suricata
util-profiling-prefilter.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2022 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Endace Technology Limited.
22 * \author Victor Julien <victor@inliniac.net>
23 *
24 * An API for rule profiling operations.
25 */
26
27#include "suricata-common.h"
28#include "util-profiling.h"
29
30#ifdef PROFILING
31#include "detect-engine-prefilter.h"
32#include "util-conf.h"
33#include "util-path.h"
34#include "util-time.h"
35
36typedef struct SCProfilePrefilterData_ {
37 uint64_t called;
38 uint64_t total;
39 uint64_t max;
40 uint64_t total_bytes;
41 uint64_t max_bytes;
42 uint64_t bytes_called; /**< number of times total_bytes was updated. Differs from `called` as a
43 prefilter engine may skip mpm if the smallest pattern is bigger than
44 the buffer to inspect. */
45 const char *name;
46} SCProfilePrefilterData;
47
48typedef struct SCProfilePrefilterDetectCtx_ {
49 uint32_t id;
50 uint32_t size; /**< size in elements */
51 SCProfilePrefilterData *data;
52 pthread_mutex_t data_m;
53} SCProfilePrefilterDetectCtx;
54
55static int profiling_prefilter_output_to_file = 0;
56int profiling_prefilter_enabled = 0;
57thread_local int profiling_prefilter_entered = 0;
58static char profiling_file_name[PATH_MAX];
59static const char *profiling_file_mode = "a";
60
61void SCProfilingPrefilterGlobalInit(void)
62{
63 SCConfNode *conf;
64
65 conf = SCConfGetNode("profiling.prefilter");
66 if (conf != NULL) {
67 if (SCConfNodeChildValueIsTrue(conf, "enabled")) {
68 profiling_prefilter_enabled = 1;
69 const char *filename = SCConfNodeLookupChildValue(conf, "filename");
70 if (filename != NULL) {
71 if (PathIsAbsolute(filename)) {
72 strlcpy(profiling_file_name, filename, sizeof(profiling_file_name));
73 } else {
74 const char *log_dir = SCConfigGetLogDirectory();
75 snprintf(profiling_file_name, sizeof(profiling_file_name), "%s/%s", log_dir,
76 filename);
77 }
78
79 const char *v = SCConfNodeLookupChildValue(conf, "append");
80 if (v == NULL || SCConfValIsTrue(v)) {
81 profiling_file_mode = "a";
82 } else {
83 profiling_file_mode = "w";
84 }
85
86 profiling_prefilter_output_to_file = 1;
87 }
88 }
89 }
90}
91
92static void DoDump(SCProfilePrefilterDetectCtx *rules_ctx, FILE *fp, const char *name)
93{
94 int i;
95 fprintf(fp, " ----------------------------------------------"
96 "------------------------------------------------------"
97 "----------------------------\n");
98 fprintf(fp, " Stats for: %s\n", name);
99 fprintf(fp, " ----------------------------------------------"
100 "------------------------------------------------------"
101 "----------------------------\n");
102 fprintf(fp, " %-32s %-15s %-15s %-15s %-15s %-15s %-15s %-15s %-15s %-15s\n", "Prefilter",
103 "Ticks", "Called", "Max Ticks", "Avg", "Bytes", "Called", "Max Bytes", "Avg Bytes",
104 "Ticks/Byte");
105 fprintf(fp, " -------------------------------- "
106 "--------------- "
107 "--------------- "
108 "--------------- "
109 "--------------- "
110 "--------------- "
111 "--------------- "
112 "--------------- "
113 "--------------- "
114 "--------------- "
115 "\n");
116 for (i = 0; i < (int)rules_ctx->size; i++) {
117 SCProfilePrefilterData *d = &rules_ctx->data[i];
118 if (d == NULL || d->called== 0)
119 continue;
120
121 uint64_t ticks = d->total;
122 double avgticks = 0;
123 if (ticks && d->called) {
124 avgticks = (double)(ticks / d->called);
125 }
126 double avgbytes = 0;
127 if (d->total_bytes && d->bytes_called) {
