sqreen 1.20.0-java → 1.21.1-java

data/lib/sqreen/rules/blacklist_ips_cb.rb

@@ -33,7 +33,7 @@ module Sqreen
       private
 
       def insert_values(ranges)
-        Sqreen.log.info 'no ips given for IP blacklisting' if ranges.empty?
+        Sqreen.log.debug 'no ips given for IP blacklisting' if ranges.empty?
 
         ranges.map { |r| Prefix.from_str(r, r) }.each do |prefix|
           trie_for(prefix).insert prefix
@@ -50,7 +50,7 @@ module Sqreen
         begin
           ipa = IPAddr.new(rip)
         rescue StandardError
-          Sqreen.log.info "invalid IP address given by framework: #{rip}"
+          Sqreen.log.debug "invalid IP address given by framework: #{rip}"
           return nil
         end
 

data/lib/sqreen/rules/custom_error_cb.rb

@@ -55,12 +55,12 @@ module Sqreen
       end
 
       def respond_page
-        page = open(File.join(File.dirname(__FILE__), '../attack_detected.html'))
+        @page ||= File.open(File.join(File.dirname(__FILE__), '../attack_detected.html'), 'rb', &:read)
         headers = {
           'Content-Type' => 'text/html',
-          'Content-Length' => page.size.to_s,
+          'Content-Length' => @page.size.to_s,
         }
-        [@status_code, headers, page]
+        [@status_code, headers, [@page]]
       end
     end
   end

data/lib/sqreen/rules/rule_cb.rb

@@ -3,6 +3,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
+require 'sqreen/deprecation'
 require 'sqreen/framework_cb'
 require 'sqreen/context'
 require 'sqreen/conditionable'
@@ -109,6 +110,7 @@ module Sqreen
         )
         true
       end
+      Sqreen::Deprecation.deprecate(instance_method(:overtime!))
     end
   end
 end

data/lib/sqreen/rules/waf_cb.rb

@@ -11,7 +11,7 @@ require 'sqreen/safe_json'
 require 'sqreen/exception'
 require 'sqreen/util/capper'
 require 'sqreen/dependency/libsqreen'
-require 'sqreen/encoding_sanitizer'
+require 'sqreen/kit/string_sanitizer'
 
 module Sqreen
   module Rules
@@ -60,7 +60,7 @@ module Sqreen
         end
 
         # 0 for using defaults (PW_RUN_TIMEOUT)
-        @max_run_budget_us = (@data['values'].fetch('budget_in_ms', 0) * 1000).to_i
+        @max_run_budget_us = (@data['values'].fetch('max_budget_ms', 0) * 1000).to_i
         @max_run_budget_us = INFINITE_BUDGET_US if @max_run_budget_us >= INFINITE_BUDGET_US
 
         Sqreen.log.debug { "Max WAF run budget for #{@waf_rule_name} set to #{@max_run_budget_us} us" }
@@ -82,7 +82,7 @@ module Sqreen
         waf_args = binding_accessors.each_with_object({}) do |(e, b), h|
           h[e] = capper.call(b.resolve(*env))
         end
-        waf_args = Sqreen::EncodingSanitizer.sanitize(waf_args)
+        waf_args = Sqreen::Kit::StringSanitizer.sanitize(waf_args)
 
         if budget
           rem_budget_s = budget - (Sqreen.time - start)

data/lib/sqreen/runner.rb

@@ -11,19 +11,23 @@ require 'sqreen/events/attack'
 
 require 'sqreen/log'
 
+require 'sqreen/agent_message'
 require 'sqreen/rules'
 require 'sqreen/session'
+require 'sqreen/version'
 require 'sqreen/remote_command'
 require 'sqreen/capped_queue'
 require 'sqreen/metrics_store'
 require 'sqreen/deliveries/simple'
 require 'sqreen/deliveries/batch'
+require 'sqreen/endpoint_testing'
 require 'sqreen/performance_notifications/metrics'
 require 'sqreen/performance_notifications/binned_metrics'
 require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
 require 'sqreen/weave/legacy/instrumentation'
 require 'sqreen/kit/configuration'
+require 'sqreen/ecosystem_integration'
 
 module Sqreen
   @features = {}
@@ -50,10 +54,6 @@ module Sqreen
       @queue ||= CappedQueue.new(MAX_QUEUE_LENGTH)
     end
 
