IPS stats/v2

etc/schema.json

@@ -4013,6 +4013,72 @@
                     },
                     "additionalProperties": false
                 },
+                "ips": {
+                    "type": "object",
+                    "properties": {
+                        "accepted": {
+                            "type": "integer"
+                        },
+                        "blocked": {
+                            "type": "integer"
+                        },
+                        "rejected": {
+                            "type": "integer"
+                        },
+                        "replaced": {
+                            "type": "integer"
+                        },
+                        "drop_reason": {
+                            "type": "object",
+                            "properties": {
+                                "decode_error": {
+                                    "type": "integer"
+                                },
+                                "defrag_error": {
+                                    "type": "integer"
+                                },
+                                "defrag_memcap": {
+                                    "type": "integer"
+                                },
+                                "flow_memcap": {
+                                    "type": "integer"
+                                },
+                                "flow_drop": {
+                                    "type": "integer"
+                                },
+                                "applayer_error": {
+                                    "type": "integer"
+                                },
+                                "applayer_memcap": {
+                                    "type": "integer"
+                                },
+                                "rules": {
+                                    "type": "integer"
+                                },
+                                "threshold_detection_filter": {
+                                    "type": "integer"
+                                },
+                                "stream_error": {
+                                    "type": "integer"
+                                },
+                                "stream_memcap": {
+                                    "type": "integer"
+                                },
+                                "stream_midstream": {
+                                    "type": "integer"
+                                },
+                                "nfq_error": {
+                                    "type": "integer"
+                                },
+                                "tunnel_packet_drop": {
+                                    "type": "integer"
+                                }
+                            },
+                            "additionalProperties": false
+                        }
+                    },
+                    "additionalProperties": false
+                },
                 "decoder": {
                     "type": "object",
                     "properties": {

src/decode.c

@@ -817,14 +817,67 @@ const char *PacketDropReasonToString(enum PacketDropReason r)
         case PKT_DROP_REASON_INNER_PACKET:
             return "tunnel packet drop";
         case PKT_DROP_REASON_NOT_SET:
+        case PKT_DROP_REASON_MAX:
             return NULL;
     }
     return NULL;
 }
 
-/* TODO drop reason stats! */
-void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
+static const char *PacketDropReasonToJsonString(enum PacketDropReason r)
 {
+    switch (r) {
+        case PKT_DROP_REASON_DECODE_ERROR:
+            return "ips.drop_reason.decode_error";
+        case PKT_DROP_REASON_DEFRAG_ERROR:
+            return "ips.drop_reason.defrag_error";
+        case PKT_DROP_REASON_DEFRAG_MEMCAP:
+            return "ips.drop_reason.defrag_memcap";
+        case PKT_DROP_REASON_FLOW_MEMCAP:
+            return "ips.drop_reason.flow_memcap";
+        case PKT_DROP_REASON_FLOW_DROP:
+            return "ips.drop_reason.flow_drop";
+        case PKT_DROP_REASON_STREAM_ERROR:
+            return "ips.drop_reason.stream_error";
+        case PKT_DROP_REASON_STREAM_MEMCAP:
+            return "ips.drop_reason.stream_memcap";
+        case PKT_DROP_REASON_STREAM_MIDSTREAM:
+            return "ips.drop_reason.stream_midstream";
+        case PKT_DROP_REASON_APPLAYER_ERROR:
+            return "ips.drop_reason.applayer_error";
+        case PKT_DROP_REASON_APPLAYER_MEMCAP:
+            return "ips.drop_reason.applayer_memcap";
+        case PKT_DROP_REASON_RULES:
+            return "ips.drop_reason.rules";
+        case PKT_DROP_REASON_RULES_THRESHOLD:
+            return "ips.drop_reason.threshold_detection_filter";
+        case PKT_DROP_REASON_NFQ_ERROR:
+            return "ips.drop_reason.nfq_error";
+        case PKT_DROP_REASON_INNER_PACKET:
+            return "ips.drop_reason.tunnel_packet_drop";
+        case PKT_DROP_REASON_NOT_SET:
+        case PKT_DROP_REASON_MAX:
+            return NULL;
+    }
+    return NULL;
+}
+
+typedef struct CaptureStats_ {
+    uint16_t counter_ips_accepted;
+    uint16_t counter_ips_blocked;
+    uint16_t counter_ips_rejected;
+    uint16_t counter_ips_replaced;
+
+    uint16_t counter_drop_reason[PKT_DROP_REASON_MAX];
+} CaptureStats;
+
+thread_local CaptureStats t_capture_stats;
+
+void CaptureStatsUpdate(ThreadVars *tv, const Packet *p)
+{
+    if (!EngineModeIsIPS() || PKT_IS_PSEUDOPKT(p))
+        return;
+
+    CaptureStats *s = &t_capture_stats;
     if (unlikely(PacketCheckAction(p, ACTION_REJECT_ANY))) {
         StatsIncr(tv, s->counter_ips_rejected);
     } else if (unlikely(PacketCheckAction(p, ACTION_DROP))) {
@@ -834,14 +887,25 @@ void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
     } else {
         StatsIncr(tv, s->counter_ips_accepted);
     }
+    if (p->drop_reason != PKT_DROP_REASON_NOT_SET) {
+        StatsIncr(tv, s->counter_drop_reason[p->drop_reason]);
+    }
 }
 
