:190
flow-private.h
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:337
FlowRateGetStorageID
FlowStorageId FlowRateGetStorageID(void)
Definition: util-flow-rate.c:134
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:824
util-unittest.h
util-unittest-helper.h
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
FlowRateStore_::dir
FlowRateDirStore dir[2]
Definition: util-flow-rate.h:48
FlowRateStoreUpdate
void FlowRateStoreUpdate(FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
Definition: util-flow-rate.c:193
util-flow-rate.h
TOSERVER
#define TOSERVER
Definition: flow.h:45
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
Packet_::ts
SCTime_t ts
Definition: decode.h:546
SCTime_t::secs
uint64_t secs
Definition: util-time.h:41
FlowRateRegisterFlowStorage
void FlowRateRegisterFlowStorage(void)
Definition: util-flow-rate.c:60
FlowStorageRegister
FlowStorageId FlowStorageRegister(const char *name, const unsigned int size, void *(*Alloc)(unsigned int), void(*Free)(void *))
Definition: flow-storage.c:66
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
Packet_
Definition: decode.h:492
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:208
flow_rate_config
FlowRateConfig flow_rate_config
Definition: util-flow-rate.c:39
conf.h
SCTime_t
Definition: util-time.h:40
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:796
flow-storage.h
FlowRateDirStore_::last_idx
uint16_t last_idx
Definition: util-flow-rate.h:38
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
FlowRateStoreInit
FlowRateStore * FlowRateStoreInit(void)
Definition: util-flow-rate.c:102
flow_config
FlowConfig flow_config
Definition: flow.c:92
FlowRateIsExceeding
bool FlowRateIsExceeding(FlowRateStore *frs, int direction)
Definition: util-flow-rate.c:228
FatalError
#define FatalError(...)
Definition: util-debug.h:503
FlowRateConfig_::bytes
uint64_t bytes
Definition: util-flow-rate.h:28
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:181
SCFree
#define SCFree(p)
Definition: util-mem.h:61
FlowStorageId::id
int id
Definition: flow-storage.h:32
FlowRateDirStore_::buf
uint64_t * buf
Definition: util-flow-rate.h:34
FlowRateStorageEnabled
bool FlowRateStorageEnabled(void)
Definition: util-flow-rate.c:97
util-misc.h
SCTIME_INITIALIZER
#define SCTIME_INITIALIZER
Definition: util-time.h:51
SCTIME_ADD_SECS
#define SCTIME_ADD_SECS(ts, s)
Definition: util-time.h:64
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
FlowRateDirStore_::size
uint16_t size
Definition: util-flow-rate.h:40
SCConfNode_
Definition: conf.h:37
FlowRateDirStore_::last_ts
SCTime_t last_ts
Definition: util-flow-rate.h:44
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FlowRateStore_
Definition: util-flow-rate.h:47
util-storage.h
FlowRateConfig_
Definition: util-flow-rate.h:27