suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

profiling/rules: Improve dynamic rule handling

Open jlucovsky opened this issue 11 months ago • 3 comments

7.0.x backport of issue: 6861

Without this commit, disabling rule profiling via suricatasc's command 'ruleset-profile-stop' may crash because profiling_rules_entered becomes negative.

This can happen because

  • There can be multiple rules evaluated for a single packet
  • Each rule is profiled individually.
  • Starting profiling is gated by a configuration setting and rule profiling being active
  • Ending profiling is gated by the same configuration setting and whether the packet was marked as profiling.

The crash can occur when a rule is being profiled and rule profiling is then disabled after one at least one rule was profiled for the packet (which marks the packet as being profiled).

In this scenario, the value of profiling_rules_entered was not incremented so the BUG_ON in the end profiling macro trips because it is 0.

The changes to fix the problem are:

  • In the profiling end macro, gate the actions taken there by the same configuration setting and use the profiling_rues_entered (instead of the per-packet profiling flag). Since the start and end macros are tightly coupled, this will permit profiling to "finish" if started.
  • Modify SCProfileRuleStart to only check the sampling values if the packet hasn't been marked for profiling already. This change makes all rules for a packet (once selected) to be profiled (without this change sampling is applied to each rule that applies to the packet.

(cherry picked from commit bf5cfd6ab7c728125c09c1ee5fb36c4906dc02ea)

Link to redmine ticket: 6862

Describe changes:

  • Backport of [6861](https://redmine.openinfosecfoundation.org/issues/6861]

Provide values to any of the below to override the defaults.

To use a pull request use a branch name like pr/N where N is the pull request number.

Alternatively, SV_BRANCH may also be a link to an OISF/suricata-verify pull-request.

SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=
LIBHTP_REPO=
LIBHTP_BRANCH=

jlucovsky avatar Mar 20 '24 12:03 jlucovsky

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 82.43%. Comparing base (d8bad3b) to head (2dfde7b).

Additional details and impacted files 
@@              Coverage Diff               @@
##           main-7.0.x   #10678      +/-   ##
==============================================
- Coverage       82.45%   82.43%   -0.03%     
==============================================
  Files             976      976              
  Lines          275062   275062              
==============================================
- Hits           226803   226737      -66     
- Misses          48259    48325      +66
Flag Coverage Δ
fuzzcorpus 63.61% <ø> (-0.15%) :arrow_down:
suricata-verify 61.64% <ø> (+<0.01%) :arrow_up:
unittests 62.89% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Mar 20 '24 12:03 codecov[bot]

WARNING:

field baseline test %
SURI_TLPR1_stats_chk
.tcp.pseudo 2810 19624 698.36%

Pipeline 19645

suricata-qa avatar Mar 20 '24 14:03 suricata-qa

ping @victorjulien on old approved PR, what is your status on this ?

catenacyber avatar Apr 30 '24 09:04 catenacyber

Merged in #11135, thanks!

victorjulien avatar May 24 '24 04:05 victorjulien