Re: Perfmon total_alerts tracking bug

[Mike Cox <mike.cox52 () gmail com>]

And if it isn't obvious, the fix is to delete the following line from
src/preprocessors/perf-base.c in InitBaseStats():

sfBase->total_iAlerts = 0;

-Mike Cox


On Fri, Aug 21, 2015 at 10:21 AM, Mike Cox <mike.cox52 () gmail com> wrote:

> Perfmon will output 'alerts_per_second' and 'total_alerts_per_second' with
> the latter including IP Reputation alerts and the former not.
>
> alerts_per_second is calculated for the time interval and so is
> total_alerts_per_second and previous counts are tracked with the *iAlerts
> variables so they aren't counted again. From src/preprocessors/perf-base.c
> in GetEventsPerSecond():
>
>     sfBaseStats->alerts_per_second =
>         (double)(pc.alert_pkts - sfBase->iAlerts) / Systimes->realtime;
>
>     sfBase->iAlerts = pc.alert_pkts;
>
>     sfBaseStats->total_alerts_per_second =
>         (double)(pc.total_alert_pkts - sfBase->total_iAlerts) /
> Systimes->realtime;
>
>     sfBase->total_iAlerts = pc.total_alert_pkts;
>
> However, total_iAlerts gets reset to 0 after each init; from
> src/preprocessors/perf-base.c in InitBaseStats():
>
> sfBase->total_iAlerts = 0;
>
> So effectively you get this:
>
>     sfBaseStats->total_alerts_per_second =
>         (double)(pc.total_alert_pkts - 0) / Systimes->realtime;
>
> Which I don't believe is what you want.
>
> I checked Snort 2.9.7.5 and Snort 2.9.8 beta and they both had this bug.
>
> -Mike Cox
------------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!