eve/drop: log drop reason

Ticket: #5202.
3 years ago · 0035673208
parent 55fb2d5d2d
commit 0035673208
7 changed files with 76 additions and 11 deletions
--- a/etc/schema.json
+++ b/etc/schema.json
@ -1088,6 +1088,9 @@
                },
                "urg": {
                    "type": "boolean"
+                },
+                "reason": {
+                    "type": "string"
                }
            },
            "additionalProperties": false
--- a/src/decode.c
+++ b/src/decode.c
@ -768,6 +768,38 @@ const char *PktSrcToString(enum PktSrcEnum pkt_src)
    return pkt_src_str;
 }

+const char *PacketDropReasonToString(enum PacketDropReason r)
+{
+    switch (r) {
+        case PKT_DROP_REASON_DECODE_ERROR:
+            return "decode error";
+        case PKT_DROP_REASON_DEFRAG_ERROR:
+            return "defrag error";
+        case PKT_DROP_REASON_DEFRAG_MEMCAP:
+            return "defrag memcap";
+        case PKT_DROP_REASON_FLOW_MEMCAP:
+            return "flow memcap";
+        case PKT_DROP_REASON_FLOW_DROP:
+            return "flow drop";
+        case PKT_DROP_REASON_STREAM_ERROR:
+            return "stream error";
+        case PKT_DROP_REASON_STREAM_MEMCAP:
+            return "stream memcap";
+        case PKT_DROP_REASON_APPLAYER_ERROR:
+            return "applayer error";
+        case PKT_DROP_REASON_APPLAYER_MEMCAP:
+            return "applayer memcap";
+        case PKT_DROP_REASON_RULES:
+            return "rules";
+        case PKT_DROP_REASON_RULES_THRESHOLD:
+            return "threshold detection_filter";
+        case PKT_DROP_REASON_NOT_SET:
+        default:
+            return NULL;
+    }
+}
+
+/* TODO drop reason stats! */
 void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
 {
    if (unlikely(PacketTestAction(p, (ACTION_REJECT | ACTION_REJECT_DST | ACTION_REJECT_BOTH)))) {
--- a/src/decode.h
+++ b/src/decode.h
@ -404,6 +404,21 @@ typedef struct PktProfiling_ {

 #endif /* PROFILING */

+enum PacketDropReason {
+    PKT_DROP_REASON_NOT_SET = 0,
+    PKT_DROP_REASON_DECODE_ERROR,
+    PKT_DROP_REASON_DEFRAG_ERROR,
+    PKT_DROP_REASON_DEFRAG_MEMCAP,
+    PKT_DROP_REASON_FLOW_MEMCAP,
+    PKT_DROP_REASON_FLOW_DROP,
+    PKT_DROP_REASON_STREAM_ERROR,
+    PKT_DROP_REASON_STREAM_MEMCAP,
+    PKT_DROP_REASON_APPLAYER_ERROR,
+    PKT_DROP_REASON_APPLAYER_MEMCAP,
+    PKT_DROP_REASON_RULES,
+    PKT_DROP_REASON_RULES_THRESHOLD, /**< detection_filter in action */
+};
+
 /* forward declaration since Packet struct definition requires this */
 struct PacketQueue_;

@ -600,6 +615,14 @@ typedef struct Packet_
    /** data linktype in host order */
    int datalink;

+    /* count decoded layers of packet : too many layers
+     * cause issues with performance and stability (stack exhaustion)
+     */
+    uint8_t nb_decoded_layers;
+
+    /* enum PacketDropReason::PKT_DROP_REASON_* as uint8_t for compactness */
+    uint8_t drop_reason;
+
    /* tunnel/encapsulation handling */
    struct Packet_ *root; /* in case of tunnel this is a ptr
                           * to the 'real' packet, the one we
@ -625,11 +648,6 @@ typedef struct Packet_
     */
    struct PktPool_ *pool;

