[Snort-users] Re: snort 2.2.0 and linux-smp-stats

Sam Evans wintrmte at ...11827...
Mon Oct 11 10:45:20 EDT 2004


Well, I decided to be daring with my nonexistent C skills..  I
believe I have fixed the problem with linux-smp not working on RHEL
boxes..

The /proc/stat contains 7 fields whereas it expected 4.  The
following patch should fix the problem..  Please be aware that I am in
no way a C programmer.  I've tested this on my hardware, and it seems
to be working OK.

YMMV, and use at your own risk, of course ..

Thanks,
Sam

-------------------- Cut and paste below into
sfprocpidstats-rhel.c.diff -----------------------

*** sfprocpidstats.c.original   2004-10-11 17:33:55.000000000 +0000
--- sfprocpidstats.c    2004-10-11 17:22:59.000000000 +0000
***************
*** 61,88 ****
      int iCtr;
      u_long ulUser;
      u_long ulNice;
      u_long ulSys;
      u_long ulIdle;

      rewind(proc_stat);

      /*
      **  Read the total CPU usage, don't use right now.
      */
!     iRet = fscanf(proc_stat, "%*s %*u %*u %*u %*u");
      if(iRet == EOF)
          return -1;

      /*
      **  Read the individual CPU usages.  This tells us where
      **  sniffing and snorting is occurring.
      */
      for(iCtr = 0; iCtr < iCPUs; iCtr++)
      {
!         iRet = fscanf(proc_stat, "%*s %lu %lu %lu %lu",
!                       &ulUser, &ulNice, &ulSys, &ulIdle);

          if(iRet == EOF || iRet < 4)
              return -1;

          pStatCPUs[iCtr].user = ulUser + ulNice;
--- 61,91 ----
      int iCtr;
      u_long ulUser;
      u_long ulNice;
      u_long ulSys;
      u_long ulIdle;
+     u_long ulUndef1;
+     u_long ulUndef2;
+     u_long ulUndef3;

      rewind(proc_stat);

      /*
      **  Read the total CPU usage, don't use right now.
      */
!     iRet = fscanf(proc_stat, "%*s %*u %*u %*u %*u %*u %*u %*u");
      if(iRet == EOF)
          return -1;

      /*
      **  Read the individual CPU usages.  This tells us where
      **  sniffing and snorting is occurring.
      */
      for(iCtr = 0; iCtr < iCPUs; iCtr++)
      {
!         iRet = fscanf(proc_stat, "%*s %lu %lu %lu %lu %lu %lu %lu",
!                       &ulUser, &ulNice, &ulSys, &ulIdle, &ulUndef1,
&ulUndef2, &ulUndef3);

          if(iRet == EOF || iRet < 4)
              return -1;

          pStatCPUs[iCtr].user = ulUser + ulNice;
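
Review bot: the per-CPU `fscanf` in the loop now asks for seven conversions, but the unchanged `if(iRet == EOF || iRet < 4)` still accepts a line that supplies only four, and a line with more than seven counters would leave the surplus in the stream for the next iteration's `%*s` to consume, shifting every later read. Reading each line with `fgets` and taking the first four values with `sscanf` would make the loop independent of the field count. `ulUndef1` through `ulUndef3` are not used in the lines shown; `%*lu` in the format would skip those columns without the extra locals.
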
***************
*** 101,111 ****

      rewind(proc_stat);

      while(1)
      {
!         iRet = fscanf(proc_stat, "%10s %*u %*u %*u %*u", acCpuName);
          if(iRet < 1 || iRet == EOF)
          {
              return 0;
          }

--- 104,114 ----

      rewind(proc_stat);

      while(1)
      {
!         iRet = fscanf(proc_stat, "%10s %*u %*u %*u %*u %*u %*u %*u",
acCpuName);
          if(iRet < 1 || iRet == EOF)
          {
              return 0;
          }

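Review bot: the CPU-counting `fscanf` repeats the seven-field assumption in a third format string, so this loop and the two reads in the first hunk have to be changed together whenever the column count differs; one line-based helper (`fgets`, then match the `cpu` prefix) shared by both functions would remove that coupling. Separately, `%10s` stores up to 10 characters plus the terminator, so `acCpuName` needs at least 11 bytes; its declaration is outside the hunk and worth confirming.
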


On Mon, 11 Oct 2004 11:06:27 -0600, Sam Evans <wintrmte at ...11827...> wrote:
> I too am having the same problem here..
> 
> This is on an RHEL 3.0 box, Linux ids01 2.4.21-20.ELsmp #1 SMP Wed Aug
> 18 20:46:40 EDT 2004 i686 i686 i386 GNU/Linux
> 
> cat /proc/stat :
> cpu  5156620 441 11244240 353291735 267820 621227 4541845
> cpu0 1718960 93 3170141 88684615 60976 2 146307
> cpu1 872968 126 2152761 85885910 70501 621225 4177454
> cpu2 1563749 74 3188519 88810050 62019 0 156534
> cpu3 1000943 148 2732819 89911160 74324 0 61550
> 
> any chance of there being a patch for this?
> 
> Thx,
> Sam
> 
> > Permissions are fine.  I am running snort as root AND /proc/stat is
> > mode 444 (read by everyone)
> >
> > I think Snort is seeing something it can't parse in the file.  What
> > it's looking for I am not sure.
> >
> > -g-
>
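
A line-oriented way to read /proc/stat that does not depend on how many counters each cpu line carries, given here as an added example and not code from this thread or from Snort. The names `cpu_sample`, `parse_cpu_line` and `read_cpu_stats` are hypothetical, and the code assumes the first four counters are user, nice, system and idle, as the variable names in the patch indicate.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct cpu_sample { unsigned long user, sys, idle; }; /* hypothetical type */

/* Parse one /proc/stat line. Returns 1 for a per-CPU line ("cpuN ..."),
 * 0 for any other line (aggregate "cpu", "intr", ...), and -1 for a per-CPU
 * line with fewer than four counters. Counters past the fourth are ignored. */
int parse_cpu_line(const char *line, struct cpu_sample *out)
{
    unsigned long user, nice, sys, idle;

    if (strncmp(line, "cpu", 3) != 0 || !isdigit((unsigned char)line[3]))
        return 0;
    if (sscanf(line, "%*s %lu %lu %lu %lu", &user, &nice, &sys, &idle) != 4)
        return -1;
    out->user = user + nice;  /* user+nice folding as in the patched code */
    out->sys = sys;
    out->idle = idle;
    return 1;
}

/* Read all per-CPU lines from fp. Returns the CPU count, or -1 on a short
 * line. An over-long line (e.g. "intr") arrives in chunks that are skipped. */
int read_cpu_stats(FILE *fp, struct cpu_sample *cpus, int max)
{
    char line[512];
    int n = 0, rc;

    rewind(fp);
    while (n < max && fgets(line, sizeof line, fp) != NULL) {
        if ((rc = parse_cpu_line(line, &cpus[n])) < 0)
            return -1;
        n += rc;
    }
    return n;
}

int main(void)
{
    struct cpu_sample cpus[64];
    FILE *fp = fopen("/proc/stat", "r");
    int i, n = fp ? read_cpu_stats(fp, cpus, 64) : -1;

    for (i = 0; i < n; i++)
        printf("cpu%d user=%lu sys=%lu idle=%lu\n", i, cpus[i].user, cpus[i].sys, cpus[i].idle);
    if (fp) fclose(fp);
    return n < 0;
}
```
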