128 avgbytes = (double)(d->total_bytes / d->bytes_called);
129 }
130 double ticks_per_byte = 0;
131 if (ticks && d->total_bytes) {
132 ticks_per_byte = (double)(ticks / d->total_bytes);
133 }
134
135 fprintf(fp,
136 " %-32s %-15" PRIu64 " %-15" PRIu64 " %-15" PRIu64 " %-15.2f %-15" PRIu64
137 " %-15" PRIu64 " %-15" PRIu64 " %-15.2f %-15.2f\n",
138 d->name, ticks, d->called, d->max, avgticks, d->total_bytes, d->bytes_called,
139 d->max_bytes, avgbytes, ticks_per_byte);
140 }
141}
142
143static void
144SCProfilingPrefilterDump(DetectEngineCtx *de_ctx)
145{
146 FILE *fp;
147 struct timeval tval;
148 struct tm *tms;
149 struct tm local_tm;
150
151 if (profiling_prefilter_enabled == 0 || de_ctx->profile_prefilter_ctx == NULL)
152 return;
153
154 gettimeofday(&tval, NULL);
155 tms = SCLocalTime(tval.tv_sec, &local_tm);
156
157 if (profiling_prefilter_output_to_file == 1) {
158 SCLogDebug("file %s mode %s", profiling_file_name, profiling_file_mode);
159
160 fp = fopen(profiling_file_name, profiling_file_mode);
161
162 if (fp == NULL) {
163 SCLogError("failed to open %s: %s", profiling_file_name, strerror(errno));
164 return;
165 }
166 } else {
167 fp = stdout;
168 }
169
170 fprintf(fp, " ----------------------------------------------"
171 "------------------------------------------------------"
172 "----------------------------\n");
173 fprintf(fp, " Date: %" PRId32 "/%" PRId32 "/%04d -- "
174 "%02d:%02d:%02d\n", tms->tm_mon + 1, tms->tm_mday, tms->tm_year + 1900,
175 tms->tm_hour,tms->tm_min, tms->tm_sec);
176
177 /* global stats first */
178 DoDump(de_ctx->profile_prefilter_ctx, fp, "total");
179
180 fprintf(fp,"\n");
181 if (fp != stdout)
182 fclose(fp);
183
184 SCLogPerf("Done dumping prefilter profiling data.");
185}
186
187/**
188 * \brief Update a rule counter.
189 *
190 * \param id The ID of this counter.
191 * \param ticks Number of CPU ticks for this rule.
192 * \param match Did the rule match?
193 */
194void SCProfilingPrefilterUpdateCounter(DetectEngineThreadCtx *det_ctx, int id, uint64_t ticks,
195 uint64_t bytes, uint64_t bytes_called)
196{
197 if (det_ctx != NULL && det_ctx->prefilter_perf_data != NULL &&
198 id < (int)det_ctx->de_ctx->prefilter_id)
199 {
200 SCProfilePrefilterData *p = &det_ctx->prefilter_perf_data[id];
201
202 p->called++;
203 if (ticks > p->max)
204 p->max = ticks;
205 p->total += ticks;
206
207 p->bytes_called += bytes_called;
208 if (bytes > p->max_bytes)
209 p->max_bytes = bytes;
210 p->total_bytes += bytes;
211 }
212}
213
214static SCProfilePrefilterDetectCtx *SCProfilingPrefilterInitCtx(void)
215{
216 SCProfilePrefilterDetectCtx *ctx = SCCalloc(1, sizeof(SCProfilePrefilterDetectCtx));
217 if (ctx != NULL) {
218 if (pthread_mutex_init(&ctx->data_m, NULL) != 0) {
219 FatalError("Failed to initialize hash table mutex.");
220 }
221 }
222
223 return ctx;
224}
225
226static void DetroyCtx(SCProfilePrefilterDetectCtx *ctx)
227{
228 if (ctx) {
229 if (ctx->data != NULL)
230 SCFree(ctx->data);
231 pthread_mutex_destroy(&ctx->data_m);
232 SCFree(ctx);
233 }
234}
235
236void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
237{
238 if (de_ctx != NULL) {
239 SCProfilingPrefilterDump(de_ctx);
240
241 DetroyCtx(de_ctx->profile_prefilter_ctx);
242 }
243}
244
245void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
246{
247 if (ctx == NULL)
248 return;
249
250 const uint32_t size = det_ctx->de_ctx->prefilter_id;
251
252 SCProfilePrefilterData *a = SCCalloc(1, sizeof(SCProfilePrefilterData) * size);
253 if (a != NULL) {
