suricata
util-flow-rate.c
Go to the documentation of this file.
1 /* Copyright (C) 2025 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Shivani Bhardwaj <shivani@oisf.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "flow-storage.h"
27 #include "flow-util.h"
28 #include "flow-private.h"
29 #include "util-storage.h"
30 #include "conf.h"
31 #include "util-misc.h"
32 #include "util-byte.h"
33 #include "util-flow-rate.h"
34 #include "util-unittest.h"
35 #include "util-unittest-helper.h"
36 
37 SCFlowStorageId g_flowrate_storage_id = { .id = -1 };
38 
39 FlowRateConfig flow_rate_config;
40 
41 static void FlowRateStoreFree(void *ptr)
42 {
43  FlowRateStore *frs = (FlowRateStore *)ptr;
44  size_t total_free = 0;
45  if (frs == NULL)
46  return;
47 
48  for (int i = 0; i < 2; i++) {
49  if (frs->dir[i].buf != NULL) {
50  SCFree(frs->dir[i].buf);
51  total_free += (frs->dir[i].size * sizeof(uint64_t));
52  }
53  }
54 
55  SCFree(frs);
56  total_free += sizeof(*frs);
57  (void)SC_ATOMIC_SUB(flow_memuse, total_free);
58 }
59 
60 void FlowRateRegisterFlowStorage(void)
61 {
62  SCConfNode *root = SCConfGetNode("flow");
63  if (root == NULL)
64  return;
65 
66  bool track_flow = false;
67  track_flow = SCConfNodeLookupChild(root, "rate-tracking") != NULL;
68  if (!track_flow)
69  return;
70 
71  SCConfNode *node = SCConfGetNode("flow.rate-tracking");
72  const char *val = SCConfNodeLookupChildValue(node, "bytes");
73  if (val == NULL) {
74  FatalError("No value for flow tracking bytes");
75  }
76  uint64_t bytes = 0;
77  if (ParseSizeStringU64(val, &bytes) < 0) {
78  FatalError("Invalid value for flow tracking bytes");
79  }
80  flow_rate_config.bytes = bytes;
81 
82  val = SCConfNodeLookupChildValue(node, "interval");
83  if (val == NULL) {
84  FatalError("No value for flow tracking interval");
85  }
86  SCTime_t interval = SCTIME_INITIALIZER;
87  uint16_t secs = 0;
88  if ((StringParseUint16(&secs, 10, 0, val) < 0) || (secs == 0)) {
89  FatalError("Invalid value for flow tracking interval");
90  }
91  flow_rate_config.interval = SCTIME_ADD_SECS(interval, secs);
92 
93  g_flowrate_storage_id = SCFlowStorageRegister("flowrate", FlowRateStoreFree);
94 }
95 
96 bool FlowRateStorageEnabled(void)
97 {
98  return (g_flowrate_storage_id.id != -1);
99 }
100 
101 FlowRateStore *FlowRateStoreInit(void)
102 {
103  FlowRateStore *frs = NULL;
104  size_t total_memuse = 0;
105  size_t expected_memuse = (2 * flow_rate_config.interval.secs * sizeof(uint64_t)) + sizeof(*frs);
106 
107  if (!FLOW_CHECK_MEMCAP(expected_memuse)) {
108  return NULL;
109  }
110  frs = SCCalloc(1, sizeof(*frs));
111  if (unlikely(frs == NULL)) {
112  return NULL;
113  }
114 
115  total_memuse += sizeof(*frs);
116  for (int i = 0; i < 2; i++) {
117  frs->dir[i].size = (uint16_t)flow_rate_config.interval.secs;
118  frs->dir[i].buf = SCCalloc(frs->dir[i].size, sizeof(uint64_t));
119  if (unlikely(frs->dir[i].buf == NULL)) {
120  FlowRateStoreFree(frs);
121  return NULL;
122  }
123  frs->dir[i].start_ts = SCTIME_INITIALIZER;
124  frs->dir[i].last_ts = SCTIME_INITIALIZER;
125  total_memuse += (frs->dir[i].size * sizeof(uint64_t));
126  }
127  DEBUG_VALIDATE_BUG_ON(total_memuse != expected_memuse);
128  (void)SC_ATOMIC_ADD(flow_memuse, total_memuse);
129 
130  return frs;
131 }
132 
133 SCFlowStorageId FlowRateGetStorageID(void)
134 {
135  return g_flowrate_storage_id;
136 }
137 
138 static inline void FlowRateClearSumInRange(
139  FlowRateStore *frs, uint16_t start, uint16_t end, int direction)
140 {
141  for (uint16_t i = start; i <= end; i++) {
142  uint64_t byte_count_at_i = frs->dir[direction].buf[i];
143  frs->dir[direction].buf[i] = 0;
144  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum < byte_count_at_i);
145  frs->dir[direction].sum -= byte_count_at_i;
146  }
147 }
148 
149 static inline void FlowRateStoreUpdateCurrentRing(
150  FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, uint16_t idx, int direction)
151 {
152  if (idx > frs->dir[direction].last_idx + 1) {