-    def update_queue(queue)
-      @queue = queue
-    end
-
     def observations_queue
       @observations_queue ||= CappedQueue.new(MAX_OBS_QUEUE_LENGTH)
     end
@@ -102,8 +102,8 @@ module Sqreen
     # we may want to do that in a thread in order to prevent delaying app
     # startup
     # set_at_exit do not place a global at_exit (used for testing)
+    # @param [Sqreen::Frameworks::GenericFramework] framework
     def initialize(configuration, framework, set_at_exit = true, session_class = Sqreen::Session)
-      Sqreen.update_queue(CappedQueue.new(MAX_QUEUE_LENGTH))
       @logged_out_tried = false
       @configuration = configuration
       @framework = framework
@@ -113,19 +113,24 @@ module Sqreen
       @next_metrics = []
       @running = true
 
+      @proxy_url = @configuration.get(:proxy_url)
+      chosen_endpoints = determine_endpoints
+
       @token = @configuration.get(:token)
       @app_name = @configuration.get(:app_name)
-      @url = @configuration.get(:url)
-      @proxy_url = @configuration.get(:proxy_url)
+      @url = chosen_endpoints.control.url
+      @cert_store = chosen_endpoints.control.ca_store
+
       Sqreen.update_whitelisted_paths([])
       Sqreen.update_whitelisted_ips({})
       Sqreen.update_performance_budget(nil)
-      raise(Sqreen::Exception, 'no url found') unless @url
       raise(Sqreen::TokenNotFoundException, 'no token found') unless @token
 
       Sqreen::Kit::Configuration.logger = Sqreen.log
-      Sqreen::Kit::Configuration.ingestion_url = @configuration.get(:ingestion_url)
-      Sqreen::Kit::Configuration.proxy_url = @configuration.get(:proxy_url)
+      Sqreen::Kit::Configuration.ingestion_url = chosen_endpoints.ingestion.url
+      Sqreen::Kit::Configuration.certificate_store = chosen_endpoints.ingestion.ca_store
+      Sqreen::Kit::Configuration.proxy_url = @proxy_url
+      Sqreen::Kit::Configuration.default_source = "sqreen:agent:ruby:#{Sqreen::VERSION}"
 
       register_exit_cb if set_at_exit
 
@@ -143,6 +148,7 @@ module Sqreen
 
       Sqreen.log.debug "Using token #{@token}"
       response = create_session(session_class)
+      post_endpoint_testing_msgs(chosen_endpoints)
       wanted_features = response.fetch('features', {})
       conf_initial_features = configuration.get(:initial_features)
       unless conf_initial_features.nil?
@@ -155,12 +161,16 @@ module Sqreen
           wanted_features = wanted_features.merge(conf_features)
         rescue
           Sqreen.log.warn do
-            "NOT using invalid inital features #{conf_initial_features}"
+            "NOT using invalid initial features #{conf_initial_features}"
           end
         end
       end
       self.features = wanted_features
 
+      @ecosystem_integration = EcosystemIntegration.new(framework, Sqreen.queue)
+      framework.req_start_cb = @ecosystem_integration.method(:request_start)
+      framework.req_end_cb = @ecosystem_integration.method(:request_end)
+
       # Ensure a deliverer is there unless features have set it first
       self.deliverer ||= Deliveries::Simple.new(session)
       context_infos = {}
@@ -171,7 +181,7 @@ module Sqreen
     end
 
     def create_session(session_class)
-      @session = session_class.new(@url, @token, @app_name, @proxy_url)
+      @session = session_class.new(@url, @cert_store, @token, @app_name, @proxy_url)
       session.login(@framework)
     end
 
@@ -261,6 +271,10 @@ module Sqreen
       rulespack_id, rules = load_rules(context_infos)
       @framework.instrument_when_ready!(instrumenter, rules)
       Sqreen.log.info 'Instrumentation set up'
+
+      # XXX: ecosystem instrumentation should likely be deferred
+      #      the same way the rest might be
+      @ecosystem_integration.init
       rulespack_id.to_s
     end
 
