[Snort-devel] snort 2.1.3RC1 perfmon feature patch (RST/FIN)

Erik Fichtner emf at ...28...
Tue Apr 27 20:40:03 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all.   Just thought I'd send this out in case someone else thought it was
useful.  It's quite trivial, but basically, I have a gauge that tracks  
	( ( SYN + SYN_ACK ) / (RST + RST_ACK + FIN + FIN_ACK) ) * CONSTANT  
for tcp connections.   I wanted to use perfmon to give me this data instead of having
to pull it out of pcaps directly, so....   If no one else thinks that's handy, then
so be it. ;)



*** perf-base.c.orig    Wed Apr 28 02:51:54 2004
- --- perf-base.c Wed Apr 28 02:53:49 2004
***************
*** 358,363 ****
- --- 358,369 ----
      sfBaseStats->synacks_per_second = 
          (double)(sfBase->iSynAcks) / Systimes->realtime;
  
+     sfBaseStats->rsts_per_second = 
+         (double)(sfBase->iRsts) / Systimes->realtime;
+ 
+     sfBaseStats->fins_per_second = 
+         (double)(sfBase->iFins) / Systimes->realtime;
+ 
      sfBaseStats->deleted_sessions_per_second = 
          (double)(sfBase->iDeletedSessions) / Systimes->realtime;
  
***************
*** 388,393 ****
- --- 394,401 ----
      
      sfBase->iSyns = 0;
      sfBase->iSynAcks = 0;
+     sfBase->iRsts = 0;
+     sfBase->iFins = 0;
      sfBase->iNewSessions = 0;
      sfBase->iDeletedSessions = 0;
  
***************
*** 726,735 ****
  #ifdef WIN32
                  "%.1f,%.1f,%.1f,%.1f,%I64i,%I64i,",
  #else
!                 "%.1f,%.1f,%.1f,%.1f,%llu,%llu,",
  #endif       
                  sfBaseStats->syns_per_second,
                  sfBaseStats->synacks_per_second,
                  sfBaseStats->new_sessions_per_second,
                  sfBaseStats->deleted_sessions_per_second,
                  sfBaseStats->total_sessions,
- --- 734,745 ----
  #ifdef WIN32
                  "%.1f,%.1f,%.1f,%.1f,%I64i,%I64i,",
  #else
!                 "%.1f,%.1f,%.1f,%.1f,%.1f,%.1f,%llu,%llu,",
  #endif       
                  sfBaseStats->syns_per_second,
                  sfBaseStats->synacks_per_second,
+                 sfBaseStats->rsts_per_second,
+                 sfBaseStats->fins_per_second,
                  sfBaseStats->new_sessions_per_second,
                  sfBaseStats->deleted_sessions_per_second,
                  sfBaseStats->total_sessions,
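Review bot: The WIN32 format string three lines above the `!` change is left unchanged at `"%.1f,%.1f,%.1f,%.1f,%I64i,%I64i,"` while the argument list below it now carries six doubles before the two session counters, so on Windows builds the two `%I64i` conversions consume double arguments — undefined behaviour and garbage in the CSV record. It should become `"%.1f,%.1f,%.1f,%.1f,%.1f,%.1f,%I64i,%I64i,",` so both branches agree with the arguments. Separately, inserting the two new values between synacks_per_second and new_sessions_per_second shifts every later column of the perfmon CSV record, so any existing consumer that reads this file by column position will silently misread it; appending the new fields at the end of the record, or bumping whatever format marker the file carries, would be less disruptive. The enclosing call begins before the hunk and continues after it.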
***************
*** 867,872 ****
- --- 877,884 ----
      /* Session estimation statistics */
      LogMessage("Syns/Sec        :  %.1f\n", sfBaseStats->syns_per_second);
      LogMessage("Syn-Acks/Sec    :  %.1f\n", sfBaseStats->synacks_per_second);
+     LogMessage("Rsts/Sec        :  %.1f\n", sfBaseStats->rsts_per_second);
+     LogMessage("Fins/Sec        :  %.1f\n", sfBaseStats->fins_per_second);
      LogMessage("New Sessions/Sec:  %.1f\n", sfBaseStats->new_sessions_per_second);
      LogMessage("Del Sessions/Sec:  %.1f\n", sfBaseStats->deleted_sessions_per_second);    
      LogMessage("Total Sessions  :  %llu\n", sfBaseStats->total_sessions);
*** perf-base.h.orig    Wed Apr 28 03:12:20 2004
- --- perf-base.h Wed Apr 28 03:12:46 2004
***************
*** 113,118 ****
- --- 113,120 ----
      double   alerts_per_second;
      double   syns_per_second;
      double   synacks_per_second;
+     double   rsts_per_second;
+     double   fins_per_second;
      double   deleted_sessions_per_second;
      double   new_sessions_per_second;
  
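Review bot: Only the two per-second rates are declared here; the raw counters `iRsts` and `iFins` that perf-base.c zeroes and divides and that spp_perfmonitor.c increments are not added to the counter struct in any hunk of this patch. Unless those fields already exist in the 2.1.3RC1 perf-base.h, the patch will not compile, and the missing companion change is a pair of members next to `iSyns`/`iSynAcks` in that struct, declared with the same type as those existing counters. The struct this hunk modifies begins before the hunk and ends after it.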
*** spp_perfmonitor.c.orig      Wed Apr 28 02:52:05 2004
- --- spp_perfmonitor.c   Wed Apr 28 02:54:54 2004
***************
*** 327,332 ****
- --- 327,340 ----
              /* this is a better approximation of connections */
              sfPerf.sfBase.iSynAcks++;
          }
+         else if(p->tcph->th_flags & TH_RST)
+         {
+             sfPerf.sfBase.iRsts++;
+         }
+         else if(p->tcph->th_flags & TH_FIN)
+         {
+             sfPerf.sfBase.iFins++;
+         }
      }
  
      /*
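Review bot: The two new branches give RST precedence over FIN and sit below the existing SYN tests, so a segment carrying both RST and FIN is counted once as an RST, and a segment carrying SYN together with RST or FIN (which normal stacks do not emit) is counted as a SYN only; a one-line comment such as `/* RST wins over FIN; SYN-bearing segments are classified above */` before the first new `else if` would make that precedence explicit. Note also that a graceful close produces one FIN from each endpoint, so fins_per_second will run at roughly twice syns_per_second for the same connection count, which matters if the gauge in the cover note is compared against a fixed threshold. The enclosing if block starts before the hunk.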




- -- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQFAjyd4Q7EzrewLMS0RAtCXAJ9d24hLobMGxHBd64OGo9q3B0yc7QCfSQ4f
o46IUuEXV53Ou3oeKy2hs/Q=
=F8Ou
-----END PGP SIGNATURE-----