153  /* Index is not the same as last or the next so, the ring must be flushed for the items
154  * in between and sum updated */
155  FlowRateClearSumInRange(frs, frs->dir[direction].last_idx + 1, idx, direction);
156  frs->dir[direction].buf[idx] += pkt_len;
157  /* Update the total sum */
158  frs->dir[direction].sum += pkt_len;
159  } else if (idx == frs->dir[direction].last_idx) {
160  /* Index matches the last updated index in the ring buffer */
161  /* Add to the existing open time interval */
162  frs->dir[direction].buf[idx] += pkt_len;
163  /* Update the total sum */
164  frs->dir[direction].sum += pkt_len;
165  } else {
166  /* Index is revisited after a full round of the buffer */
167  uint64_t prev_byte_count = frs->dir[direction].buf[idx];
168  /* Overwrite the buffer */
169  frs->dir[direction].buf[idx] = pkt_len;
170  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum < prev_byte_count);
171  /* Sum should get rid of previous count on the same index */
172  frs->dir[direction].sum += pkt_len - prev_byte_count;
173  if (idx != frs->dir[direction].last_idx + 1) {
174  /* Revisited index but not the next to last, so, reset start_ts */
175  frs->dir[direction].start_ts = p_ts;
176  }
177  }
178  frs->dir[direction].last_idx = idx;
179 }
180 
181 static inline void FlowRateStoreFlushRing(
182  FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
183 {
184  memset(frs->dir[direction].buf, 0, frs->dir[direction].size);
185  frs->dir[direction].last_idx = 0;
186  frs->dir[direction].start_ts = p_ts;
187  frs->dir[direction].buf[0] = pkt_len;
188  /* Overwrite the sum calculated so far */
189  frs->dir[direction].sum = pkt_len;
190 }
191 
192 void FlowRateStoreUpdate(FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
193 {
194  if (frs->dir[direction].last_ts.secs == 0) {
195  /* Should only happen when the ring is first used */
196  DEBUG_VALIDATE_BUG_ON(frs->dir[direction].sum > 0);
197  /* Initialize last_ts and start_ts with the first packet's timestamp */
198  frs->dir[direction].last_ts = p_ts;
199  frs->dir[direction].start_ts = p_ts;
200  }
201 
202  SCTime_t start_ts = frs->dir[direction].start_ts;
203  uint16_t idx = (p_ts.secs - start_ts.secs) % frs->dir[direction].size;
204  /* Update start_ts in case of initiating the revisit of buffer */
205  if ((frs->dir[direction].last_idx == frs->dir[direction].size - 1) &&
206  (frs->dir[direction].last_idx != idx)) {
207  start_ts = p_ts;
208  if (idx != 0) {
209  /* Update the sum */
210  FlowRateClearSumInRange(frs, 0, idx, direction);
211  /* Consider current packet a new start of the ring */
212  idx = 0;
213  }
214  }
215  /* If the packet has come in the last open interval of time */
216  if (p_ts.secs - start_ts.secs < frs->dir[direction].size) {
217  FlowRateStoreUpdateCurrentRing(frs, p_ts, pkt_len, idx, direction);
218  } else {
219  /* Packet arrived after one or more rounds of the entire buffer */
220  /* Flush the entire buffer */
221  FlowRateStoreFlushRing(frs, p_ts, pkt_len, direction);
222  }
223  /* In any case, update the last seen timestamp */
224  frs->dir[direction].last_ts = p_ts;
225 }
226 
227 bool FlowRateIsExceeding(FlowRateStore *frs, int direction)
228 {
229  return frs->dir[direction].sum >= flow_rate_config.bytes;
230 }
231 
232 #ifdef UNITTESTS
233 
234 /* Test to check update of the same buffer item */
235 static int FlowRateTest01(void)
236 {
237  SC_ATOMIC_SET(flow_config.memcap, 10000);
238  flow_rate_config.bytes = 100;
239  flow_rate_config.interval = (SCTime_t){ .secs = 10, .usecs = 0 };
240  FlowRateStore *frs = FlowRateStoreInit();
241  FAIL_IF_NULL(frs);
242  for (int i = 0; i < 2; i++) {
243  FAIL_IF(frs->dir[i].size != 10);
244  FAIL_IF(frs->dir[i].sum != 0);
245  }
246  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
247  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
248  /* Total length of packet is 48 */
249  FAIL_IF(frs->dir[0].sum != 48);
250  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
251  FAIL_IF(frs->dir[0].buf[0] != 48);
252 
253  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
