[Snort-devel] Snort 2.0 Perfstats question/bug

Lawrence Reed Lawrence.Reed at ...1489...
Thu Jan 16 09:31:01 EST 2003


Dan,
Thanks for your time at the Snort Users Group meeting last week.  I 
learned more about the 2.0 environment, and that helps me to make Snort 
more useful.

I have been trying the perfstats preprocessor you discussed and have run 
into a couple of problems.  

First, I am trying to use the "file perfstats.csv" option to write the 
data to a file.  But the preprocessor does not use the pv.log_dir 
variable to set the path to the log file.  So snort cannot open this 
file.  I modified the perf.c code to include this, similar to 
spp_portscan2.c.  See diff below.

The second issue is with the sfBase->iTotalSessions variable, or more 
specifically with the call to AddStreamSession in spp_stream4.c.  

Is this variable the "number of current sessions"?  It looks like it is. 
However, the iTotalSessions variable increases without bound on my 
system.  While I think my system is a little busy, I don't believe that 
I have 1.6 million active sessions.  I think the problem is near line 
1549 of spp_stream4.c.  Should AddStreamSession be called every time, or 
only if ssn is not null?  I have included a diff that makes these changes 
and produces numbers that seem better.

Are these real issues or have I screwed things up again?

Background info:
Snort 4.0 build 45 running on RedHat 7.3 with the following preprocessors

preprocessor frag2
preprocessor stream4: disable_evasion_alerts, keepstats binary
#preprocessor stream4_reassemble: both
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode 
iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor conversation: allowed_ip_protocols all, timeout 60, 
max_conversations 65534
preprocessor portscan2: scanners_max 3200, targets_max 5000, 
target_limit 25, port_limit 50, timeout 60
preprocessor portscan2-ignorehosts: $IGNORE_PORTSCANS
preprocessor perfmonitor: file perfstats.csv flow events time 10
preprocessor HttpFlow: ports 80 8080 depth 250

Notice the stream4_reassemble preprocessor is disabled; it causes snort to 
crash.

Here is a diff for perf.c:

--- perf.c      Thu Jan 16 17:12:42 2003
+++ perf.c.new  Thu Jan 16 17:13:07 2003
@@ -37,6 +37,7 @@
 #endif /* WIN32 */

 #include "perf.h"
+#include "snort.h"

 int CheckSampleInterval(time_t curr_time, SFPERF *sfPerf);
 int InitPerfStats(SFPERF *sfPerf);
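Review bot: pulling "snort.h" into perf.c just to reach the pv global couples the perf code to Snort's process-wide state; a smaller dependency would be to pass the log directory into the perf initialisation routine (or add a setter on SFPERF) so perf.c stays self-contained and testable.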
@@ -108,7 +109,13 @@
     if(iFlag & SFPERF_FILE)
     {
         sfPerf->iPerfFlags = sfPerf->iPerfFlags | SFPERF_FILE;
-       strncpy( sfPerf->file, p, sizeof(sfPerf->file) );
+
+
+        strncpy( sfPerf->file, pv.log_dir, strlen(pv.log_dir) );
+       if ( sfPerf->file[strlen(sfPerf->file) - 1] != '/' ) {
+         strncat (sfPerf->file,"/",1);
+       }
+       strncat( sfPerf->file, p, sizeof(sfPerf->file) );

         /* this file needs to be readable by everyone */
 #ifndef WIN32
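Review bot: the new strncpy/strncat sequence is not safely bounded. `strncpy( sfPerf->file, pv.log_dir, strlen(pv.log_dir) )` limits the copy by the source length rather than sizeof(sfPerf->file), so a long log_dir overruns the buffer, and because the count equals strlen(src) no terminating NUL is copied, which makes the following strlen(sfPerf->file) read whatever was in the buffer before. The final `strncat( sfPerf->file, p, sizeof(sfPerf->file) )` also passes the whole buffer size where strncat expects the remaining space (sizeof - strlen - 1). Building the path in one call would avoid all of this, e.g. `snprintf(sfPerf->file, sizeof(sfPerf->file), "%s%s%s", pv.log_dir, (log_dir ends in '/') ? "" : "/", p);` followed by a check that the result was not truncated. The two empty `+` lines and the mixed 7/8-space indentation should also be cleaned up before merging.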
@@ -116,6 +123,9 @@
 #endif

        sfPerf->fh = fopen(sfPerf->file,"at");
+       if( !sfPerf->fh ) {
+         perror("fopen failed");
+       }

 #ifndef WIN32
         umask(old_umask);
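Review bot: the fopen failure is only reported, not handled; after perror() the code continues with sfPerf->fh == NULL and the later stats writes will dereference it. Either clear SFPERF_FILE from iPerfFlags so the file path is skipped, or abort startup (Snort's FatalError() is the usual choice in preprocessor init code) and include sfPerf->file in the message so the operator sees which path could not be opened.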


and spp_stream4.c


--- spp_stream4.c       Thu Jan 16 17:12:32 2003
+++ spp_stream4.c.new   Thu Jan 16 17:17:11 2003
@@ -1531,7 +1531,9 @@
                 ++s4_emergency.new_session_count;

             /* perfstats */
-            AddStreamSession(&sfPerf.sfBase);
+            if(ssn != NULL ) {
+               AddStreamSession(&sfPerf.sfBase);
+            }
         } else {
             ssn = NULL;
         }
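Review bot: guarding AddStreamSession() with `ssn != NULL` only stops counting when session allocation failed; it does not by itself turn iTotalSessions into a "current sessions" figure. This branch sits next to `++s4_emergency.new_session_count`, i.e. it fires once per session created, so unless a matching decrement is made where stream4 tears sessions down the value will keep growing, just more slowly than before. Worth confirming whether AddStreamSession is meant as a running total or a gauge before settling on this fix. Minor style: `if(ssn != NULL )` should match the surrounding spacing.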




-- 
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772