@@ -380,11 +394,35 @@ module Sqreen
 
     def change_performance_budget(budget, _context_infos = {})
       return false unless budget.nil? || budget.to_f > 0
-      prev = Sqreen.performance_budget
-      Sqreen.update_performance_budget(budget)
+
+      if @configuration.get(:weave)
+        prev = Sqreen::Weave::Budget.current
+        prev = prev.to_h if prev
+
+        budget_s = budget.to_f / 1000 if budget
+
+        feature = features['performance_budget']
+        if feature
+          budget_s = feature['threshold'] if feature.key?('threshold')
+          ratio = feature['ratio'] if feature.key?('ratio')
+        end
+
+        Sqreen::Weave::Budget.update(threshold: budget_s, ratio: ratio)
+      else
+        prev = Sqreen.performance_budget
+        Sqreen.update_performance_budget(budget)
+      end
+
       { :was => prev }
     end
 
+    # @param [String] tracing_id_prefix
+    # @param [Array<Hash{String=>Object}>] sampling_config
+    def tracing_enable(tracing_id_prefix, sampling_config, _context_infos = {})
+      @ecosystem_integration.handle_tracing_command(tracing_id_prefix, sampling_config)
+      { status: true }
+    end
+
     def upload_bundle(_context_infos = {})
       t = Time.now
       session.post_bundle(RuntimeInfos.dependencies_signature, RuntimeInfos.dependencies)
@@ -471,6 +509,15 @@ module Sqreen
       logout
     end
 
+    def restart(_context_infos = {})
+      shutdown
+      heartbeat_delay = @heartbeat_delay
+      Thread.new do
+        sleep(2 * heartbeat_delay)
+        Sqreen::Worker.start(Sqreen.framework)
+      end
+    end
+
     def logout(retrying = true)
       return unless session
       Sqreen.log.debug("Logging out")
@@ -508,6 +555,28 @@ module Sqreen
 
     private
 
+    def post_endpoint_testing_msgs(chosen_endpoints)
+      chosen_endpoints.messages.each do |msg|
+        session.post_agent_message(@framework, msg)
+      end
+    rescue => e
+      Sqreen.log.warn "Error submitting agent message: #{e}"
+      RemoteException.record(e)
+    end
+
+    def determine_endpoints
+      # there's no sniffing going on; just a misnamed config setting
+      if @configuration.get(:no_sniff_domains)
+        # reproduces behaviour before endpoint testing was introduced
+        EndpointTesting.no_test_endpoints(@configuration.get(:url),
+                                          @configuration.get(:ingestion_url))
+      else
+        EndpointTesting.test_endpoints(@proxy_url,
+                                       @configuration.get(:url),
+                                       @configuration.get(:ingestion_url))
+      end
+    end
+
     def load_actions(hashes)
       unsupported = Set.new
 

data/lib/sqreen/session.rb

@@ -50,7 +50,7 @@ module Sqreen
 
     attr_accessor :request_compression
 
-    def initialize(server_url, token, app_name = nil, proxy_url = nil)
+    def initialize(server_url, cert_store, token, app_name = nil, proxy_url = nil)
       @token = token
       @app_name = app_name
       @session_id = nil
@@ -73,12 +73,7 @@ module Sqreen
       @http = Net::HTTP.new(uri.host, uri.port, *proxy_params)
       @http.use_ssl = use_ssl
       @http.verify_mode = OpenSSL::SSL::VERIFY_NONE if ENV['SQREEN_SSL_NO_VERIFY'] # for testing
-      if use_ssl
-        cert_file = File.join(File.dirname(__FILE__), 'ca.crt')
-        cert_store = OpenSSL::X509::Store.new
-        cert_store.add_file cert_file
-        @http.cert_store = cert_store
-      end
+      @http.cert_store = cert_store if use_ssl
       self.use_signals = false
     end
 
@@ -240,10 +235,7 @@ module Sqreen
     end
 
     def login(framework)
-      headers = {
-        'x-api-key'  => @token,
-        'x-app-name' => @app_name || framework.application_name,
-      }.reject { |k, v| v ==  nil }
+      headers = prelogin_auth_headers(framework)
 