254  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
255  /* Total length of packet is 44 */
256  FAIL_IF(frs->dir[0].sum != 92);
257  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
258  FAIL_IF(frs->dir[0].buf[0] != 92);
259 
260  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
261  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
262  /* Total length of packet is 47 */
263  FAIL_IF(frs->dir[0].sum != 139);
264  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
265  FAIL_IF(frs->dir[0].buf[0] != 139);
266 
267  UTHFreePacket(p1);
268  UTHFreePacket(p2);
269  UTHFreePacket(p3);
270  FlowRateStoreFree(frs);
271  PASS;
272 }
273 
274 /* Test to check update of all buffer items */
275 static int FlowRateTest02(void)
276 {
277  SC_ATOMIC_SET(flow_config.memcap, 10000);
278  flow_rate_config.bytes = 200;
279  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
280  FlowRateStore *frs = FlowRateStoreInit();
281  FAIL_IF_NULL(frs);
282  for (int i = 0; i < 2; i++) {
283  FAIL_IF(frs->dir[i].size != 4);
284  FAIL_IF(frs->dir[i].sum != 0);
285  }
286  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
287  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
288  /* Total length of packet is 48 */
289  FAIL_IF(frs->dir[0].sum != 48);
290  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
291  FAIL_IF(frs->dir[0].buf[0] != 48);
292 
293  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
294  p2->ts.secs = p1->ts.secs + 1;
295  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
296  /* Total length of packet is 44 */
297  FAIL_IF(frs->dir[0].sum != 92);
298  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
299  FAIL_IF(frs->dir[0].buf[1] != 44);
300 
301  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
302  p3->ts.secs = p1->ts.secs + 2;
303  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
304  /* Total length of packet is 47 */
305  FAIL_IF(frs->dir[0].sum != 139);
306  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
307  FAIL_IF(frs->dir[0].buf[2] != 47);
308 
309  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
310  p4->ts.secs = p1->ts.secs + 3;
311  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
312  /* Total length of packet is 46 */
313  FAIL_IF(frs->dir[0].sum != 185);
314  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
315  FAIL_IF(frs->dir[0].buf[3] != 46);
316 
317  UTHFreePacket(p1);
318  UTHFreePacket(p2);
319  UTHFreePacket(p3);
320  UTHFreePacket(p4);
321  FlowRateStoreFree(frs);
322  PASS;
323 }
324 
325 /* Test to check update of wrapping around ring buffer */
326 static int FlowRateTest03(void)
327 {
328  SC_ATOMIC_SET(flow_config.memcap, 10000);
329  flow_rate_config.bytes = 200;
330  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
331  FlowRateStore *frs = FlowRateStoreInit();
332  FAIL_IF_NULL(frs);
333  for (int i = 0; i < 2; i++) {
334  FAIL_IF(frs->dir[i].size != 4);
335  FAIL_IF(frs->dir[i].sum != 0);
336  }
337  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
338  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
339  /* Total length of packet is 48 */
340  FAIL_IF(frs->dir[0].sum != 48);
341  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
342  FAIL_IF(frs->dir[0].buf[0] != 48);
343  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
344 
345  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
346  p2->ts.secs = p1->ts.secs + 1;
347  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
348  /* Total length of packet is 44 */
349  FAIL_IF(frs->dir[0].sum != 92);
350  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
351  FAIL_IF(frs->dir[0].buf[1] != 44);
352  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
353 
354  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
355  p3->ts.secs = p1->ts.secs + 2;
356  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
357  /* Total length of packet is 47 */
358  FAIL_IF(frs->dir[0].sum != 139);
359  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
360  FAIL_IF(frs->dir[0].buf[2] != 47);
