[Snort-users] 1.8.4-beta1 feedback?

Phil Wood cpw at ...440...
Sat Feb 2 15:35:06 EST 2002


This is my cut on a patch to fix the DropStats.  To incorporate the patch:

  % tar -zxf snort-1.8.4-beta1.tar.gz
  % cd snort-1.8.4-beta1
  % patch -p1 < patch-snort

Voila.

Attached is patch-snort.

On Fri, Feb 01, 2002 at 08:50:18AM -0600, Michael Anderson wrote:
> Are you going to update DropStats to correctly print out drop and receive stats based on Phil Wood's comment in:
> http://marc.theaimsgroup.com/?l=snort-users&m=101233898729378&w=2
> 
> I have updated my own version with what I think is the correct behavior, at least for linux. Otherwise everything looks good to me.
> 
> -Mike Anderson
> 
> Martin Roesch wrote:
> 
> > Good morning,
> >      I can see from the weblogs that 730 of you have downloaded
> > 1.8.4-beta1, does anyone have any feedback or is it perfect in all ways
> > and ready for release? :)
> >
> >      -Marty
> >
> > --
> > Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> > Sourcefire: Professional Snort Sensor and Management Console appliances
> > roesch at ...1935... - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...

-------------- next part --------------
--- beta/snort-1.8.4-beta1/snort.c  Wed Jan 30 03:06:31 2002
+++ snort-1.8.4-beta1/snort.c   Sat Feb  2 00:48:33 2002
@@ -3074,6 +3101,7 @@
     if(pv.quiet_flag)
         return;
 
+     recv = (float) (pc.tcp + pc.udp + pc.icmp + pc.arp + pc.ipx + pc.ipv6 + pc.other + pc.frags + pc.discards - pc.rebuilt_frags);
     /*
      * you will hardly run snort in daemon mode and read from file i that is
      * why no `LogMessage()' here
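Review bot: The added `recv = (float) (pc.tcp + ... + pc.discards - pc.rebuilt_frags);` folds discards into the total and subtracts rebuilt fragments without saying why, and nothing in the patch relates this total to the per-protocol counters it later normalizes; a comment such as `/* packets Snort itself saw: discards are included, reassembled datagrams subtracted because they are presumably also counted under frags -- confirm against the counters */` would let the next reader check the arithmetic. The sum is accumulated directly in a `float`, which represents integers exactly only up to 2^24, and the unchanged `printf("Snort processed %d packets.\n", (int) recv);` in the next hunk converts it back to `int`, which is undefined once the count exceeds `INT_MAX`; accumulating in an `unsigned long` and converting to `float` only at the `CalcPct` calls would avoid both problems. DropStats begins before this hunk, so the declaration of `recv` is not visible here.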
@@ -3082,36 +3110,34 @@
     {
         puts("\n\n===============================================================================\n");
 
-        recv = (float) (pc.tcp + pc.udp + pc.icmp + pc.arp + pc.ipx + pc.ipv6 + pc.other + pc.frags);
-        drop = 0;
 
         printf("Snort processed %d packets.\n", (int) recv);
 
         puts("Breakdown by protocol:                Action Stats:\n");
         printf("    TCP: %-10ld (%.3f%%)%-*sALERTS: %-10ld\n", 
-               pc.tcp, CalcPct((float) pc.tcp, recv + drop), 
-               CalcPct((float)pc.tcp,recv + drop)<10?10:9 , " ", pc.alert_pkts);
+               pc.tcp, CalcPct((float) pc.tcp, recv), 
+               CalcPct((float)pc.tcp,recv)<10?10:9 , " ", pc.alert_pkts);
         printf("    UDP: %-10ld (%.3f%%)%-*sLOGGED: %-10ld\n", 
-               pc.udp, CalcPct((float) pc.udp, recv + drop),  
-               CalcPct((float)pc.udp,recv + drop)<10?10:9, " ", pc.log_pkts);
+               pc.udp, CalcPct((float) pc.udp, recv),  
+               CalcPct((float)pc.udp,recv)<10?10:9, " ", pc.log_pkts);
         printf("   ICMP: %-10ld (%.3f%%)%-*sPASSED: %-10ld\n", 
-               pc.icmp, CalcPct((float) pc.icmp, recv + drop), 
-               CalcPct((float)pc.icmp,recv + drop)<10?10:9, " ", pc.pass_pkts);
-        printf("    ARP: %-10ld (%.3f%%)\n", pc.arp, CalcPct((float) pc.arp, recv + drop));
-        printf("   IPv6: %-10ld (%.3f%%)\n", pc.ipv6, CalcPct((float) pc.ipv6, recv + drop));
-        printf("    IPX: %-10ld (%.3f%%)\n", pc.ipx, CalcPct((float) pc.ipx, recv + drop));
-        printf("  OTHER: %-10ld (%.3f%%)\n", pc.other, CalcPct((float) pc.other, recv + drop));
+               pc.icmp, CalcPct((float) pc.icmp, recv), 
+               CalcPct((float)pc.icmp,recv)<10?10:9, " ", pc.pass_pkts);
+        printf("    ARP: %-10ld (%.3f%%)\n", pc.arp, CalcPct((float) pc.arp, recv));
+        printf("   IPv6: %-10ld (%.3f%%)\n", pc.ipv6, CalcPct((float) pc.ipv6, recv));
+        printf("    IPX: %-10ld (%.3f%%)\n", pc.ipx, CalcPct((float) pc.ipx, recv));
+        printf("  OTHER: %-10ld (%.3f%%)\n", pc.other, CalcPct((float) pc.other, recv));
         printf("===============================================================================\n");
         printf("Fragmentation Stats:\n");
-        printf("Fragmented IP Packets: %-10ld (%-3.3f%%)\n", pc.frags, CalcPct((float) pc.frags, recv + drop));
+        printf("Fragmented IP Packets: %-10ld (%-3.3f%%)\n", pc.frags, CalcPct((float) pc.frags, recv));
         printf("   Rebuilt IP Packets: %-10ld\n", pc.rebuilt_frags);
         printf("   Frag elements used: %-10ld\n", pc.rebuild_element);
         printf("Discarded(incomplete): %-10ld\n", pc.frag_incomp);
         printf("   Discarded(timeout): %-10ld\n", pc.frag_timeout);
         puts("===============================================================================\n");
         printf("TCP Stream Reassembly Stats:\n");
-        printf("   TCP Packets Used:      %-10ld (%-3.3f%%)\n", pc.tcp_stream_pkts, CalcPct((float) pc.tcp_stream_pkts, recv + drop));
-        printf("   Reconstructed Packets: %-10ld (%-3.3f%%)\n", pc.rebuilt_tcp,CalcPct((float) pc.rebuilt_tcp, recv + drop));
+        printf("   TCP Packets Used:      %-10ld (%-3.3f%%)\n", pc.tcp_stream_pkts, CalcPct((float) pc.tcp_stream_pkts, recv));
+        printf("   Reconstructed Packets: %-10ld (%-3.3f%%)\n", pc.rebuilt_tcp,CalcPct((float) pc.rebuilt_tcp, recv));
         printf("   Streams Reconstructed: %-10ld\n", pc.tcp_streams);
         puts("===============================================================================\n");
 
@@ -3125,50 +3151,44 @@
         }
         else
         {
-            recv = (float) ps.ps_recv;
             drop = (float) ps.ps_drop;
 
             LogMessage("\n\n===================================="
                        "===========================================\n");
-            LogMessage("Snort analyzed %d out of %d packets, ", 
-                        ps.ps_recv, ps.ps_recv+ps.ps_drop);
+            LogMessage("Snort analyzed %d out of %d packets.", 
+                        (unsigned long) recv, ps.ps_recv);
 
-            if(ps.ps_recv)
-            {
-                LogMessage("dropping %d(%.3f%%) packets\n\n", 
+            LogMessage("  The kernel dropped %d(%.3f%%).\n\n", 
                             ps.ps_drop, 
-                            CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv+ps.ps_drop) ));
-            }
-            else
-            {
-                LogMessage(".\n");
-            }
+                          CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv) ));
+
+            recv = (float) ps.ps_recv;
 
             LogMessage("Breakdown by protocol:                Action Stats:\n");
             LogMessage("    TCP: %-10ld (%.3f%%)%-*sALERTS: %-10ld\n", 
-                       pc.tcp, CalcPct((float) pc.tcp, recv + drop), 
-                       CalcPct((float)pc.tcp,recv + drop)<10?10:9 , " ", pc.alert_pkts);
+                       pc.tcp, CalcPct((float) pc.tcp, recv), 
+                       CalcPct((float)pc.tcp,recv)<10?10:9 , " ", pc.alert_pkts);
             LogMessage("    UDP: %-10ld (%.3f%%)%-*sLOGGED: %-10ld\n", 
-                       pc.udp, CalcPct((float) pc.udp, recv + drop),  
-                       CalcPct((float)pc.udp,recv + drop)<10?10:9, " ", pc.log_pkts);
+                       pc.udp, CalcPct((float) pc.udp, recv),  
+                       CalcPct((float)pc.udp, recv)<10?10:9, " ", pc.log_pkts);
             LogMessage("   ICMP: %-10ld (%.3f%%)%-*sPASSED: %-10ld\n", 
-                       pc.icmp, CalcPct((float) pc.icmp, recv + drop), 
-                       CalcPct((float)pc.icmp,recv + drop)<10?10:9, " ", pc.pass_pkts);
+                       pc.icmp, CalcPct((float) pc.icmp, recv), 
+                       CalcPct((float)pc.icmp,recv)<10?10:9, " ", pc.pass_pkts);
             LogMessage("    ARP: %-10ld (%.3f%%)\n", 
-                        pc.arp, CalcPct((float) pc.arp, recv + drop));
+                        pc.arp, CalcPct((float) pc.arp, recv));
             LogMessage("   IPv6: %-10ld (%.3f%%)\n", 
-                        pc.ipv6, CalcPct((float) pc.ipv6, recv + drop));
+                        pc.ipv6, CalcPct((float) pc.ipv6, recv));
             LogMessage("    IPX: %-10ld (%.3f%%)\n", 
-                        pc.ipx, CalcPct((float) pc.ipx, recv + drop));
+                        pc.ipx, CalcPct((float) pc.ipx, recv));
             LogMessage("  OTHER: %-10ld (%.3f%%)\n", 
-                        pc.other, CalcPct((float) pc.other, recv + drop));
+                        pc.other, CalcPct((float) pc.other, recv));
             LogMessage("DISCARD: %-10ld (%.3f%%)\n", 
-                        pc.discards, CalcPct((float) pc.discards, recv + drop));
+                        pc.discards, CalcPct((float) pc.discards, recv));
             LogMessage("================================================"
                        "===============================\n");
             LogMessage("Fragmentation Stats:\n");
             LogMessage("Fragmented IP Packets: %-10ld (%.3f%%)\n", 
-                        pc.frags, CalcPct((float) pc.frags, recv + drop));
+                        pc.frags, CalcPct((float) pc.frags, recv));
             LogMessage("    Fragment Trackers: %-10ld\n", 
                         pc.frag_trackers);
             LogMessage("   Rebuilt IP Packets: %-10ld\n", 
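Review bot: `LogMessage("Snort analyzed %d out of %d packets.", (unsigned long) recv, ps.ps_recv);` passes an `unsigned long` to a `%d` conversion, which is undefined where `long` is wider than `int` and prints garbage on 64-bit builds; if LogMessage is printf-like, as its use here suggests, the format should be `"Snort analyzed %lu out of %u packets."` (`ps_recv` is a `u_int` in `struct pcap_stat`). Removing the `if(ps.ps_recv)` guard means `CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv) )` now runs with a zero denominator when nothing was received, so unless CalcPct handles that itself (its body is not in this patch) the guard should stay or the percentage be reported as 0. `drop = (float) ps.ps_drop;` is no longer read anywhere in this hunk since every `recv + drop` became `recv`, so it is a dead store unless the function uses it after the last hunk; DropStats extends past this hunk on both sides. Leaving `recv = (float) ps.ps_recv;` after the "analyzed" message is deliberate but easy to break on the next edit; a comment like `/* from here on percentages are relative to what pcap delivered, not to Snort's own count */` above it would protect the ordering.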
@@ -3187,7 +3207,7 @@
             LogMessage("TCP Stream Reassembly Stats:\n");
             LogMessage("        TCP Packets Used: %-10ld (%-3.3f%%)\n", 
                         pc.tcp_stream_pkts, 
-                        CalcPct((float) pc.tcp_stream_pkts, recv + drop));
+                        CalcPct((float) pc.tcp_stream_pkts, recv));
             LogMessage("         Stream Trackers: %-10ld\n", pc.tcp_streams);
             LogMessage("          Stream flushes: %-10ld\n", pc.rebuilt_tcp);
             LogMessage("           Segments used: %-10ld\n", pc.rebuilt_segs);
@@ -3199,7 +3219,6 @@
 
     return;
 }
-
 
 void ReadConfFile()
 {

