[Snort-devel] Perfmon total_alerts tracking bug

Mike Cox mike.cox52 at ...2499...
Fri Aug 28 15:00:27 EDT 2015


And if it isn't obvious, the fix is to delete the following line from
src/preprocessors/perf-base.c in InitBaseStats():

sfBase->total_iAlerts = 0;

-Mike Cox


On Fri, Aug 21, 2015 at 10:21 AM, Mike Cox <mike.cox52 at ...2499...> wrote:

> Perfmon will output 'alerts_per_second' and 'total_alerts_per_second' with
> the latter including IP Reputation alerts and the former not.
>
> alerts_per_second is calculated for the time interval, and so is
> total_alerts_per_second; previous counts are tracked with the *iAlerts
> variables so they aren't counted again. From src/preprocessors/perf-base.c
> in GetEventsPerSecond():
>
>     sfBaseStats->alerts_per_second =
>         (double)(pc.alert_pkts - sfBase->iAlerts) / Systimes->realtime;
>
>     sfBase->iAlerts = pc.alert_pkts;
>
>     sfBaseStats->total_alerts_per_second =
>         (double)(pc.total_alert_pkts - sfBase->total_iAlerts) / Systimes->realtime;
>
>     sfBase->total_iAlerts = pc.total_alert_pkts;
>
> However, total_iAlerts gets reset to 0 after each init; from
> src/preprocessors/perf-base.c in InitBaseStats():
>
>     sfBase->total_iAlerts = 0;
>
> So effectively you get this:
>
>     sfBaseStats->total_alerts_per_second =
>         (double)(pc.total_alert_pkts - 0) / Systimes->realtime;
>
> Which I don't believe is what you want.
>
> I checked Snort 2.9.7.5 and Snort 2.9.8 beta and they both had this bug.
>
> -Mike Cox
>
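The effect of the reset described in the thread, as an added example that is not part of the original mail or of the Snort source: a small C simulation with constructed stand-ins for Snort's `pc` packet counters and the `sfBase` tracking fields. `init_base_stats()` mirrors the per-interval init the mail describes, with a flag selecting the buggy variant (which zeroes `total_iAlerts`) or the fixed one (which leaves it alone); `iAlerts` is assumed to be preserved across intervals, as the mail implies. The per-interval increments (50 alerts plus 10 IP Reputation alerts every 10 seconds) are constructed values.

```c
#include <stdio.h>

/* Constructed stand-in for Snort's cumulative packet counters. */
typedef struct {
    unsigned long alert_pkts;        /* alerts excluding IP Reputation */
    unsigned long total_alert_pkts;  /* alerts including IP Reputation */
} PacketCounts;

/* Constructed stand-in for the relevant sfBase tracking fields. */
typedef struct {
    unsigned long iAlerts;           /* alert_pkts seen at last interval */
    unsigned long total_iAlerts;     /* total_alert_pkts seen at last interval */
} BaseState;

typedef struct {
    double alerts_per_second;
    double total_alerts_per_second;
} BaseStats;

/* Mirrors the per-interval InitBaseStats() behaviour described in the mail.
 * buggy != 0 reproduces the reported defect: total_iAlerts is reset to 0,
 * so the next rate is computed from the cumulative count, not the delta. */
static void init_base_stats(BaseState *base, int buggy)
{
    if (buggy)
        base->total_iAlerts = 0;   /* the line the fix removes */
}

/* Same arithmetic as the GetEventsPerSecond() excerpt quoted in the mail. */
static void get_events_per_second(BaseStats *stats, BaseState *base,
                                  const PacketCounts *pc, double realtime)
{
    stats->alerts_per_second =
        (double)(pc->alert_pkts - base->iAlerts) / realtime;
    base->iAlerts = pc->alert_pkts;

    stats->total_alerts_per_second =
        (double)(pc->total_alert_pkts - base->total_iAlerts) / realtime;
    base->total_iAlerts = pc->total_alert_pkts;
}

/* Run three 10-second intervals with constant traffic (constructed:
 * 50 alerts and 10 IP Reputation alerts per interval) and return the
 * stats reported for the final interval. */
static BaseStats simulate(int buggy)
{
    BaseState base = {0, 0};
    BaseStats stats = {0.0, 0.0};
    PacketCounts pc = {0, 0};
    const double interval_seconds = 10.0;

    for (int i = 0; i < 3; i++) {
        init_base_stats(&base, buggy);
        pc.alert_pkts += 50;
        pc.total_alert_pkts += 60;
        get_events_per_second(&stats, &base, &pc, interval_seconds);
    }
    return stats;
}

/* Rate reported in the last interval; the true per-interval rate is 6.0. */
double last_total_alert_rate(int buggy)
{
    return simulate(buggy).total_alerts_per_second;
}

/* alerts_per_second is unaffected by the bug; the true rate is 5.0. */
double last_alert_rate(int buggy)
{
    return simulate(buggy).alerts_per_second;
}

int main(void)
{
    printf("buggy : alerts/s=%.1f total_alerts/s=%.1f\n",
           last_alert_rate(1), last_total_alert_rate(1));
    printf("fixed : alerts/s=%.1f total_alerts/s=%.1f\n",
           last_alert_rate(0), last_total_alert_rate(0));
    return 0;
}
```

In the buggy run, `total_alerts_per_second` for the third interval comes out as 180 / 10 = 18.0 (the cumulative count divided by one interval) while `alerts_per_second` stays at the correct 5.0; with the reset removed, both fields report per-interval rates (6.0 and 5.0). The divergence grows with uptime, so any dashboard or threshold that alarms on `total_alerts_per_second` drifts upward over time even though the actual alert rate is flat.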