-void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
+void CaptureStatsSetup(ThreadVars *tv)
 {
-    s->counter_ips_accepted = StatsRegisterCounter("ips.accepted", tv);
-    s->counter_ips_blocked = StatsRegisterCounter("ips.blocked", tv);
-    s->counter_ips_rejected = StatsRegisterCounter("ips.rejected", tv);
-    s->counter_ips_replaced = StatsRegisterCounter("ips.replaced", tv);
+    if (EngineModeIsIPS()) {
+        CaptureStats *s = &t_capture_stats;
+        s->counter_ips_accepted = StatsRegisterCounter("ips.accepted", tv);
+        s->counter_ips_blocked = StatsRegisterCounter("ips.blocked", tv);
+        s->counter_ips_rejected = StatsRegisterCounter("ips.rejected", tv);
+        s->counter_ips_replaced = StatsRegisterCounter("ips.replaced", tv);
+        for (int i = PKT_DROP_REASON_NOT_SET; i < PKT_DROP_REASON_MAX; i++) {
+            const char *name = PacketDropReasonToJsonString(i);
+            if (name != NULL)
+                s->counter_drop_reason[i] = StatsRegisterCounter(name, tv);
+        }
+    }
 }
 
 void DecodeGlobalConfig(void)

src/decode.h

@@ -403,6 +403,7 @@ enum PacketDropReason {
     PKT_DROP_REASON_STREAM_MIDSTREAM,
     PKT_DROP_REASON_NFQ_ERROR,    /**< no nfq verdict, must be error */
     PKT_DROP_REASON_INNER_PACKET, /**< drop issued by inner (tunnel) packet */
+    PKT_DROP_REASON_MAX,
 };
 
 /* forward declaration since Packet struct definition requires this */
@@ -749,17 +750,8 @@ typedef struct DecodeThreadVars_
 
 } DecodeThreadVars;
 
-typedef struct CaptureStats_ {
-
-    uint16_t counter_ips_accepted;
-    uint16_t counter_ips_blocked;
-    uint16_t counter_ips_rejected;
-    uint16_t counter_ips_replaced;
-
-} CaptureStats;
-
-void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p);
-void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s);
+void CaptureStatsUpdate(ThreadVars *tv, const Packet *p);
+void CaptureStatsSetup(ThreadVars *tv);
 