254 det_ctx->prefilter_perf_data = a;
255 }
256}
257
258static void SCProfilingPrefilterThreadMerge(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx)
259{
260 if (de_ctx == NULL || de_ctx->profile_prefilter_ctx == NULL ||
261 de_ctx->profile_prefilter_ctx->data == NULL || det_ctx == NULL ||
262 det_ctx->prefilter_perf_data == NULL)
263 return;
264
265 for (uint32_t i = 0; i < de_ctx->prefilter_id; i++) {
266 de_ctx->profile_prefilter_ctx->data[i].called += det_ctx->prefilter_perf_data[i].called;
267 de_ctx->profile_prefilter_ctx->data[i].total += det_ctx->prefilter_perf_data[i].total;
268 if (det_ctx->prefilter_perf_data[i].max > de_ctx->profile_prefilter_ctx->data[i].max)
269 de_ctx->profile_prefilter_ctx->data[i].max = det_ctx->prefilter_perf_data[i].max;
270 de_ctx->profile_prefilter_ctx->data[i].total_bytes +=
271 det_ctx->prefilter_perf_data[i].total_bytes;
272 if (det_ctx->prefilter_perf_data[i].max_bytes >
273 de_ctx->profile_prefilter_ctx->data[i].max_bytes)
274 de_ctx->profile_prefilter_ctx->data[i].max_bytes =
275 det_ctx->prefilter_perf_data[i].max_bytes;
276 de_ctx->profile_prefilter_ctx->data[i].bytes_called +=
277 det_ctx->prefilter_perf_data[i].bytes_called;
278 }
279}
280
281void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
282{
283 if (det_ctx == NULL || det_ctx->de_ctx == NULL || det_ctx->prefilter_perf_data == NULL)
284 return;
285
286 pthread_mutex_lock(&det_ctx->de_ctx->profile_prefilter_ctx->data_m);
287 SCProfilingPrefilterThreadMerge(det_ctx->de_ctx, det_ctx);
288 pthread_mutex_unlock(&det_ctx->de_ctx->profile_prefilter_ctx->data_m);
289
290 SCFree(det_ctx->prefilter_perf_data);
291 det_ctx->prefilter_perf_data = NULL;
292}
293
294/**
295 * \brief Register the prefilter profiling counters.
296 *
297 * \param de_ctx The active DetectEngineCtx, used to get at the loaded rules.
298 */
299void
300SCProfilingPrefilterInitCounters(DetectEngineCtx *de_ctx)
301{
302 if (profiling_prefilter_enabled == 0)
303 return;
304
305 const uint32_t size = de_ctx->prefilter_id;
306 if (size == 0)
307 return;
308
309 de_ctx->profile_prefilter_ctx = SCProfilingPrefilterInitCtx();
310 BUG_ON(de_ctx->profile_prefilter_ctx == NULL);
311 de_ctx->profile_prefilter_ctx->size = size;
312
313 de_ctx->profile_prefilter_ctx->data = SCCalloc(1, sizeof(SCProfilePrefilterData) * size);
314 BUG_ON(de_ctx->profile_prefilter_ctx->data == NULL);
315
316 HashListTableBucket *hb = HashListTableGetListHead(de_ctx->prefilter_hash_table);
317 for ( ; hb != NULL; hb = HashListTableGetListNext(hb)) {
318 PrefilterStore *ctx = HashListTableGetListData(hb);
319 de_ctx->profile_prefilter_ctx->data[ctx->id].name = ctx->name;
320 SCLogDebug("prefilter %s set up", de_ctx->profile_prefilter_ctx->data[ctx->id].name);
321 }
322 SCLogDebug("size alloc'd %u", (uint32_t)size * (uint32_t)sizeof(SCProfilePrefilterData));
323
324 SCLogPerf("Registered %"PRIu32" prefilter profiling counters.", size);
325}
326
327#endif /* PROFILING */
SCConfGetNode
SCConfNode * SCConfGetNode(const char *name)
Get a SCConfNode by name.
Definition conf.c:181
SCConfNodeChildValueIsTrue
int SCConfNodeChildValueIsTrue(const SCConfNode *node, const char *key)
Test if a configuration node has a true value.
Definition conf.c:868
SCConfValIsTrue
int SCConfValIsTrue(const char *val)
Check if a value is true.
Definition conf.c:551
SCConfNodeLookupChildValue
const char * SCConfNodeLookupChildValue(const SCConfNode *node, const char *name)
Lookup the value of a child configuration node by name.