-    /* count decoded layers of packet : too many layers
-     * cause issues with performance and stability (stack exhaustion)
-     */
-    uint8_t nb_decoded_layers;
-
 #ifdef PROFILING
    PktProfiling *profile;
 #endif
@ -802,6 +820,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
        (p)->ts.tv_sec = 0;                                                                        \
        (p)->ts.tv_usec = 0;                                                                       \
        (p)->datalink = 0;                                                                         \
+        (p)->drop_reason = 0;                                                                      \
        (p)->action = 0;                                                                           \
        if ((p)->pktvar != NULL) {                                                                 \
            PktVarFree((p)->pktvar);                                                               \
@ -899,8 +918,6 @@ static inline void PacketSetAction(Packet *p, const uint8_t a)

 #define PACKET_ACCEPT(p) PACKET_SET_ACTION(p, ACTION_ACCEPT)

-#define PACKET_DROP(p) PACKET_SET_ACTION(p, ACTION_DROP)
-
 #define PACKET_REJECT(p) PACKET_SET_ACTION(p, (ACTION_REJECT|ACTION_DROP))

 #define PACKET_REJECT_DST(p) PACKET_SET_ACTION(p, (ACTION_REJECT_DST|ACTION_DROP))
@ -911,6 +928,14 @@ static inline void PacketSetAction(Packet *p, const uint8_t a)

 #define PACKET_TEST_ACTION(p, a) (p)->action &(a)

+static inline void PacketDrop(Packet *p, enum PacketDropReason r)
+{
+    if (p->drop_reason == PKT_DROP_REASON_NOT_SET)
+        p->drop_reason = (uint8_t)r;
+
+    PACKET_SET_ACTION(p, ACTION_DROP);
+}
+
 static inline uint8_t PacketTestAction(const Packet *p, const uint8_t a)
 {
    if (likely(p->root == NULL)) {
@ -988,6 +1013,7 @@ DecodeThreadVars *DecodeThreadVarsAlloc(ThreadVars *);
 void DecodeThreadVarsFree(ThreadVars *, DecodeThreadVars *);
 void DecodeUpdatePacketCounters(ThreadVars *tv,
                                const DecodeThreadVars *dtv, const Packet *p);
+const char *PacketDropReasonToString(enum PacketDropReason r);

 /* decoder functions */
 int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t);
--- a/src/detect-engine-threshold.c
+++ b/src/detect-engine-threshold.c
@ -299,7 +299,7 @@ static inline void RateFilterSetAction(Packet *p, PacketAlert *pa, uint8_t new_a
            pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
            break;
        case TH_ACTION_DROP:
-            PACKET_DROP(p);
+            PacketDrop(p, PKT_DROP_REASON_RULES_THRESHOLD);
            pa->flags |= PACKET_ALERT_RATE_FILTER_MODIFIED;
            break;
        case TH_ACTION_REJECT:
--- a/src/detect.c
+++ b/src/detect.c
@ -1688,7 +1688,7 @@ static void DetectFlow(ThreadVars *tv,

    /* if flow is set to drop, we enforce that here */
    if (p->flow->flags & FLOW_ACTION_DROP) {
-        PACKET_DROP(p);
+        PacketDrop(p, PKT_DROP_REASON_FLOW_DROP);
        SCReturn;
    }

--- a/src/output-json-drop.c
+++ b/src/output-json-drop.c
@ -140,6 +140,10 @@ static int DropLogJSON (JsonDropLogThread *aft, const Packet *p)
            }
            break;
    }
+    if (p->drop_reason != 0) {
+        const char *str = PacketDropReasonToString(p->drop_reason);
+        jb_set_string(js, "reason", str);
+    }

    /* Close drop. */
    jb_close(js);
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -4929,7 +4929,7 @@ int StreamTcpPacket (ThreadVars *tv, Packet *p, StreamTcpThread *stt,
        FlowSetNoPacketInspectionFlag(p->flow);
        DecodeSetNoPacketInspectionFlag(p);
        StreamTcpDisableAppLayer(p->flow);
-        PACKET_DROP(p);
+        PacketDrop(p, PKT_DROP_REASON_FLOW_DROP);
        /* return the segments to the pool */
        StreamTcpSessionPktFree(p);
        SCReturnInt(0);
@ -5097,7 +5097,7 @@ error:
         * anyway. Doesn't disable all detection, so we can still
         * match on the stream event that was set. */
        DecodeSetNoPayloadInspectionFlag(p);
-        PACKET_DROP(p);
+        PacketDrop(p, PKT_DROP_REASON_STREAM_ERROR);
    }
    SCReturnInt(-1);
 }