       Sqreen.log.warn "Using app name: #{headers['x-app-name']}"
 
@@ -257,8 +249,10 @@ module Sqreen
       end
       Sqreen.log.info 'Login success.'
       @session_id = res['session_id']
+
       Kit::Configuration.session_key = @session_id
       Kit.reset
+
       Sqreen.log.debug { "received session_id #{@session_id}" }
       Sqreen.logged_in = true
       res
@@ -312,6 +306,11 @@ module Sqreen
       @evt_sub_strategy.post_batch(events)
     end
 
+    def post_agent_message(framework, agent_message)
+      headers = prelogin_auth_headers(framework)
+      post('app_agent_message', agent_message.to_h, headers, 0)
+    end
+
     # Perform agent logout
     # @param retrying [Boolean] whether to try again on error
     def logout(retrying = true)
@@ -325,5 +324,14 @@ module Sqreen
       Sqreen.logged_in = false
       disconnect
     end
+
+    private
+
+    def prelogin_auth_headers(framework)
+      {
+        'x-api-key' => @token,
+        'x-app-name' => @app_name || framework.application_name,
+      }.reject { |_k, v| v == nil }
+    end
   end
 end

data/lib/sqreen/signals/conversions.rb

@@ -118,6 +118,7 @@ module Sqreen
           signals += req_rec.processed_sdk_calls
                             .select { |h| h[:name] == :track }
                             .map { |h| convert_track(h) }
+          signals += (observed[:signals] || [])
 
           trace = Kit::Signals::Specialized::HttpTrace.new(
             actor: Kit::Signals::Actor.new(
@@ -137,7 +138,7 @@ module Sqreen
           trace
         end
 
-        # @param [Array<Sqreen::Kit::Signals::Signal|Sqreen::Kit::Signals::Trace>] batch
+        # @return [Array<Sqreen::Kit::Signals::Signal|Sqreen::Kit::Signals::Trace>]
         def convert_batch(batch)
           batch.map do |evt|
             case evt
@@ -147,6 +148,10 @@ module Sqreen
               convert_metric_sample(evt)
             when RequestRecord
               convert_req_record(evt)
+            when Sqreen::Kit::Signals::Signal
+              evt
+            when Sqreen::Kit::Signals::Trace
+              evt
             else
               raise NotImplementedError, "Unknown type of event in batch: #{evt}"
             end

data/lib/sqreen/version.rb

@@ -4,5 +4,5 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 module Sqreen
-  VERSION = '1.20.0'.freeze
+  VERSION = '1.21.1'.freeze
 end

data/lib/sqreen/weave/budget.rb

@@ -0,0 +1,46 @@
+# typed: false
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+require 'sqreen/log/loggable'
+require 'sqreen/weave'
+
+class Sqreen::Weave::Budget
+  include Sqreen::Log::Loggable
+
+  def initialize(threshold, ratio = nil)
+    @threshold = threshold
+    @ratio = ratio
+  end
+
+  def static?
+    threshold && !ratio
+  end
+
+  def dynamic?
+    threshold && ratio
+  end
+
+  attr_reader :threshold
+  attr_reader :ratio
+
+  def to_h
+    { threshold: threshold, ratio: ratio }
+  end
+
+  class << self
+    attr_reader :current
+
+    def update(opts = nil)
+      Sqreen::Weave.logger.info("budget update:#{opts.inspect}")
+
+      return @current = nil if opts.nil? || opts.empty?
+
+      threshold = opts[:threshold]
+      ratio = opts[:ratio]
+
+      @current = new(threshold, ratio)
+    end
+  end
+end

data/lib/sqreen/weave/legacy/instrumentation.rb

@@ -4,10 +4,13 @@
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
 require 'sqreen/weave/legacy'
+require 'sqreen/weave/budget'
+require 'sqreen/graft/hook'
 require 'sqreen/graft/hook_point'
 require 'sqreen/call_countable'
 require 'sqreen/rules'
 require 'sqreen/rules/record_request_context'
+require 'sqreen/sqreen_signed_verifier'
 
 class Sqreen::Weave::Legacy::Instrumentation
   attr_accessor :metrics_engine
@@ -60,6 +63,27 @@ class Sqreen::Weave::Legacy::Instrumentation
       'options' => opts[:perf_metric_percent] || { 'base' => 1.3, 'factor' => 1.0 },
     )
 