Definition conf.c:824
id
uint32_t id
Definition detect-flowbits.c:938
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
ctx
struct Thresholds ctx
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::prefilter_hash_table
HashListTable * prefilter_hash_table
Definition detect.h:1096
DetectEngineCtx_::prefilter_id
uint32_t prefilter_id
Definition detect.h:1095
DetectEngineCtx_::profile_prefilter_ctx
struct SCProfilePrefilterDetectCtx_ * profile_prefilter_ctx
Definition detect.h:1046
DetectEngineThreadCtx_
Definition detect.h:1244
DetectEngineThreadCtx_::prefilter_perf_data
struct SCProfilePrefilterData_ * prefilter_perf_data
Definition detect.h:1409
DetectEngineThreadCtx_::de_ctx
DetectEngineCtx * de_ctx
Definition detect.h:1364
HashListTableBucket_
Definition util-hashlist.h:28
PrefilterStore_
Definition detect-engine-prefilter.h:47
SCConfNode_
Definition conf.h:37
SCProfilePrefilterData_
Definition util-profiling-prefilter.c:36
SCProfilePrefilterData_::bytes_called
uint64_t bytes_called
Definition util-profiling-prefilter.c:42
SCProfilePrefilterData_::total_bytes
uint64_t total_bytes
Definition util-profiling-prefilter.c:40
SCProfilePrefilterData_::max_bytes
uint64_t max_bytes
Definition util-profiling-prefilter.c:41
SCProfilePrefilterData_::name
const char * name
Definition util-profiling-prefilter.c:45
SCProfilePrefilterData_::max
uint64_t max
Definition util-profiling-prefilter.c:39
SCProfilePrefilterData_::total
uint64_t total
Definition util-profiling-prefilter.c:38
SCProfilePrefilterData_::called
uint64_t called
Definition util-profiling-prefilter.c:37
SCProfilePrefilterDetectCtx_
Definition util-profiling-prefilter.c:48
SCProfilePrefilterDetectCtx_::data_m
pthread_mutex_t data_m
Definition util-profiling-prefilter.c:52
SCProfilePrefilterDetectCtx_::size
uint32_t size
Definition util-profiling-prefilter.c:50
SCProfilePrefilterDetectCtx_::data
SCProfilePrefilterData * data
Definition util-profiling-prefilter.c:51
SCProfilePrefilterDetectCtx_::id
uint32_t id
Definition util-profiling-prefilter.c:49
BUG_ON
#define BUG_ON(x)
Definition suricata-common.h:317
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition util-strlcpyu.c:43
name
const char * name
Definition tm-threads.c:2163
SCConfigGetLogDirectory
const char * SCConfigGetLogDirectory(void)
Definition util-conf.c:38
FatalError
#define FatalError(...)
Definition util-debug.h:510
SCLogPerf
#define SCLogPerf(...)
Definition util-debug.h:234
SCLogDebug
#define SCLogDebug(...)
Definition util-debug.h:275
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition util-debug.h:267
HashListTableGetListHead
HashListTableBucket * HashListTableGetListHead(HashListTable *ht)
Definition util-hashlist.c:287
HashListTableGetListData
#define HashListTableGetListData(hb)
Definition util-hashlist.h:56
HashListTableGetListNext
#define HashListTableGetListNext(hb)
Definition util-hashlist.h:55
SCFree
#define SCFree(p)
Definition util-mem.h:61
SCCalloc
#define SCCalloc(nm, sz)
Definition util-mem.h:53
PathIsAbsolute
int PathIsAbsolute(const char *path)
Check if a path is absolute.
Definition util-path.c:44
SCProfilingPrefilterInitCounters
void SCProfilingPrefilterInitCounters(DetectEngineCtx *de_ctx)
Register the prefilter profiling counters.
Definition util-profiling-prefilter.c:300
SCProfilingPrefilterUpdateCounter
void SCProfilingPrefilterUpdateCounter(DetectEngineThreadCtx *det_ctx, int id, uint64_t ticks, uint64_t bytes, uint64_t bytes_called)
Update a rule counter.
Definition util-profiling-prefilter.c:194
SCProfilePrefilterDetectCtx
struct SCProfilePrefilterDetectCtx_ SCProfilePrefilterDetectCtx
profiling_prefilter_enabled
int profiling_prefilter_enabled
Definition util-profiling-prefilter.c:56
SCProfilingPrefilterThreadCleanup
void SCProfilingPrefilterThreadCleanup(DetectEngineThreadCtx *det_ctx)
Definition util-profiling-prefilter.c:281
SCProfilingPrefilterThreadSetup
void SCProfilingPrefilterThreadSetup(SCProfilePrefilterDetectCtx *ctx, DetectEngineThreadCtx *det_ctx)
Definition util-profiling-prefilter.c:245
profiling_prefilter_entered
thread_local int profiling_prefilter_entered
Definition util-profiling-prefilter.c:57
SCProfilePrefilterData
struct SCProfilePrefilterData_ SCProfilePrefilterData
SCProfilingPrefilterGlobalInit
void SCProfilingPrefilterGlobalInit(void)
Definition util-profiling-prefilter.c:61
SCProfilingPrefilterDestroyCtx
void SCProfilingPrefilterDestroyCtx(DetectEngineCtx *de_ctx)
Definition util-profiling-prefilter.c:236
SCLocalTime
struct tm * SCLocalTime(time_t timep, struct tm *result)
Definition util-time.c:267