361  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
362 
363  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
364  p4->ts.secs = p1->ts.secs + 3;
365  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
366  /* Total length of packet is 46 */
367  FAIL_IF(frs->dir[0].sum != 185);
368  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
369  FAIL_IF(frs->dir[0].buf[3] != 46);
370  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
371 
372  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
373  p5->ts.secs = p1->ts.secs + 4;
374  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
375  /* Total length of packet is 43 */
376  FAIL_IF(frs->dir[0].sum != 180);
377  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
378  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
379  FAIL_IF(frs->dir[0].buf[0] != 43);
380 
381  Packet *p6 = UTHBuildPacket((uint8_t *)"meerkat", 7, IPPROTO_TCP);
382  p6->ts.secs = p1->ts.secs + 5;
383  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
384  /* Total length of packet is 47 */
385  FAIL_IF(frs->dir[0].sum != 183);
386  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
387  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
388  FAIL_IF(frs->dir[0].buf[1] != 47);
389 
390  UTHFreePacket(p1);
391  UTHFreePacket(p2);
392  UTHFreePacket(p3);
393  UTHFreePacket(p4);
394  UTHFreePacket(p5);
395  UTHFreePacket(p6);
396  FlowRateStoreFree(frs);
397  PASS;
398 }
399 
400 /* Test to check update of buffer if new pkt comes out of the window */
401 static int FlowRateTest04(void)
402 {
403  SC_ATOMIC_SET(flow_config.memcap, 10000);
404  flow_rate_config.bytes = 200;
405  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
406  FlowRateStore *frs = FlowRateStoreInit();
407  FAIL_IF_NULL(frs);
408  for (int i = 0; i < 2; i++) {
409  FAIL_IF(frs->dir[i].size != 4);
410  FAIL_IF(frs->dir[i].sum != 0);
411  }
412  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
413  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
414  /* Total length of packet is 48 */
415  FAIL_IF(frs->dir[0].sum != 48);
416  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
417  FAIL_IF(frs->dir[0].buf[0] != 48);
418  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
419 
420  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
421  p2->ts.secs = p1->ts.secs + 60;
422  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
423  /* Total length of packet is 44 */
424  FAIL_IF(frs->dir[0].sum != 44);
425  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
426  FAIL_IF(frs->dir[0].buf[0] != 44);
427  FAIL_IF(frs->dir[0].start_ts.secs != p2->ts.secs);
428 
429  UTHFreePacket(p1);
430  UTHFreePacket(p2);
431  FlowRateStoreFree(frs);
432  PASS;
433 }
434 
435 /* Test to check update of wrapping around ring buffer when the packet
436  * out of the window but also does not fall on the first index of the ring */
437 static int FlowRateTest05(void)
438 {
439  SC_ATOMIC_SET(flow_config.memcap, 10000);
440  flow_rate_config.bytes = 200;
441  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
442  FlowRateStore *frs = FlowRateStoreInit();
443  FAIL_IF_NULL(frs);
444  for (int i = 0; i < 2; i++) {
445  FAIL_IF(frs->dir[i].size != 4);
446  FAIL_IF(frs->dir[i].sum != 0);
447  }
448  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
449  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
450  /* Total length of packet is 48 */
451  FAIL_IF(frs->dir[0].sum != 48);
452  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
453  FAIL_IF(frs->dir[0].buf[0] != 48);
454  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
455 
456  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
457  p2->ts.secs = p1->ts.secs + 1;
458  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
459  /* Total length of packet is 44 */
460  FAIL_IF(frs->dir[0].sum != 92);
461  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
462  FAIL_IF(frs->dir[0].buf[1] != 44);
463  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
464 