+    metrics_engine.create_metric(
+      'name' => 'req.sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+
+    metrics_engine.create_metric(
+      'name' => 'sq.hook.overhead',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+
+    metrics_engine.create_metric(
+      'name' => 'sq.shrinkwrap',
+      'period' => 60,
+      'kind' => 'Binning',
+      'options' => { 'base' => 2.0, 'factor' => 0.1 },
+    )
+
     Sqreen.thread_cpu_time? && metrics_engine.create_metric(
       'name' => 'sq_thread_cpu_pct',
       'period' => opts[:period] || 60,
@@ -84,6 +108,15 @@ class Sqreen::Weave::Legacy::Instrumentation
 
     ### set up rule signature verifier
     verifier = nil
+    if Sqreen.features['rules_signature'] &&
+       Sqreen.config_get(:rules_verify_signature) == true &&
+       !defined?(::JRUBY_VERSION)
+      verifier = Sqreen::SqreenSignedVerifier.new
+      Sqreen::Weave.logger.debug('Rules signature enabled')
+    else
+      Sqreen::Weave.logger.debug('Rules signature disabled')
+    end
+
     ### force clean instrumentation callback list
     @hooks = []
     ### for each rule description
@@ -94,6 +127,25 @@ class Sqreen::Weave::Legacy::Instrumentation
       next unless rule_callback
       ### attach framework to callback
       rule_callback.framework = framework
+      ## create metric
+      Sqreen::Weave.logger.debug { "Adding rule metric: #{rule_callback}" }
+      [:pre, :post, :failing].each do |whence|
+        next unless rule_callback.send(:"#{whence}?")
+        metric_name = "sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+        metric_name = "req.sq.#{rule['name']}.#{whence}"
+        metrics_engine.create_metric(
+          'name' => metric_name,
+          'period' => 60,
+          'kind' => 'Binning',
+          'options' => { 'base' => 2.0, 'factor' => 0.1 },
+        )
+      end
       ### install callback, observing priority
       Sqreen::Weave.logger.debug { "Adding rule callback: #{rule_callback}" }
       @hooks << add_callback("weave,rule=#{rule['name']}", rule_callback, strategy)
@@ -107,30 +159,43 @@ class Sqreen::Weave::Legacy::Instrumentation
     end
 
     metrics_engine = self.metrics_engine
+
     request_hook = Sqreen::Graft::Hook['Sqreen::ShrinkWrap#call', strategy]
     @hooks << request_hook
     request_hook.add do
       before('wave,meta,request', rank: -100000, mandatory: true) do |_call|
         next unless Sqreen.instrumentation_ready
 
-        uuid = SecureRandom.uuid
-        now = Sqreen::Graft::Timer.read
+        # shrinkwrap_timer = Sqreen::Graft::Timer.new('weave,shrinkwrap')
+        # shrinkwrap_timer.start
+
+        request_timer = Sqreen::Graft::Timer.new("request")
+        request_timer.start
+        sqreen_timer = Sqreen::Graft::Timer.new("sqreen")
+        budget = Sqreen::Weave::Budget.current
+        request_budget_threshold = budget.threshold if budget
+        request_budget_ratio = budget.ratio if budget
+        request_budget_is_dynamic = !request_budget_ratio.nil?
+        request_budget = !request_budget_threshold.nil?
+        timed_level = (Sqreen.features['perf_level'] || 1).to_i
+        Sqreen::Weave.logger.debug { "request budget: #{budget.to_h} timed.level: #{timed_level}" } if Sqreen::Weave.logger.debug?
+
         Thread.current[:sqreen_http_request] = {
-          uuid: uuid,
-          start_time: now,
-          time_budget: Sqreen.performance_budget,
+          request_timer: request_timer,
+          sqreen_timer: sqreen_timer,
           time_budget_expended: false,
-          timer: Sqreen::Graft::Timer.new("request_#{uuid}"),
+          time_budget_threshold: request_budget_threshold,
+          time_budget_dynamic: request_budget_is_dynamic,
+          time_budget_ratio: request_budget_ratio,
+          time_budget: request_budget,
           timed_callbacks: [],
           timed_hooks: [],
-          timed_hooks_before: [],
-          timed_hooks_after: [],
-          timed_hooks_raised: [],
-          timed_hooks_ensured: [],
+          timed_level: timed_level,
           skipped_callbacks: [],
+          # timed_shrinkwrap: shrinkwrap_timer,
         }
 
