[Snort-devel] Perfmon total_alerts tracking bug
mike.cox52 at ...2499...
Fri Aug 21 10:21:13 EDT 2015
Perfmon will output 'alerts_per_second' and 'total_alerts_per_second', with
the latter including IP Reputation alerts and the former not.
alerts_per_second is calculated for the time interval, and so is
total_alerts_per_second; previous counts are tracked with the *iAlerts
variables so they aren't counted again. From src/preprocessors/perf-base.c:
    /* alerts_per_second: only alerts seen since the previous interval are counted */
    (double)(pc.alert_pkts - sfBase->iAlerts) / Systimes->realtime;
    sfBase->iAlerts = pc.alert_pkts;

    /* total_alerts_per_second: same pattern, using the total_* counters */
    (double)(pc.total_alert_pkts - sfBase->total_iAlerts) / Systimes->realtime;
    sfBase->total_iAlerts = pc.total_alert_pkts;
However, total_iAlerts gets reset to 0 after each init; from
src/preprocessors/perf-base.c in InitBaseStats():

    sfBase->total_iAlerts = 0;

So effectively you get this:

    (double)(pc.total_alert_pkts - 0) / Systimes->realtime;

which I don't believe is what you want.
I checked Snort 18.104.22.168 and Snort 2.9.8 beta and they both had this bug.
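Added illustration, not code from the post or from Snort itself: a constructed simulation of the interval arithmetic above, with stand-in structs (the type and function names are assumptions) that shows how zeroing total_iAlerts before each interval turns total_alerts_per_second into a cumulative count divided by one interval's length.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the perfmon packet counters and base stats (assumed layout). */
typedef struct { uint64_t alert_pkts; uint64_t total_alert_pkts; } PacketCounts;
typedef struct { uint64_t iAlerts; uint64_t total_iAlerts; } BaseStats;
typedef struct { double alerts_per_second; double total_alerts_per_second; } Rates;

/* One interval's rate calculation, mirroring the snippet from perf-base.c:
   subtract the count stored at the previous interval, then store the new count. */
static Rates interval_rates(const PacketCounts *pc, BaseStats *b, double realtime) {
    Rates r;
    r.alerts_per_second = (double)(pc->alert_pkts - b->iAlerts) / realtime;
    b->iAlerts = pc->alert_pkts;
    r.total_alerts_per_second = (double)(pc->total_alert_pkts - b->total_iAlerts) / realtime;
    b->total_iAlerts = pc->total_alert_pkts;
    return r;
}

/* Simulate three 10-second intervals; constructed running totals of 100 new
   alerts per interval, all of them also counted in total_alert_pkts.
   When reset_total_each_interval is nonzero, total_iAlerts is zeroed before
   each interval, as the post says InitBaseStats() does. Returns the rates
   reported for the last interval. */
Rates simulate_last_interval(int reset_total_each_interval) {
    const uint64_t cumulative[] = { 100, 200, 300 };  /* constructed sample */
    const double interval_seconds = 10.0;
    BaseStats b = { 0, 0 };
    PacketCounts pc = { 0, 0 };
    Rates r = { 0.0, 0.0 };
    for (size_t i = 0; i < sizeof cumulative / sizeof cumulative[0]; i++) {
        if (reset_total_each_interval)
            b.total_iAlerts = 0;               /* the reset described in the post */
        pc.alert_pkts = cumulative[i];
        pc.total_alert_pkts = cumulative[i];
        r = interval_rates(&pc, &b, interval_seconds);
    }
    return r;
}

int main(void) {
    Rates buggy = simulate_last_interval(1);
    Rates fixed = simulate_last_interval(0);
    printf("with reset:    alerts/s=%.1f total_alerts/s=%.1f\n",
           buggy.alerts_per_second, buggy.total_alerts_per_second);
    printf("without reset: alerts/s=%.1f total_alerts/s=%.1f\n",
           fixed.alerts_per_second, fixed.total_alerts_per_second);
    return 0;
}
```

With the reset, the third interval reports 30 total alerts per second although only 10 per second occurred, while alerts_per_second stays correct because iAlerts is never zeroed.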