stream/events: log as stats

7 years ago · 6c97909a92
parent fa06879563
commit 6c97909a92
6 changed files with 28 additions and 21 deletions
--- a/src/decode-events.c
+++ b/src/decode-events.c
@ -188,7 +188,7 @@ const struct DecodeEvents_ DEvents[] = {
    { "stream.3whs_async_wrong_seq", STREAM_3WHS_ASYNC_WRONG_SEQ, },
    { "stream.3whs_right_seq_wrong_ack_evasion", STREAM_3WHS_RIGHT_SEQ_WRONG_ACK_EVASION, },
    { "stream.3whs_synack_in_wrong_direction", STREAM_3WHS_SYNACK_IN_WRONG_DIRECTION, },
-    { "stream.3whs_synack_resend_with_different_ack", STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
+    { "stream.3whs_synack_resend_with_diff_ack", STREAM_3WHS_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
    { "stream.3whs_synack_resend_with_diff_seq", STREAM_3WHS_SYNACK_RESEND_WITH_DIFF_SEQ, },
    { "stream.3whs_synack_toserver_on_syn_recv", STREAM_3WHS_SYNACK_TOSERVER_ON_SYN_RECV, },
    { "stream.3whs_synack_with_wrong_ack", STREAM_3WHS_SYNACK_WITH_WRONG_ACK, },
@ -210,7 +210,7 @@ const struct DecodeEvents_ DEvents[] = {
    { "stream.est_packet_out_of_window", STREAM_EST_PACKET_OUT_OF_WINDOW, },
    { "stream.est_pkt_before_last_ack", STREAM_EST_PKT_BEFORE_LAST_ACK, },
    { "stream.est_synack_resend", STREAM_EST_SYNACK_RESEND, },
-    { "stream.est_synack_resend_with_different_ack", STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
+    { "stream.est_synack_resend_with_diff_ack", STREAM_EST_SYNACK_RESEND_WITH_DIFFERENT_ACK, },
    { "stream.est_synack_resend_with_diff_seq", STREAM_EST_SYNACK_RESEND_WITH_DIFF_SEQ, },
    { "stream.est_synack_toserver", STREAM_EST_SYNACK_TOSERVER, },
    { "stream.est_syn_resend", STREAM_EST_SYN_RESEND, },
@ -231,11 +231,11 @@ const struct DecodeEvents_ DEvents[] = {
    { "stream.rst_but_no_session", STREAM_RST_BUT_NO_SESSION, },
    { "stream.timewait_ack_wrong_seq", STREAM_TIMEWAIT_ACK_WRONG_SEQ, },
    { "stream.timewait_invalid_ack", STREAM_TIMEWAIT_INVALID_ACK, },
+    { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, },
    { "stream.pkt_invalid_timestamp", STREAM_PKT_INVALID_TIMESTAMP, },
    { "stream.pkt_invalid_ack", STREAM_PKT_INVALID_ACK, },
    { "stream.pkt_broken_ack", STREAM_PKT_BROKEN_ACK, },
    { "stream.rst_invalid_ack", STREAM_RST_INVALID_ACK, },
-    { "stream.shutdown_syn_resend", STREAM_SHUTDOWN_SYN_RESEND, },
    { "stream.pkt_retransmission", STREAM_PKT_RETRANSMISSION, },
    { "stream.pkt_bad_window_update", STREAM_PKT_BAD_WINDOW_UPDATE, },

--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -190,9 +190,6 @@ enum {
    /* Cisco Fabric Path/DCE events. */
    DCE_PKT_TOO_SMALL,

-    /* END OF DECODE EVENTS ON SINGLE PACKET */
-    DECODE_EVENT_PACKET_MAX,
-
    /* STREAM EVENTS */
    STREAM_3WHS_ACK_IN_WRONG_DIR,
    STREAM_3WHS_ASYNC_WRONG_SEQ,
@ -248,13 +245,12 @@ enum {
    STREAM_RST_INVALID_ACK,
    STREAM_PKT_RETRANSMISSION,
    STREAM_PKT_BAD_WINDOW_UPDATE,
+
    STREAM_SUSPECTED_RST_INJECT,

    STREAM_REASSEMBLY_SEGMENT_BEFORE_BASE_SEQ,
    STREAM_REASSEMBLY_NO_SEGMENT,
-
    STREAM_REASSEMBLY_SEQ_GAP,
-
    STREAM_REASSEMBLY_OVERLAP_DIFFERENT_DATA,

