Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

flow/output: log triggered exception policies - v2 #12700

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

flow/output: log triggered exception policies - v2 #12700

wants to merge 3 commits into from
+277 −59

Conversation

jufajardini
Copy link
Contributor

Changes (if applicable):

  • I have updated the User Guide (in doc/userguide/) to reflect the changes made
  • I have updated the JSON schema (in etc/schema.json) to reflect all logging changes (including schema descriptions)

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/6215

Previous PR: #12683

Output sample:

"flow": {
    "pkts_toserver": 4,
    "pkts_toclient": 5,
    "bytes_toserver": 495,
    "bytes_toclient": 351,
    "start": "2016-07-13T22:42:07.199672+0000",
    "end": "2016-07-13T22:42:07.573174+0000",
    "age": 0,
    "state": "new",
    "reason": "shutdown",
    "alerted": false,
    "action": "pass",
    "exception_policy_triggered": [
      {
        "target": "stream_midstream",
        "policy": "pass_flow"
      }
    ]
  },

Describe changes:

  • change approach for logging exception policies to the flow event, now allowing for more than one triggered policy to be logged for the same flow
    -- this includes some implementation changes to accommodate that
  • incorporate feedback from previous PR
    -- this includes an attempt at rearranging the Flow struct -- used pahole to check for holes and struct size. Size remains the same as before the change, from what I could compare

Provide values to any of the below to override the defaults.

SV_BRANCH=OISF/suricata-verify#2329

@jufajardini jufajardini requested review from victorjulien and a team as code owners February 28, 2025 22:40
@jufajardini jufajardini mentioned this pull request Feb 28, 2025
Closed
2 tasks
@jufajardini
Copy link
Contributor Author

I'm not sure if the flow rearrangement will make sense for other architectures. I apologize in advance if I messed up things. Iirc, there's a less intrusive alternative that keeps the new field by the end and might also keep the same struct size as before, only with one 3 bytes hole in the last cacheline

@jufajardini
Copy link
Contributor Author

Force-pushed to fix clang-format issue, forgot to re-run the script after rearranging the struct.

@jufajardini
flow/output: log triggered exception policies
2a1d679 
To accompany the Exception Policy stats, also add information about any
Exception Policy triggered and for which target to the flow log event.

Task OISF#6215
@jufajardini
flow: rearrange flow struct for better memory use
e298277 
ExceptionPolicy-related members added to the struct led to the need to
better optimize it.

Related to
Task OISF#6215
@jufajardini
userguide/exceptions: clarify when stats are logged
167d947 
The stats for exception policies are only logged/ present when any of
the exception policies are enabled (which means any value other than
"auto" or "ignore" in IDS mode, or "ignore" in IPS mode).

This wasn't clearly stated in the docs.
@suricata-qa
Copy link

ERROR:
ERROR: SEGMENTATION FAULT in build_asan QA test

ERROR: QA failed on build_asan.

Pipeline 24944

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jufajardini @suricata-qa