465  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
466  p3->ts.secs = p1->ts.secs + 2;
467  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
468  /* Total length of packet is 47 */
469  FAIL_IF(frs->dir[0].sum != 139);
470  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
471  FAIL_IF(frs->dir[0].buf[2] != 47);
472  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
473 
474  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
475  p4->ts.secs = p1->ts.secs + 3;
476  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
477  /* Total length of packet is 46 */
478  FAIL_IF(frs->dir[0].sum != 185);
479  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
480  FAIL_IF(frs->dir[0].buf[3] != 46);
481  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
482 
483  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
484  p5->ts.secs = p1->ts.secs + 6;
485  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
486  /* Total length of packet is 43 */
487  FAIL_IF(frs->dir[0].sum != 89);
488  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
489  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
490  FAIL_IF(frs->dir[0].buf[0] != 43);
491 
492  UTHFreePacket(p1);
493  UTHFreePacket(p2);
494  UTHFreePacket(p3);
495  UTHFreePacket(p4);
496  UTHFreePacket(p5);
497  FlowRateStoreFree(frs);
498  PASS;
499 }
500 
501 /* Test to check sum when packet is within the window but is coming after a gap */
502 static int FlowRateTest06(void)
503 {
504  SC_ATOMIC_SET(flow_config.memcap, 10000);
505  flow_rate_config.bytes = 200;
506  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
507  FlowRateStore *frs = FlowRateStoreInit();
508  FAIL_IF_NULL(frs);
509  for (int i = 0; i < 2; i++) {
510  FAIL_IF(frs->dir[i].size != 4);
511  FAIL_IF(frs->dir[i].sum != 0);
512  }
513  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
514  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
515  /* Total length of packet is 48 */
516  FAIL_IF(frs->dir[0].sum != 48);
517  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
518  FAIL_IF(frs->dir[0].buf[0] != 48);
519  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
520 
521  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
522  p2->ts.secs = p1->ts.secs + 1;
523  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
524  /* Total length of packet is 44 */
525  FAIL_IF(frs->dir[0].sum != 92);
526  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
527  FAIL_IF(frs->dir[0].buf[1] != 44);
528  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
529 
530  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
531  p3->ts.secs = p1->ts.secs + 2;
532  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
533  /* Total length of packet is 47 */
534  FAIL_IF(frs->dir[0].sum != 139);
535  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
536  FAIL_IF(frs->dir[0].buf[2] != 47);
537  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
538 
539  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
540  p4->ts.secs = p1->ts.secs + 3;
541  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
542  /* Total length of packet is 46 */
543  FAIL_IF(frs->dir[0].sum != 185);
544  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
545  FAIL_IF(frs->dir[0].buf[3] != 46);
546  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
547 
548  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
549  p5->ts.secs = p1->ts.secs + 4;
550  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
551  /* Total length of packet is 43 */
552  FAIL_IF(frs->dir[0].sum != 180);
553  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
554  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
555  FAIL_IF(frs->dir[0].buf[0] != 43);
556 
557  Packet *p6 = UTHBuildPacket((uint8_t *)"suricata", 8, IPPROTO_TCP);
558  p6->ts.secs = p1->ts.secs + 7;
559  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
560  /* Total length of packet is 48 */
561  FAIL_IF(frs->dir[0].sum != 91);
562  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