-        Sqreen::Weave.logger.debug { "request.uuid: #{uuid}" }
+        # shrinkwrap_timer.stop
       end
 
       ensured('weave,meta,request', rank: 100000, mandatory: true) do |_call|
@@ -138,105 +203,118 @@ class Sqreen::Weave::Legacy::Instrumentation
 
         next if request.nil?
 
+        # shrinkwrap_timer = request[:timed_shrinkwrap]
+        # shrinkwrap_timer.start
+
         Thread.current[:sqreen_http_request] = nil
-        now = Sqreen::Graft::Timer.read
-        utc_now = Time.now.utc
-
-        request[:timed_callbacks].each do |timer|
-          duration = timer.duration
-          # stop = now
-          # start = now - duration
-          timer.tag =~ /weave,rule=(.*)$/ && rule = $1
-          timer.tag =~ /@before/ && whence = 'pre'
-          timer.tag =~ /@after/  && whence = 'post'
-          timer.tag =~ /@raised/ && whence = 'failing'
-
-          next unless rule && whence
-
-          # Sqreen::PerformanceNotifications.notify(rule, whence, start, stop)
-          # => BinnedMetrics
-          metric_name = "sq.#{rule}.#{whence}"
-          unless metrics_engine.metric?(metric_name)
-            metrics_engine.create_metric(
-              'name' => metric_name,
-              'period' => 60,
-              'kind' => 'Binning',
-              'options' => { 'base' => 2.0, 'factor' => 0.1 },
-            )
+        request_timer = request[:request_timer]
+        now = request_timer.stop
+
+        if request[:timed_level] >= 1
+          request[:timed_callbacks].each do |timer|
+            duration = timer.duration
+
+            timer.tag =~ /weave,rule=(.*)$/ && rule = $1
+            next unless rule
+
+            whence = case timer.tag
+                     when /@before/ then 'pre'
+                     when /@after/  then 'post'
+                     when /@raised/ then 'failing'
+                     end
+            next unless whence
+
+            metric_name = "sq.#{rule}.#{whence}"
+            metrics_engine.update(metric_name, now, nil, duration * 1000)
+            # Sqreen.observations_queue.push([metric_name, nil, duration * 1000, utc_now])
           end
-          metrics_engine.update(metric_name, now, nil, duration * 1000)
-        end
 
-        metric_name = 'sq.hooks_pre.pre'
-        duration = request[:timed_hooks_before].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-
-        metric_name = 'sq.hooks_post.post'
-        duration = request[:timed_hooks_after].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
-        end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
-
-        metric_name = 'sq.hooks_failing.failing'
-        duration = request[:timed_hooks_raised].sum(&:duration)
-        unless metrics_engine.metric?(metric_name)
-          metrics_engine.create_metric(
-            'name' => metric_name,
-            'period' => 60,
-            'kind' => 'Binning',
-            'options' => { 'base' => 2.0, 'factor' => 0.1 },
-          )
+          request[:timed_hooks].each do |timer|
+            duration = timer.duration
+            metrics_engine.update('sq.hook.overhead', now, nil, duration * 1000)
+            # Sqreen.observations_queue.push(['sq.hook.overhead', nil, duration * 1000, utc_now])
+          end
         end
-        metrics_engine.update(metric_name, now, nil, duration * 1000)
 
