Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alert queue optimizations - v3 #7297

Closed
wants to merge 10 commits into from
Closed

Alert queue optimizations - v3 #7297

wants to merge 10 commits into from

Conversation

jufajardini
Copy link
Contributor

Previous PR: #7290

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/4943

Describe changes:

  • rebased last PR, to have the CI checks run

suricata-verify-pr: 808
OISF/suricata-verify#808

@jufajardini
detect: add initial infrastructure for alert queue
a09825c 
Initial work to bring the alert queue processing to
DetectEngineThreadCtx.

Task OISF#4943
@jufajardini
detect: sort alert queue from det_ctx
80644cc 
Sort the PacketAlert queue that will be passed to the Packet handling
functions, so there's less work to be done with it from there.

Task OISF#4943
@jufajardini
detect/engine: use alert queue from det_ctx
2b32ca6 
Task OISF#4943
@jufajardini
detect/alert: process alert queue before appending
ae9f5ff 
Do all alert queue processing before actually appending
the PacketAlerts to the Packet's alert queue.

Task OISF#4943
@jufajardini
detect/alert: remove unused functions
fd34e27 
Since we now only copy the PacketAlerts to the Packet's queue after
processing them, we no longer do packet alert appending from
detect-engine-alert, nor do we remove PacketAlerts from the queue (if
they're discarded by overflow or thresholding, they're not copied to the
final alert queue).

Task OISF#4943
@jufajardini
decode: make packet_alert_max configurable
aa183f0 
The maximum of possible alerts triggered by a unique packet was
hardcoded to 15. With usage of 'noalert' rules, that limit could be
reached somewhat easily. Make that configurable via suricata.yaml.

Conf Bug#4941

Task OISF#4207
@jufajardini
detect/stats: log out total of discarded alerts
b66f491 
Add a counter to our stats log with the total of alerts that have been
discarded due to packet alert queue overflow.

Task OISF#5179
@jufajardini
detect/stats: log out total of suppressed alerts
284352d
@jufajardini
assorted: fix low hanging typos
29bbac4
@jufajardini
detect: update copyright years
ce3a7ae
@jufajardini jufajardini requested a review from a team as a code owner April 25, 2022 12:27
@jufajardini jufajardini mentioned this pull request Apr 25, 2022
Closed
@codecov
Copy link

codecov bot commented Apr 25, 2022

Codecov Report

Merging #7297 (ce3a7ae) into master (ddf9c9d) will decrease coverage by 0.04%.
The diff coverage is 94.56%.

@@            Coverage Diff             @@
##           master    #7297      +/-   ##
==========================================
- Coverage   75.82%   75.77%   -0.05%     
==========================================
  Files         656      656              
  Lines      190051   190091      +40     
==========================================
- Hits       144102   144049      -53     
- Misses      45949    46042      +93
Flag Coverage Δ
fuzzcorpus 60.30% <82.95%> (-0.12%) ⬇️
suricata-verify 51.53% <96.34%> (-0.01%) ⬇️
unittests 61.01% <76.82%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@victorjulien
Copy link
Member

QA on my end looks good.

jlucovsky
jlucovsky reviewed Apr 26, 2022
View reviewed changes
src/detect.c
det_ctx->alert_queue, (size_t)(sizeof(PacketAlert) * det_ctx->alert_queue_capacity));
if (tmp_queue == NULL) {
SCLogWarning(SC_ERR_MEM_ALLOC, "failed to allocate %" PRIuMAX " bytes",
(uintmax_t)(PACKET_ALERT_MAX * sizeof(PacketAlert)));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Restore alert_queue_capcity on error return.

The size value in the message is kind of correct because you're trying to allocate an additional group of bytes of that size. However, the total allocation is sizeof(PacketAlert)* det_ctx->alert_queue_capacity

src/detect.c
{
if (det_ctx->alert_queue_size == det_ctx->alert_queue_capacity) {
/* we must grow the alert queue */
AlertQueueExpand(det_ctx);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to handle AlertQueueExpand failures

src/detect.c
/** \internal
* \brief sort helper for sorting alerts by priority
*
* The id field is set from Signature::num, so we have higher priority (lower ids) first
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: s/id/tx_id/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This actually needed some rewording, thanks for making me re-read it :P

@suricata-qa
Copy link

Note: please make sure all tickets in the commits are mentioned in the PR:

Please update PR body and remove the 'needs ticket' label when done.

@suricata-qa suricata-qa added the needs ticket Needs (link to) redmine ticket label Apr 26, 2022
@jufajardini jufajardini mentioned this pull request Apr 26, 2022
Closed
@jufajardini
Copy link
Contributor Author

Followed by #7314

@jufajardini jufajardini deleted the alert-queue-det-ctx/v3 branch May 2, 2022 12:58
Nancyenos added a commit to Nancyenos/suricata that referenced this pull request Oct 19, 2024
@Nancyenos
Remove duplicate function declarations
7b374ad 
Ticket: OISF#7297
@Nancyenos Nancyenos mentioned this pull request Oct 19, 2024
Closed
2 tasks
Nancyenos added a commit to Nancyenos/suricata that referenced this pull request Oct 21, 2024
@Nancyenos
Remove duplicate function declarations
26f0fd8 
Ticket: OISF#7297
@Nancyenos Nancyenos mentioned this pull request Oct 21, 2024
Closed
2 tasks
Nancyenos added a commit to Nancyenos/suricata that referenced this pull request Oct 22, 2024
@Nancyenos
misc: Remove duplicate function declarations
aa4523f 
Ticket: OISF#7297
Nancyenos added a commit to Nancyenos/suricata that referenced this pull request Oct 23, 2024
@Nancyenos
misc: Remove duplicate function declarations
94ef040 
Ticket: OISF#7297
@Nancyenos Nancyenos mentioned this pull request Oct 23, 2024
Closed
2 tasks
Nancyenos added a commit to Nancyenos/suricata that referenced this pull request Oct 24, 2024
@Nancyenos
misc: Remove duplicate function declarations
9630205 
Ticket: OISF#7297
@Nancyenos Nancyenos mentioned this pull request Oct 24, 2024
Closed
2 tasks
victorjulien pushed a commit to victorjulien/suricata that referenced this pull request Oct 25, 2024
@Nancyenos @victorjulien
misc: Remove duplicate function declarations
a0fc2b8 
Ticket: OISF#7297
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlucovsky jlucovsky jlucovsky left review comments

Assignees
No one assigned
Labels
needs doc update needs ticket Needs (link to) redmine ticket
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jufajardini @victorjulien @suricata-qa @jlucovsky