563  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
564  FAIL_IF(frs->dir[0].buf[0] != 43);
565  FAIL_IF(frs->dir[0].buf[1] != 0);
566  FAIL_IF(frs->dir[0].buf[2] != 0);
567  FAIL_IF(frs->dir[0].buf[3] != 48);
568 
569  UTHFreePacket(p1);
570  UTHFreePacket(p2);
571  UTHFreePacket(p3);
572  UTHFreePacket(p4);
573  UTHFreePacket(p5);
574  UTHFreePacket(p6);
575  FlowRateStoreFree(frs);
576  PASS;
577 }
578 
579 /* Test to check sum when two packets are back to back within the window but are coming after a gap
580  */
581 static int FlowRateTest07(void)
582 {
583  SC_ATOMIC_SET(flow_config.memcap, 10000);
584  flow_rate_config.bytes = 200;
585  flow_rate_config.interval = (SCTime_t){ .secs = 4, .usecs = 0 };
586  FlowRateStore *frs = FlowRateStoreInit();
587  FAIL_IF_NULL(frs);
588  for (int i = 0; i < 2; i++) {
589  FAIL_IF(frs->dir[i].size != 4);
590  FAIL_IF(frs->dir[i].sum != 0);
591  }
592  Packet *p1 = UTHBuildPacket((uint8_t *)"blahblah", 8, IPPROTO_TCP);
593  FlowRateStoreUpdate(frs, p1->ts, GET_PKT_LEN(p1), TOSERVER);
594  /* Total length of packet is 48 */
595  FAIL_IF(frs->dir[0].sum != 48);
596  FAIL_IF(frs->dir[0].last_ts.secs != p1->ts.secs);
597  FAIL_IF(frs->dir[0].buf[0] != 48);
598  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
599 
600  Packet *p2 = UTHBuildPacket((uint8_t *)"DATA", 4, IPPROTO_TCP);
601  p2->ts.secs = p1->ts.secs + 1;
602  FlowRateStoreUpdate(frs, p2->ts, GET_PKT_LEN(p2), TOSERVER);
603  /* Total length of packet is 44 */
604  FAIL_IF(frs->dir[0].sum != 92);
605  FAIL_IF(frs->dir[0].last_ts.secs != p2->ts.secs);
606  FAIL_IF(frs->dir[0].buf[1] != 44);
607  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
608 
609  Packet *p3 = UTHBuildPacket((uint8_t *)"ABababa", 7, IPPROTO_TCP);
610  p3->ts.secs = p1->ts.secs + 2;
611  FlowRateStoreUpdate(frs, p3->ts, GET_PKT_LEN(p3), TOSERVER);
612  /* Total length of packet is 47 */
613  FAIL_IF(frs->dir[0].sum != 139);
614  FAIL_IF(frs->dir[0].last_ts.secs != p3->ts.secs);
615  FAIL_IF(frs->dir[0].buf[2] != 47);
616  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
617 
618  Packet *p4 = UTHBuildPacket((uint8_t *)"yoohoo", 6, IPPROTO_TCP);
619  p4->ts.secs = p1->ts.secs + 3;
620  FlowRateStoreUpdate(frs, p4->ts, GET_PKT_LEN(p4), TOSERVER);
621  /* Total length of packet is 46 */
622  FAIL_IF(frs->dir[0].sum != 185);
623  FAIL_IF(frs->dir[0].last_ts.secs != p4->ts.secs);
624  FAIL_IF(frs->dir[0].buf[3] != 46);
625  FAIL_IF(frs->dir[0].start_ts.secs != p1->ts.secs);
626 
627  Packet *p5 = UTHBuildPacket((uint8_t *)"nmn", 3, IPPROTO_TCP);
628  p5->ts.secs = p1->ts.secs + 5;
629  FlowRateStoreUpdate(frs, p5->ts, GET_PKT_LEN(p5), TOSERVER);
630  /* Total length of packet is 43 */
631  FAIL_IF(frs->dir[0].sum != 136);
632  FAIL_IF(frs->dir[0].last_ts.secs != p5->ts.secs);
633  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
634  FAIL_IF(frs->dir[0].buf[0] != 43);
635 
636  Packet *p6 = UTHBuildPacket((uint8_t *)"suricata", 8, IPPROTO_TCP);
637  p6->ts.secs = p1->ts.secs + 8;
638  FlowRateStoreUpdate(frs, p6->ts, GET_PKT_LEN(p6), TOSERVER);
639  /* Total length of packet is 48 */
640  FAIL_IF(frs->dir[0].sum != 91);
641  FAIL_IF(frs->dir[0].last_ts.secs != p6->ts.secs);
642  FAIL_IF(frs->dir[0].start_ts.secs != p5->ts.secs);
643  FAIL_IF(frs->dir[0].buf[0] != 43);
644  FAIL_IF(frs->dir[0].buf[1] != 0);
645  FAIL_IF(frs->dir[0].buf[2] != 0);
646  FAIL_IF(frs->dir[0].buf[3] != 48);
647 
648  UTHFreePacket(p1);
649  UTHFreePacket(p2);
650  UTHFreePacket(p3);
651  UTHFreePacket(p4);
652  UTHFreePacket(p5);
653  UTHFreePacket(p6);
654  FlowRateStoreFree(frs);
655  PASS;
656 }
657 
658 void FlowRateRegisterTests(void)
659 {
660  UtRegisterTest("FlowRateTest01", FlowRateTest01);
661  UtRegisterTest("FlowRateTest02", FlowRateTest02);
662  UtRegisterTest("FlowRateTest03", FlowRateTest03);
663  UtRegisterTest("FlowRateTest04", FlowRateTest04);
664  UtRegisterTest("FlowRateTest05", FlowRateTest05);
665  UtRegisterTest("FlowRateTest06", FlowRateTest06);
666  UtRegisterTest("FlowRateTest07", FlowRateTest07);
667 }
668 #endif