-        skipped = request[:skipped_callbacks].map(&:name)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.skipped.size: #{skipped.count} callback.skipped: [#{skipped.join(', ')}]" }
-        timer = request[:timer]
-        total = timer.duration
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} timer.total: #{'%.03fus' % (total * 1_000_000)} timer.size: #{timer.size}" }
-        timings = request[:timed_callbacks].map(&:to_s)
-        total = request[:timed_callbacks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} callback.total: #{'%.03fus' % (total * 1_000_000)} callback.timings: [#{timings.join(', ')}]" }
-        timings = request[:timed_hooks].map(&:to_s)
-        total = request[:timed_hooks].sum(&:duration)
-        Sqreen::Weave.logger.debug { "request:#{request[:uuid]} hook.total: #{'%.03fus' % (total * 1_000_000)} hook.timings: [#{timings.join(', ')}]" }
+        sqreen_timer = request[:sqreen_timer]
+        total = sqreen_timer.duration
+        Sqreen::Weave.logger.debug { "request sqreen_timer.total: #{'%.03fus' % (total * 1_000_000)}" } if Sqreen::Weave.logger.debug?
+        total = request_timer.duration
+        Sqreen::Weave.logger.debug { "request request_timer.total: #{'%.03fus' % (total * 1_000_000)}" } if Sqreen::Weave.logger.debug?
+
+        if request[:timed_level] >= 2
+          skipped = request[:skipped_callbacks].map(&:name)
+          Sqreen::Weave.logger.debug { "request callback.skipped.count: #{skipped.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_callbacks].map(&:to_s)
+          total = request[:timed_callbacks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request callback.total: #{'%.03fus' % (total * 1_000_000)} callback.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
+          timings = request[:timed_hooks].map(&:to_s)
+          total = request[:timed_hooks].sum(&:duration)
+          Sqreen::Weave.logger.debug { "request hook.total: #{'%.03fus' % (total * 1_000_000)} hook.count: #{timings.count}" } if Sqreen::Weave.logger.debug?
+        end
 
         skipped = request[:skipped_callbacks].map(&:name)
         skipped_rule_name = skipped.first && skipped.first =~ /weave,rule=(.*)$/ && $1
-        Sqreen.observations_queue.push(['request_overtime', skipped_rule_name, 1, utc_now]) if skipped_rule_name
+        metrics_engine.update('request_overtime', now, skipped_rule_name, 1) if skipped_rule_name
+        # Sqreen.observations_queue.push(['request_overtime', skipped_rule_name, 1, utc_now]) if skipped_rule_name
 
-        sqreen_request_duration = total
-        Sqreen.observations_queue.push(['sq', nil, sqreen_request_duration * 1000, utc_now])
+        sqreen_request_duration = sqreen_timer.duration
+        metrics_engine.update('sq', now, nil, sqreen_request_duration * 1000)
+        # Sqreen.observations_queue.push(['sq', nil, sqreen_request_duration * 1000, utc_now])
 
-        request_duration = now - request[:start_time]
-        Sqreen.observations_queue.push(['req', nil, request_duration * 1000, utc_now])
+        request_duration = request_timer.duration
+        metrics_engine.update('req', now, nil, request_duration * 1000)
+        # Sqreen.observations_queue.push(['req', nil, request_duration * 1000, utc_now])
 
         sqreen_request_ratio = (sqreen_request_duration * 100.0) / (request_duration - sqreen_request_duration)
-        Sqreen.observations_queue.push(['pct', nil, sqreen_request_ratio, utc_now])
+        metrics_engine.update('pct', now, nil, sqreen_request_ratio)
+        # Sqreen.observations_queue.push(['pct', nil, sqreen_request_ratio, utc_now])
+        Sqreen::Weave.logger.debug { "request sqreen_timer.ratio: #{'%.03f' % (sqreen_request_ratio / 100.0)}" } if Sqreen::Weave.logger.debug?
+
+        if request[:timed_level] >= 2
+          tallies = Hash.new(0.0)
+          request[:timed_callbacks].each do |timer|
+            duration = timer.duration
+
+            timer.tag =~ /weave,rule=(.*)$/ && rule = $1
+            next unless rule
+
+            whence = case timer.tag
+                     when /@before/ then 'pre'
+                     when /@after/  then 'post'
+                     when /@raised/ then 'failing'
+                     end
+            next unless whence
+
+            metric_name = "req.sq.#{rule}.#{whence}"
+            tallies[metric_name] += duration
+          end
+          tallies.each do |metric_name, duration|
+            metrics_engine.update(metric_name, now, nil, duration * 1000)
+            # Sqreen.observations_queue.push([metric_name, nil, duration * 1000, utc_now])
+          end
+
+          duration = request[:timed_hooks].sum(&:duration)
+          metrics_engine.update('req.sq.hook.overhead', now, nil, duration * 1000)
+          # Sqreen.observations_queue.push(['req.sq.hook.overhead', nil, duration * 1000, utc_now])
+        end
+
+        # shrinkwrap_timer.stop
+
+        # duration = shrinkwrap_timer.duration
+        # metrics_engine.update('sq.shrinkwrap', now, nil, duration * 1000)
       end
     end.install
 
