detect/stats: log out total of discarded alerts

Add a counter to our stats log with the total of alerts that have been
discarded due to packet alert queue overflow.

Task #5179

src/decode.h

@@ -304,6 +304,7 @@ extern uint16_t packet_alert_max;
 
 typedef struct PacketAlerts_ {
     uint16_t cnt;
+    uint16_t discarded;
     PacketAlert *alerts;
     /* single pa used when we're dropping,
      * so we can log it out in the drop log. */
@@ -839,6 +840,7 @@ void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
         (p)->BypassPacketsFlow = NULL;                                                             \
         (p)->pktlen = 0;                                                                           \
         (p)->alerts.cnt = 0;                                                                       \
+        (p)->alerts.discarded = 0;                                                                 \
         (p)->alerts.drop.action = 0;                                                               \
         (p)->pcap_cnt = 0;                                                                         \
         (p)->tunnel_rtv_cnt = 0;                                                                   \

src/detect-engine-alert.c

@@ -269,6 +269,7 @@ void AlertQueueAppend(DetectEngineThreadCtx *det_ctx, const Signature *s, Packet
         /* we must grow the alert queue */
         if (pos == AlertQueueExpand(det_ctx)) {
             /* this means we failed to expand the queue */
+            det_ctx->p->alerts.discarded++;
             return;
         }
     }
@@ -370,6 +371,7 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
         /* Thresholding removes this alert */
         if (res == 0 || res == 2 || (s->flags & SIG_FLAG_NOALERT)) {
             /* we will not copy this to the AlertQueue */
+            p->alerts.discarded++;
         } else if (p->alerts.cnt < packet_alert_max) {
             p->alerts.alerts[p->alerts.cnt] = det_ctx->alert_queue[i];
             SCLogDebug("Appending sid %" PRIu32 " alert to Packet::alerts at pos %u", s->id, i);
@@ -380,6 +382,8 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                 break;
             }
             p->alerts.cnt++;
+        } else {
+            p->alerts.discarded++;
         }
         i++;
     }

src/detect-engine.c

@@ -3173,6 +3173,7 @@ TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
 
     /** alert counter setup */
     det_ctx->counter_alerts = StatsRegisterCounter("detect.alert", tv);
+    det_ctx->counter_alerts_overflow = StatsRegisterCounter("detect.alert_queue_overflow", tv);
 #ifdef PROFILING
     det_ctx->counter_mpm_list = StatsRegisterAvgCounter("detect.mpm_list", tv);
     det_ctx->counter_nonmpm_list = StatsRegisterAvgCounter("detect.nonmpm_list", tv);

src/detect.c

@@ -828,6 +828,7 @@ static DetectRunScratchpad DetectRunSetup(
 
 #ifdef UNITTESTS
     p->alerts.cnt = 0;
+    p->alerts.discarded = 0;
 #endif
     det_ctx->filestore_cnt = 0;
     det_ctx->base64_decoded_len = 0;
@@ -936,6 +937,9 @@ static inline void DetectRunPostRules(
     if (p->alerts.cnt > 0) {
         StatsAddUI64(tv, det_ctx->counter_alerts, (uint64_t)p->alerts.cnt);
     }
+    if (p->alerts.discarded > 0) {
+        StatsAddUI64(tv, det_ctx->counter_alerts_overflow, (uint64_t)p->alerts.discarded);
+    }
     PACKET_PROFILING_DETECT_END(p, PROF_DETECT_ALERT);
 }
 

src/detect.h

@@ -1094,6 +1094,8 @@ typedef struct DetectEngineThreadCtx_ {
 
     /** id for alert counter */
     uint16_t counter_alerts;
+    /** id for discarded alerts counter**/
+    uint16_t counter_alerts_overflow;
 #ifdef PROFILING
     uint16_t counter_mpm_list;
     uint16_t counter_nonmpm_list;