[Snort-devel] Statistics strangeness on Linux

Erik de Castro Lopo erikd+snort at ...2292...
Sun Dec 21 16:26:01 EST 2003


Hi all,

I'm playing around with Snort (2.05 and now 2.10) on Linux 2.4. Running 
it in fast alert mode:

   /usr/local/bin/snort -b -A fast -c /usr/local/etc/snort.conf

and then sending it a SIGUSR1, I can get some pretty odd results in the
statistcs, the worst of which was this:

    Snort analyzed 17 out of 17 packets, dropping 0(0.000%) packets
	
    Breakdown by protocol:                Action Stats:
        TCP: 41196582   (242332848.000%)         ALERTS: 0
        UDP: 321        (1888.235%)         LOGGED: 0

This was created by running Sort for some time on a heavily loaded network 
and then backing off the load considerably and sending two SIGUSR1s
pretty close together.

On investigation, I found that pc.tcp is updated in src/decode.c of Snort, 
while the packet count and packet drop counts are retrieved from the kernel 
via a getsocketopt call in libpcap.

In the Linux kernel each getsocketopt(PACKET_STATISTICS) call resets the
packet count and packet drop counts, while the pc.tcp count never gets 
reset. 

I have fixed this in my local copy by keeping a running total of the packet
count and packet drop count in static long long variables in the function
DropStats(). I would send this as a patch, but I'm not sure how the *BSDs
might differ.

Comments anyone?

Cheers,
Erik
-- 
------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo at ...2292...
[W] http://www.sensorynetworks.com
[T] +61 2 83022726 
[F] +61 2 94750316 
[A] L4/140 William St, East Sydney NSW 2011, Australia
------------------------------------------------------




More information about the Snort-devel mailing list