suricata icon indicating copy to clipboard operation
suricata copied to clipboard

Published 20 hours ago verified publisher icon OISF

detect/threshold: implement per thread cache

Open victorjulien opened this issue 2 years ago • 6 comments

Thresholding often has 2 stages:

  1. recording matches
  2. appling an action, like suppress

E.g. with something like: threshold:type limit, count 10, seconds 3600, track by_src; the recording state is about counting 10 first hits for an IP, then followed by the "suppress" state that might last an hour.

By_src/by_dst are expensive, as they do a host table lookup and lock the host. If many threads require this access, lock contention becomes a serious problem.

This patch adds a thread local cache to avoid the synchronization overhead. When the threshold for a host enters the "apply" stage, a thread local hash entry is added. This entry knows the expiry time and the action to apply. This way the action can be applied w/o the synchronization overhead.

A rbtree is used to handle expiration.

victorjulien avatar Sep 15 '23 08:09 victorjulien

ERROR:

ERROR: QA failed on ASAN_TLPR1_suri.

Pipeline 15953

suricata-qa avatar Sep 15 '23 09:09 suricata-qa

ERROR:

ERROR: QA failed on ASAN_TLPR1_suri.

Pipeline 15955

suricata-qa avatar Sep 15 '23 09:09 suricata-qa

Codecov Report

Merging #9488 (c7093b1) into master (908f49e) will increase coverage by 0.00%. The diff coverage is 91.40%.

Additional details and impacted files 
@@           Coverage Diff            @@
##           master    #9488    +/-   ##
========================================
  Coverage   82.17%   82.17%            
========================================
  Files         968      968            
  Lines      274202   274330   +128     
========================================
+ Hits       225328   225444   +116     
- Misses      48874    48886    +12
Flag Coverage Δ
fuzzcorpus 64.02% <9.37%> (-0.05%) :arrow_down:
suricata-verify 60.84% <21.09%> (-0.03%) :arrow_down:
unittests 62.89% <91.40%> (+<0.01%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

codecov[bot] avatar Sep 15 '23 10:09 codecov[bot]

Information: QA ran without warnings.

Pipeline 15956

suricata-qa avatar Sep 15 '23 13:09 suricata-qa

How many items do we expect the hash table and rb tree to contain in normal operation?

jasonish avatar Sep 22 '23 18:09 jasonish

Want to redo this. I think the thread local cache makes sense, but will put an additional cost on the slow path. Want to improve the slow path by moving the storage out of host/ippair, and use a dedicated table for thresholds. The advantage would be that we can key it by ip(s)+sid, so thresholds for different rules can't cause contention like they do now.

victorjulien avatar Dec 22 '23 08:12 victorjulien

Information: QA ran without warnings.

Pipeline 15956

suricata-qa avatar Feb 28 '24 14:02 suricata-qa

replaced by #10925

victorjulien avatar Apr 20 '24 09:04 victorjulien