Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

exception/policy: add stats counters - v3.1 #10264

Closed
wants to merge 6 commits into from
Closed

exception/policy: add stats counters - v3.1 #10264

wants to merge 6 commits into from

Conversation

jufajardini
Copy link
Contributor

@jufajardini jufajardini commented Jan 26, 2024
edited
Loading

Link to redmine ticket:
https://redmine.openinfosecfoundation.org/issues/5816

Previous PR: #8735

Describe changes:

  • include exception policy stats counters for app-layer errors in summary form, too (see output example)
  • allow configuring whether or not exception policy counters are logged if 0
  • allow configuring whether or not exception policy error counters are logged for each app-proto
  • remove stats counters logging when exception policy == ignore
  • remove stats counters for exceptions that are never valid, for certain scenarios (based on https://docs.suricata.io/en/latest/configuration/exception-policies.html)

TODO:

  • document exception policy stats counters
  • check what is the overflow caused when enabling delta counters or thread logs
  • confirm if we are not trying to log counters for cases when exception policies are not valid (such as specific situations in IDS or IPS).
  • better align stats.log - as the new counters size character is longer than what we currently have in the stats
  • update the json.schema to include delta counters.

Output examples:
tcp

  "tcp": {
    "syn": 1,
    "synack": 1,
    "rst": 3,
    "active_sessions": 0,
    "sessions": 1,
    "ssn_memcap_drop": 0,
    "ssn_from_cache": 0,
    "ssn_from_pool": 1,
    "ssn_memcap_exception_policy": {
      "reject": 0,
      "bypass": 0,
      "pass_flow": 0,
      "pass_packet": 0,
      "drop_flow": 0,
      "drop_packet": 0
    },
    "pseudo": 0,
    "pseudo_failed": 0,
    "invalid_checksum": 0,
    "midstream_pickups": 0,
    "midstream_exception_policy": {
      "reject": 0,
      "bypass": 0,
      "pass_flow": 0,
      "drop_flow": 0
    },

app-layer -> summary, logging zero values, logging per-app-proto:

"app_layer": {
    "error": {
      "exception_policy": {
        "reject": 0,
        "bypass": 0,
        "pass_flow": 0,
        "pass_packet": 1,
        "drop_flow": 0,
        "drop_packet": 0
      },
      "http": {
        "gap": 0,
        "alloc": 0,
        "parser": 0,
        "internal": 0,
        "exception_policy": {
          "reject": 0,
          "bypass": 0,
          "pass_flow": 0,
          "pass_packet": 0,
          "drop_flow": 0,
          "drop_packet": 0
        }
      },

app-layer -> not logging per app-proto, nor zeroes:

  "app_layer": {
    "error": {
      "exception_policy": {
        "drop_flow": 1
      },
      "tls": {
        "gap": 0,
        "alloc": 0,
        "parser": 1,
        "internal": 0
      },

app-layer-> logging per app-proto, no zeroes:

  "tls": {
    "gap": 0,
    "alloc": 0,
    "parser": 1,
    "internal": 0,
    "exception_policy": {
      "pass_packet": 1
    }
  },
  "smb": {
    "gap": 0,
    "alloc": 0,
    "parser": 0,
    "internal": 0,
    "exception_policy": {}
  },

suricata-verify-pr: OISF/suricata-verify#1617

@jufajardini
decode/flow: add exception policy stats counters
57572c7 
We will register stats counters for all policies, even though for now
Suri only uses one possible configuration policy at a time. The idea is
that this could change in the near future, so we want to have this
ready.

Task OISF#5816
@jufajardini
stream/reassemble: add exception policy counters
9f7dd8b 
Add stats counters for exception policies applied in case of memcap hit
during stream reassembly.

Task OISF#5816
@jufajardini
stream/tcp: add ssnmemcap exception policy counter
9b78a78 
Counters for exception policies applied in case a stream session memcap
is hit.

Task OISF#5816
@jufajardini
stream/midstream: add counter for exception policy
c9983a5 
Stats counters for when a session is picked up midstream and Suri
understands this as exception scenario.

Task OISF#5816
@jufajardini
exceptions/applayer: add stats counters for errors
6b069aa 
Task OISF#5816
@jufajardini
defrag: add stats counters for exception policies
a4ee217 
Add defrag memcap stats counter.

Task OISF#5816
@codecov Codecov
Copy link

codecov bot commented Jan 26, 2024

Codecov Report

Attention: 213 lines in your changes are missing coverage. Please review.