 #define PACKET_CLEAR_L4VARS(p) do {                         \
         memset(&(p)->l4vars, 0x00, sizeof((p)->l4vars));    \

src/source-nfq.c

@@ -120,8 +120,6 @@ typedef struct NFQThreadVars_
 
     char *data; /** Per function and thread data */
     int datalen; /** Length of per function and thread data */
-
-    CaptureStats stats;
 } NFQThreadVars;
 /* shared vars for all for nfq queues and threads */
 static NFQGlobalVars nfq_g;
@@ -777,10 +775,7 @@ TmEcode ReceiveNFQThreadDeinit(ThreadVars *t, void *data)
 
 TmEcode VerdictNFQThreadInit(ThreadVars *tv, const void *initdata, void **data)
 {
-    NFQThreadVars *ntv = (NFQThreadVars *) initdata;
-
-    CaptureStatsSetup(tv, &ntv->stats);
-
+    NFQThreadVars *ntv = (NFQThreadVars *)initdata;
     *data = (void *)ntv;
     return TM_ECODE_OK;
 }
@@ -1191,10 +1186,6 @@ TmEcode NFQSetVerdict(Packet *p)
  */
 TmEcode VerdictNFQ(ThreadVars *tv, Packet *p, void *data)
 {
-    NFQThreadVars *ntv = (NFQThreadVars *)data;
-    /* update counters */
-    CaptureStatsUpdate(tv, &ntv->stats, p);
-
     /* if this is a tunnel packet we check if we are ready to verdict
      * already. */
     if (IS_TUNNEL_PKT(p)) {

src/source-windivert.c

@@ -95,7 +95,6 @@ typedef struct WinDivertThreadVars_ {
     WinDivertHandle filter_handle;
 
     int thread_num;
-    CaptureStats stats;
     int64_t qpc_start_time;
     int64_t qpc_start_count;
     int64_t qpc_freq_usec;
@@ -749,9 +748,6 @@ static TmEcode WinDivertVerdictHelper(ThreadVars *tv, Packet *p)
     SCEnter();
     WinDivertThreadVars *wd_tv = WinDivertGetThread(p->windivert_v.thread_num);
 
-    /* update counters */
-    CaptureStatsUpdate(tv, &wd_tv->stats, p);
-
 #ifdef COUNTERS
     WinDivertQueueVars *wd_qv = WinDivertGetQueue(wd_tv->thread_num);
 #endif /* COUNTERS */
@@ -822,9 +818,6 @@ TmEcode VerdictWinDivertThreadInit(ThreadVars *tv, const void *initdata,
     SCEnter();
 
     WinDivertThreadVars *wd_tv = (WinDivertThreadVars *)initdata;
-
-    CaptureStatsSetup(tv, &wd_tv->stats);
-
     *data = wd_tv;
 
     SCReturnInt(TM_ECODE_OK);

src/tm-threads.c

@@ -242,7 +242,7 @@ static void *TmThreadsSlotPktAcqLoop(void *td)
 
     /* Drop the capabilities for this thread */
     SCDropCaps(tv);
-
+    CaptureStatsSetup(tv);
     PacketPoolInit();
 
     /* check if we are setup properly */
@@ -372,6 +372,7 @@ static void *TmThreadsSlotVar(void *td)
     char run = 1;
     TmEcode r = TM_ECODE_OK;
 
+    CaptureStatsSetup(tv);
     PacketPoolInit();//Empty();
 
     SCSetThreadName(tv->name);

src/tmqh-packetpool.c

@@ -429,6 +429,9 @@ void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
         SCSpinUnlock(lock);
 
         SCLogDebug("tunnel stuff done, move on (proot %d)", proot);
+
+    } else {
+        CaptureStatsUpdate(t, p);
     }
 
     SCLogDebug("[packet %p][%s] %s", p,
@@ -440,6 +443,7 @@ void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
     if (proot == true) {
         SCLogDebug("getting rid of root pkt... alloc'd %s", BOOL2STR(p->root->pool == NULL));
 
+        CaptureStatsUpdate(t, p->root);
         PacketReleaseRefs(p->root);
         p->root->ReleasePacket(p->root);
         p->root = NULL;