<div dir="ltr">And if it isn't obvious, the fix is to delete the following line from src/preprocessors/perf-base.c in InitBaseStats():<br><pre>sfBase->total_iAlerts = 0;
</pre><pre><span style="font-family:arial,helvetica,sans-serif">-Mike Cox</span><br></pre></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 21, 2015 at 10:21 AM, Mike Cox <span dir="ltr"><<a href="mailto:mike.cox52@...2499..." target="_blank">mike.cox52@...3054....</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Perfmon will output 'alerts_per_second' and 'total_alerts_per_second' with the latter including IP Reputation alerts and the former not.<br><br></div>alerts_per_second is calculated for the time interval and so is total_alerts_per_second and previous counts are tracked with the *iAlerts variables so they aren't counted again. From src/preprocessors/perf-base.c in GetEventsPerSecond():<br><span style="font-family:monospace,monospace"><br>    sfBaseStats->alerts_per_second =<br>        (double)(pc.alert_pkts - sfBase->iAlerts) / Systimes->realtime;<br><br>    sfBase->iAlerts = pc.alert_pkts;<br><br>    sfBaseStats->total_alerts_per_second =<br>        (double)(pc.total_alert_pkts - sfBase->total_iAlerts) / Systimes->realtime;<br><br>    sfBase->total_iAlerts = pc.total_alert_pkts;</span><br><br></div>However, total_iAlerts gets reset to 0 after each init; from src/preprocessors/perf-base.c in InitBaseStats():<br><pre>sfBase->total_iAlerts = 0;
</pre>So effectively you get this:<br><br><span style="font-family:monospace,monospace">    sfBaseStats->total_alerts_per_second =<br>        (double)(pc.total_alert_pkts - 0) / Systimes->realtime;</span><br><div><br></div><div>Which I don't believe is what you want.<br><br></div><div>I checked Snort 2.9.7.5 and Snort 2.9.8 beta and they both had this bug.<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888"><div><br>-Mike Cox<br></div></font></span></div>
</blockquote></div><br></div>
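<p>An added illustration, not Snort source and not code from either message: a minimal C model of the interval calculation quoted in the thread, showing how zeroing the previous-count variable at each init makes the reported rate follow the cumulative total instead of the interval delta. The struct and function names, the sample numbers, and the assumption that init runs after every report are hypothetical.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the counters named in the thread. */
typedef struct { uint64_t total_alert_pkts; } pkt_counts_t; /* cumulative, never reset */
typedef struct { uint64_t total_iAlerts; } base_t;          /* count at previous report */

/* Per-interval init. reset_prev != 0 models the line the thread says to delete. */
static void init_base(base_t *b, int reset_prev)
{
    if (reset_prev)
        b->total_iAlerts = 0;
}

/* Delta-over-realtime calculation in the same shape as the quoted code. */
static double total_rate(base_t *b, const pkt_counts_t *pc, double realtime)
{
    double rate = (double)(pc->total_alert_pkts - b->total_iAlerts) / realtime;
    b->total_iAlerts = pc->total_alert_pkts; /* remember what was already counted */
    return rate;
}

/* Simulate n reporting intervals with per_interval new alerts in each one and
 * return the rate reported for the last interval. */
double last_interval_rate(int reset_prev, int n, uint64_t per_interval, double realtime)
{
    pkt_counts_t pc = {0};
    base_t b = {0};
    double rate = 0.0;

    for (int i = 0; i < n; i++) {
        pc.total_alert_pkts += per_interval; /* traffic seen during this interval */
        rate = total_rate(&b, &pc, realtime);
        init_base(&b, reset_prev);           /* assumption: init follows each report */
    }
    return rate;
}

int main(void)
{
    /* Constructed sample: 600 alerts per 60-second interval, 5 intervals. */
    printf("without reset: %.1f alerts/s\n", last_interval_rate(0, 5, 600, 60.0));
    printf("with reset:    %.1f alerts/s\n", last_interval_rate(1, 5, 600, 60.0));
    return 0;
}
```

<p>With a steady alert rate the model without the reset reports the same value every interval, while the model with the reset reports a value that keeps climbing, which is the pattern to look for in perfmon output from affected builds.</p>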