Comparison is base (c3b3c11) 82.28% compared to head (a4ee217) 82.21%.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #10264      +/-   ##
==========================================
- Coverage   82.28%   82.21%   -0.07%     
==========================================
  Files         977      977              
  Lines      271950   272276     +326     
==========================================
+ Hits       223784   223865      +81     
- Misses      48166    48411     +245
Flag Coverage Δ
fuzzcorpus 63.31% <27.16%> (-0.09%) ⬇️
suricata-verify 61.43% <34.87%> (-0.09%) ⬇️
unittests 62.76% <17.02%> (-0.06%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 17791

@victorjulien
Copy link
Member

scan-build:

app-layer.c: In function 'AppLayerIncrErrorExcPolicyCounter':
app-layer.c:213:9: warning: 'g_id' may be used uninitialized [-Wmaybe-uninitialized]
  213 |         StatsIncr(tv, g_id);
      |         ^~~~~~~~~~~~~~~~~~~
app-layer.c:176:14: note: 'g_id' was declared here
  176 |     uint16_t g_id;
      |              ^~~~
app-layer.c:212:27: warning: The left operand of '>' is a garbage value [core.UndefinedBinaryOperatorResult]
    if (likely(tv && g_id > 0)) {
                     ~~~~ ^
./util-optimize.h:32:42: note: expanded from macro 'likely'
#define likely(expr) __builtin_expect(!!(expr), 1)
                                         ^~~~
1 warning generated.

@jufajardini jufajardini changed the title exception/policy: add stats counters - - v3.1 exception/policy: add stats counters - v3.1 Jan 29, 2024
jufajardini
jufajardini commented Jan 29, 2024
View reviewed changes
src/app-layer.c
{
uint16_t id = 0;
/* for the summary values */
uint16_t g_id;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Scan Build complaint is about this bit.

jufajardini
jufajardini commented Jan 29, 2024
View reviewed changes
src/output-json-stats.c
Comment on lines +233 to +235
if (strstr(st->stats[u].name, "exception_policy") != NULL) {
is_exception_policy_counter = true;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doens't look like the best way to do this. (This and what follows). Moreover, with the introduction of summary counters for App Layer error exception policy counters, maybe this isn't the best option? Not sure yet...

@jufajardini
Copy link
Contributor Author

scan-build:

app-layer.c: In function 'AppLayerIncrErrorExcPolicyCounter':
app-layer.c:213:9: warning: 'g_id' may be used uninitialized [-Wmaybe-uninitialized]
  213 |         StatsIncr(tv, g_id);
      |         ^~~~~~~~~~~~~~~~~~~
app-layer.c:176:14: note: 'g_id' was declared here
  176 |     uint16_t g_id;
      |              ^~~~
app-layer.c:212:27: warning: The left operand of '>' is a garbage value [core.UndefinedBinaryOperatorResult]
    if (likely(tv && g_id > 0)) {
                     ~~~~ ^
./util-optimize.h:32:42: note: expanded from macro 'likely'
#define likely(expr) __builtin_expect(!!(expr), 1)
                                         ^~~~
1 warning generated.

Thanks! This isn't what's causing the other issue, though.

jufajardini
jufajardini commented Jan 30, 2024
View reviewed changes
src/suricata.c
Comment on lines +2693 to +2698
int b;
int ret = ConfGetBool("stats.eps-per-app-proto-errors", &b);
if (ret) {
g_stats_eps_per_app_proto_errors = (b == 1);
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not the best solution, but must get this config before app-layer counters setup.

jufajardini
jufajardini commented Feb 1, 2024
View reviewed changes
src/output-json-stats.c
Comment on lines +300 to +303
if (is_exception_policy_counter && st->stats[u].value == 0 &&
!stats_eps_zero_counters) {
continue;
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is part of what causes the address sanitizer error. Removing the wrong portion of the stats, most likely.

@jufajardini jufajardini mentioned this pull request Feb 12, 2024
Closed
@jufajardini
Copy link
Contributor Author

Followed by: #10364

@jufajardini jufajardini mentioned this pull request Feb 28, 2024
Closed
@jufajardini jufajardini deleted the 5816-excep-policy-stats/v3.1 branch April 11, 2024 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien will be requested when the pull request is marked ready for review victorjulien is a code owner

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jufajardini @suricata-qa @victorjulien