    /* should always be last! */
@ -270,6 +266,7 @@ struct DecodeEvents_ {
    const char *event_name;
    uint8_t code;
 };
-extern const struct DecodeEvents_ DEvents[DECODE_EVENT_MAX];
+/* +1 for the end of table marker */
+extern const struct DecodeEvents_ DEvents[DECODE_EVENT_MAX + 1];

 #endif /* __DECODE_EVENTS_H__ */
--- a/src/decode.c
+++ b/src/decode.c
@ -106,18 +106,18 @@ void PacketFree(Packet *p)
 * functions when decoding has been succesful.
 *
 */
-
 void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
 {
-
    if (p->flags & PKT_IS_INVALID) {
        StatsIncr(tv, dtv->counter_invalid);
-        int i = 0;
-        for (i = 0; i < p->events.cnt; i++) {
-            if (EVENT_IS_DECODER_PACKET_ERROR(p->events.events[i])) {
-                StatsIncr(tv, dtv->counter_invalid_events[p->events.events[i]]);
-            }
-        }
+    }
+}
+
+void PacketUpdateEngineEventCounters(ThreadVars *tv,
+        DecodeThreadVars *dtv, Packet *p)
+{
+    for (uint8_t i = 0; i < p->events.cnt; i++) {
+        StatsIncr(tv, dtv->counter_engine_events[p->events.events[i]]);
    }
 }

@ -451,10 +451,9 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
    dtv->counter_defrag_max_hit =
        StatsRegisterCounter("defrag.max_frag_hits", tv);

-    int i = 0;
-    for (i = 0; i < DECODE_EVENT_PACKET_MAX; i++) {
+    for (int i = 0; i < DECODE_EVENT_MAX; i++) {
        BUG_ON(i != (int)DEvents[i].code);
-        dtv->counter_invalid_events[i] = StatsRegisterCounter(
+        dtv->counter_engine_events[i] = StatsRegisterCounter(
                DEvents[i].event_name, tv);
    }

--- a/src/decode.h
+++ b/src/decode.h
@ -694,7 +694,8 @@ typedef struct DecodeThreadVars_
    uint16_t counter_flow_icmp4;
    uint16_t counter_flow_icmp6;

-     uint16_t counter_invalid_events[DECODE_EVENT_PACKET_MAX];
+    uint16_t counter_engine_events[DECODE_EVENT_MAX];
+
    /* thread data for flow logging api: only used at forced
     * flow recycle during lookups */
    void *output_flow_thread_data;
@ -915,6 +916,8 @@ void DecodeRegisterPerfCounters(DecodeThreadVars *, ThreadVars *);
 Packet *PacketGetFromQueueOrAlloc(void);
 Packet *PacketGetFromAlloc(void);
 void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p);
+void PacketUpdateEngineEventCounters(ThreadVars *tv,
+        DecodeThreadVars *dtv, Packet *p);
 void PacketFree(Packet *p);
 void PacketFreeOrRelease(Packet *p);
 int PacketCallocExtPkt(Packet *p, int datalen);
--- a/src/detect-engine-event.c
+++ b/src/detect-engine-event.c
@ -242,6 +242,12 @@ static int DetectStreamEventSetup (DetectEngineCtx *de_ctx, Signature *s, const
 {
    char srawstr[64] = "stream.";

+    if (strcmp(rawstr, "est_synack_resend_with_different_ack") == 0) {
+        rawstr = "est_synack_resend_with_diff_ack";
+    } else if (strcmp(rawstr, "3whs_synack_resend_with_different_ack") == 0) {
+        rawstr = "3whs_synack_resend_with_diff_ack";
+    }
+
    /* stream:$EVENT alias command develop as decode-event:stream.$EVENT */
    strlcat(srawstr, rawstr, sizeof(srawstr));

--- a/src/flow-worker.c
+++ b/src/flow-worker.c
@ -249,6 +249,8 @@ static TmEcode FlowWorker(ThreadVars *tv, Packet *p, void *data, PacketQueue *pr
        FLOWWORKER_PROFILING_END(p, PROFILE_FLOWWORKER_APPLAYERUDP);
    }

+    PacketUpdateEngineEventCounters(tv, fw->dtv, p);
+
    /* handle Detect */
    DEBUG_ASSERT_FLOW_LOCKED(p->flow);
    SCLogDebug("packet %"PRIu64" calling Detect", p->pcap_cnt);