     ### globally declare instrumentation ready
     Sqreen.instrumentation_ready = true
+    Sqreen::Weave.logger.info { "Instrumentation activated" }
   end
 
   # needed by Sqreen::Runner
   def remove_all_callbacks
     Sqreen.instrumentation_ready = false
+    Sqreen::Weave.logger.info { "Instrumentation deactivated" }
 
     loop do
       hook = @hooks.pop
@@ -253,6 +331,15 @@ class Sqreen::Weave::Legacy::Instrumentation
     klass = callback.klass
     method = callback.method
 
+    if (call_count = ENV['SQREEN_DEBUG_CALL_COUNT'])
+      call_count = JSON.parse(call_count)
+      if callback.respond_to?(:rule_name) && call_count.key?(callback.rule_name)
+        count = call_count[callback.rule_name]
+        Sqreen::Weave.logger.debug { "override rule: #{callback.rule_name} call_count: #{count.inspect}" }
+        callback.instance_eval { @call_count_interval = call_count[callback.rule_name] }
+      end
+    end
+
     if Sqreen::Graft::HookPoint.new("#{klass}.#{method}").exist?
       hook_point = "#{klass}.#{method}"
     elsif Sqreen::Graft::HookPoint.new("#{klass}##{method}").exist?
@@ -275,7 +362,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
 
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i}" }
           begin
             ret = callback.pre(i, a, r)
           rescue StandardError => e
@@ -286,17 +372,26 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#pre instance=#{i} => return=#{ret.inspect}" }
 
-          case ret[:status]
-          when :skip, 'skip'
-            throw(b, b.return(ret[:new_return_value]).break!) if ret.key?(:new_return_value)
-          when :modify_args, 'modify_args'
-            throw(b, b.args(ret[:args]))
-          when :raise, 'raise'
-            throw(b, b.raise(ret[:exception])) if ret.key?(:exception)
-            throw(b, b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required.")))
-          end unless ret.nil? || !ret.is_a?(Hash)
+          next if ret.nil? || !ret.is_a?(Hash)
+
+          throw_val =
+            case ret[:status]
+            when :skip, 'skip'
+              b.return(ret[:new_return_value]).break! if ret.key?(:new_return_value)
+            when :modify_args, 'modify_args'
+              b.args(ret[:args])
+            when :raise, 'raise'
+              if ret.key?(:exception)
+                b.raise(ret[:exception])
+              else
+                b.raise(Sqreen::AttackBlocked.new("Sqreen blocked a security threat (type: #{callback.rule_name}). No action is required."))
+              end
+            end
+
+          next unless throw_val
+          throw_val.break! if ret[:skip_rem_cbs]
+          throw(b, throw_val)
         end
       end
 
@@ -309,7 +404,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
 
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i}" }
           begin
             ret = callback.post(v, i, a, r)
           rescue StandardError => e
@@ -320,7 +414,6 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#post instance=#{i} => return=#{ret.inspect}" }
 
           case ret[:status]
           when :override, 'override'
@@ -341,7 +434,6 @@ class Sqreen::Weave::Legacy::Instrumentation
           a = call.args
           r = call.remaining
 
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i}" }
           begin
             ret = callback.failing(e, i, a, r)
           rescue StandardError => e
@@ -352,7 +444,6 @@ class Sqreen::Weave::Legacy::Instrumentation
               Sqreen::RemoteException.record(e)
             end
           end
-          Sqreen::Weave.logger.debug { "#{rule} klass=#{callback.klass} method=#{callback.method} when=#failing instance=#{i} => return=#{ret.inspect}" }
 
           throw(b, b.raise(e)) if ret.nil? || !ret.is_a?(Hash)