[Snort-devel] Perfmon total_alerts tracking bug

Mike Cox mike.cox52 at ...2499...
Fri Aug 21 10:21:13 EDT 2015


Perfmon will output 'alerts_per_second' and 'total_alerts_per_second' with
the latter including IP Reputation alerts and the former not.

alerts_per_second is calculated for the time interval, as is
total_alerts_per_second, and the previous counts are tracked with the *iAlerts
variables so they aren't counted again. From src/preprocessors/perf-base.c
in GetEventsPerSecond():

    sfBaseStats->alerts_per_second =
        (double)(pc.alert_pkts - sfBase->iAlerts) / Systimes->realtime;

    sfBase->iAlerts = pc.alert_pkts;

    sfBaseStats->total_alerts_per_second =
        (double)(pc.total_alert_pkts - sfBase->total_iAlerts) / Systimes->realtime;

    sfBase->total_iAlerts = pc.total_alert_pkts;

However, total_iAlerts gets reset to 0 after each init; from
src/preprocessors/perf-base.c in InitBaseStats():

    sfBase->total_iAlerts = 0;

So effectively you get this:

    sfBaseStats->total_alerts_per_second =
        (double)(pc.total_alert_pkts - 0) / Systimes->realtime;

Which I don't believe is what you want.

I checked Snort 2.9.7.5 and Snort 2.9.8 beta and they both had this bug.

-Mike Cox
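To make the effect of that reset concrete, here is a small model of the two rate calculations run over three reporting intervals, once with the total baseline zeroed before each interval and once with it preserved. This is an added, constructed example, not Snort's code: the struct and field names mirror the quoted snippets, the counter snapshots are made up, and it assumes (as the report implies) that iAlerts itself survives the init while total_iAlerts does not.

```c
#include <stdio.h>

/* Constructed model of the counters discussed in the report. The names mirror
 * the ones quoted from perf-base.c, but this is not Snort code. */
typedef struct {
    unsigned long alert_pkts;        /* cumulative alerts, IP Reputation excluded */
    unsigned long total_alert_pkts;  /* cumulative alerts, IP Reputation included */
} PacketCounts;

typedef struct {
    unsigned long iAlerts;        /* alert_pkts seen at the end of the previous interval */
    unsigned long total_iAlerts;  /* total_alert_pkts seen at the end of the previous interval */
} BaseState;

typedef struct {
    double alerts_per_second;
    double total_alerts_per_second;
} BaseStats;

/* Delta-then-remember logic, following the quoted GetEventsPerSecond(). */
static void events_per_second(BaseStats *stats, BaseState *base,
                              const PacketCounts *pc, double realtime)
{
    stats->alerts_per_second =
        (double)(pc->alert_pkts - base->iAlerts) / realtime;
    base->iAlerts = pc->alert_pkts;

    stats->total_alerts_per_second =
        (double)(pc->total_alert_pkts - base->total_iAlerts) / realtime;
    base->total_iAlerts = pc->total_alert_pkts;
}

/* Per-interval reinitialisation. With reset_total != 0 the total baseline is
 * zeroed, which is what the report says InitBaseStats() does; with 0 it is kept.
 * Assumption (mine, not verified against Snort): iAlerts is preserved either way. */
static void init_base_stats(BaseState *base, int reset_total)
{
    if (reset_total)
        base->total_iAlerts = 0;
}

/* Constructed cumulative counter snapshots at the end of three 10-second
 * intervals: 100/120, 250/300 and 400/480 alerts (excluded / included). */
static const PacketCounts SNAPSHOTS[] = {
    {100, 120}, {250, 300}, {400, 480},
};
#define INTERVAL_SECONDS 10.0

/* Runs the three intervals and returns the stats computed for the last one. */
BaseStats run_intervals(int reset_total)
{
    BaseState base = {0, 0};
    BaseStats stats = {0.0, 0.0};
    size_t n = sizeof SNAPSHOTS / sizeof SNAPSHOTS[0];
    for (size_t i = 0; i < n; i++) {
        init_base_stats(&base, reset_total);
        events_per_second(&stats, &base, &SNAPSHOTS[i], INTERVAL_SECONDS);
    }
    return stats;
}

int main(void)
{
    BaseStats reset = run_intervals(1);
    BaseStats kept = run_intervals(0);
    printf("last interval, total baseline reset: alerts/s=%.1f total_alerts/s=%.1f\n",
           reset.alerts_per_second, reset.total_alerts_per_second);
    printf("last interval, total baseline kept:  alerts/s=%.1f total_alerts/s=%.1f\n",
           kept.alerts_per_second, kept.total_alerts_per_second);
    return 0;
}
```

With the baseline kept, the third interval reports 15.0 alerts/s and 18.0 total alerts/s, the 3.0 difference being the IP Reputation alerts in that interval. With the baseline reset, alerts_per_second is still 15.0 but total_alerts_per_second becomes 48.0, the cumulative count divided by the interval length, so it keeps growing with uptime instead of describing the interval.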