util-byte.h
FlowRateDirStore_::sum
uint64_t sum
Definition: util-flow-rate.h:36
FlowRateRegisterTests
void FlowRateRegisterTests(void)
Definition: util-flow-rate.c:658
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
flow-util.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
FlowRateDirStore_::start_ts
SCTime_t start_ts
Definition: util-flow-rate.h:42
FlowRateConfig_::interval
SCTime_t interval
Definition: util-flow-rate.h:29
ParseSizeStringU64
int ParseSizeStringU64(const char *size, uint64_t *res)
Definition: util-misc.c:191
flow-private.h
SC_ATOMIC_ADD
#define SC_ATOMIC_ADD(name, val)
add a value to our atomic variable
Definition: util-atomic.h:332
StringParseUint16
int StringParseUint16(uint16_t *res, int base, size_t len, const char *str)
Definition: util-byte.c:296
SCFlowStorageId
Definition: flow-storage.h:31
FlowRateGetStorageID
SCFlowStorageId FlowRateGetStorageID(void)
Definition: util-flow-rate.c:133
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition: conf.c:852
g_flowrate_storage_id
SCFlowStorageId g_flowrate_storage_id
Definition: util-flow-rate.c:37
util-unittest.h
util-unittest-helper.h
SCFlowStorageRegister
SCFlowStorageId SCFlowStorageRegister(const char *name, void(*Free)(void *))
Definition: flow-storage.c:61
FLOW_CHECK_MEMCAP
#define FLOW_CHECK_MEMCAP(size)
check if a memory alloc would fit in the memcap
Definition: flow-util.h:134
FlowRateStore_::dir
FlowRateDirStore dir[2]
Definition: util-flow-rate.h:48
FlowRateStoreUpdate
void FlowRateStoreUpdate(FlowRateStore *frs, SCTime_t p_ts, uint32_t pkt_len, int direction)
Definition: util-flow-rate.c:192
util-flow-rate.h
TOSERVER
#define TOSERVER
Definition: flow.h:45
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
File_::end
uint64_t end
Definition: util-file.h:173
Packet_::ts
SCTime_t ts
Definition: decode.h:559
SCTime_t::secs
uint64_t secs
Definition: util-time.h:41
FlowRateRegisterFlowStorage
void FlowRateRegisterFlowStorage(void)
Definition: util-flow-rate.c:60
SC_ATOMIC_SUB
#define SC_ATOMIC_SUB(name, val)
sub a value from our atomic variable
Definition: util-atomic.h:341
Packet_
Definition: decode.h:505
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:209
flow_rate_config
FlowRateConfig flow_rate_config
Definition: util-flow-rate.c:39
conf.h
SCTime_t
Definition: util-time.h:40
SCConfNodeLookupChild
SCConfNode * SCConfNodeLookupChild(const SCConfNode *node, const char *name)
Lookup a child configuration node by name.
Definition: conf.c:824
flow-storage.h
FlowRateDirStore_::last_idx
uint16_t last_idx
Definition: util-flow-rate.h:38
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
suricata-common.h
FlowRateStoreInit
FlowRateStore * FlowRateStoreInit(void)
Definition: util-flow-rate.c:101
flow_config
FlowConfig flow_config
Definition: flow.c:94
FlowRateIsExceeding
bool FlowRateIsExceeding(FlowRateStore *frs, int direction)
Definition: util-flow-rate.c:227
FatalError
#define FatalError(...)
Definition: util-debug.h:517
File_::start
uint64_t start
Definition: util-file.h:172
FlowRateConfig_::bytes
uint64_t bytes
Definition: util-flow-rate.h:28
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition: conf.c:182
SCFree
#define SCFree(p)
Definition: util-mem.h:61
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:473
FlowRateDirStore_::buf
uint64_t * buf
Definition: util-flow-rate.h:34
FlowRateStorageEnabled
bool FlowRateStorageEnabled(void)
Definition: util-flow-rate.c:96
SCFlowStorageId::id
int id
Definition: flow-storage.h:32
util-misc.h
SCTIME_INITIALIZER
#define SCTIME_INITIALIZER
Definition: util-time.h:51
SCTIME_ADD_SECS
#define SCTIME_ADD_SECS(ts, s)
Definition: util-time.h:64
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
FlowRateDirStore_::size
uint16_t size
Definition: util-flow-rate.h:40
SCConfNode_
Definition: conf.h:37
FlowRateDirStore_::last_ts
SCTime_t last_ts
Definition: util-flow-rate.h:44
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
FlowRateStore_
Definition: util-flow-rate.h:47
util-storage.h
FlowRateConfig_
Definition: util-flow-rate.h:27