[Snort-users] [PATCH]: bad calculation of the amount of drop.

This is a discussion on [Snort-users] [PATCH]: bad calculation of the amount of drop. within the Snort forums, part of the System Security and Security Related category.

Old 10-01-2003
Yoann Vandoorselaere

Hi,

It seems that Snort has a bug preventing the calculation of the correct
amount of dropped packets. This bug makes Snort report ~50% of dropped
packets when there are in fact ~99% of drops.

In order to compute the amount of dropped packets, Snort uses the
statistics provided by pcap through the pcap_stat structure.

This structure contains two fields:

- ps_recv is the total amount of packets received, _including DROP_.
- ps_drop is the amount of packets dropped by the kernel.

The correct way to gather the number of analyzed packets is to subtract
ps_drop from ps_recv. Adding a simple packet counter to Snort will
provide you with the proof that the correct way to calculate the
percentage of DROP is to use ps_recv - ps_drop.

Also, the following comment in the pcap source code describes this
behavior, from pcap-bpf.c (the same kind of comment is present in
pcap-linux.c):

/*
* "ps_recv" counts packets handed to the filter, not packets
* that passed the filter. This includes packets later dropped
* because we ran out of buffer space.
*
* "ps_drop" counts packets dropped inside the BPF device
* because we ran out of buffer space. It doesn't count
* packets dropped by the interface driver. It counts
* only packets that passed the filter.
*
* Both statistics include packets not yet read from the kernel
* by libpcap, and thus not yet seen by the application.
*/

The same kind of comment is present in pcap-linux.c


The current code in Snort enabling the calculation of the amount of drops is
in util.c:

LogMessage("Snort analyzed %d out of %d packets, ",
ps.ps_recv, ps.ps_recv+ps.ps_drop);

As ps_recv already contains the amount of drops, the line of code in
question should look more like:

LogMessage("Snort analyzed %d out of %d packets, ",
ps.ps_recv - ps.ps_drop, ps.ps_recv);

Then the following offending line of code:

LogMessage("dropping %d(%.3f%%) packets\n\n",
ps.ps_drop,
CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv+ps.ps_drop)
));

That should be corrected to:

LogMessage("dropping %d(%.3f%%) packets\n\n",
ps.ps_drop,
CalcPct( (float) ps.ps_drop, (float) ps.ps_recv ));

Also, the per-protocol breakdown should probably be fixed to be computed
against the amount of received packets, and not the amount of packets
received + the number of DROP (the patch doesn't fix this, and keeps the
current behavior).

--
Yoann Vandoorselaere <yoann@prelude-ids.org>

--=-H+ih5YXKTV0cc0iL5qBM
Content-Disposition: attachment; filename=snort-drop-calculation.diff
Content-Type: text/x-patch; name=snort-drop-calculation.diff; charset=UTF-8
Content-Transfer-Encoding: 7bit

--- src/util.orig 2003-10-01 16:17:50.000000000 +0200
+++ src/util.c 2003-10-01 16:20:27.000000000 +0200
@@ -916,13 +916,13 @@
LogMessage("\n\n================================== =="
"===========================================\n ");
LogMessage("Snort analyzed %d out of %d packets, ",
- ps.ps_recv, ps.ps_recv+ps.ps_drop);
+ ps.ps_recv - ps.ps_drop, ps.ps_recv);

if(ps.ps_recv)
{
LogMessage("dropping %d(%.3f%%) packets\n\n",
ps.ps_drop,
- CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv+ps.ps_drop) ));
+ CalcPct( (float) ps.ps_drop, (float) ps.ps_recv ));
}
else
{
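Review bot: the new `ps.ps_recv - ps.ps_drop` on the "analyzed" line relies on ps_recv always including the dropped packets, which the quoted pcap-bpf.c comment promises for that backend only; if these are libpcap's unsigned counters, a backend where ps_recv excludes drops makes the difference wrap to a huge value. Suggest guarding it, e.g. `ps.ps_recv >= ps.ps_drop ? ps.ps_recv - ps.ps_drop : 0`, and printing unsigned counters with `%u` rather than `%d`. The existing `if(ps.ps_recv)` guard does match the new denominator, so the division-by-zero case is covered.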
@@ -931,44 +931,44 @@

LogMessage("Breakdown by protocol: Action Stats:\n");
LogMessage(" TCP: %-10ld (%.3f%%)%-*sALERTS: %-10ld\n",
- pc.tcp, CalcPct((float) pc.tcp, recv + drop),
+ pc.tcp, CalcPct((float) pc.tcp, recv),
CalcPct((float)pc.tcp,recv + drop)<10?10:9 , " ", pc.alert_pkts);
LogMessage(" UDP: %-10ld (%.3f%%)%-*sLOGGED: %-10ld\n",
- pc.udp, CalcPct((float) pc.udp, recv + drop),
+ pc.udp, CalcPct((float) pc.udp, recv),
CalcPct((float)pc.udp,recv + drop)<10?10:9, " ", pc.log_pkts);
LogMessage(" ICMP: %-10ld (%.3f%%)%-*sPASSED: %-10ld\n",
- pc.icmp, CalcPct((float) pc.icmp, recv + drop),
+ pc.icmp, CalcPct((float) pc.icmp, recv),
CalcPct((float)pc.icmp,recv + drop)<10?10:9, " ", pc.pass_pkts);
LogMessage(" ARP: %-10ld (%.3f%%)\n",
- pc.arp, CalcPct((float) pc.arp, recv + drop));
+ pc.arp, CalcPct((float) pc.arp, recv));
LogMessage(" EAPOL: %-10ld (%.3f%%)\n",
- pc.eapol, CalcPct((float) pc.eapol, recv + drop));
+ pc.eapol, CalcPct((float) pc.eapol, recv));
LogMessage(" IPv6: %-10ld (%.3f%%)\n",
- pc.ipv6, CalcPct((float) pc.ipv6, recv + drop));
+ pc.ipv6, CalcPct((float) pc.ipv6, recv));
LogMessage(" IPX: %-10ld (%.3f%%)\n",
- pc.ipx, CalcPct((float) pc.ipx, recv + drop));
+ pc.ipx, CalcPct((float) pc.ipx, recv));
LogMessage(" OTHER: %-10ld (%.3f%%)\n",
- pc.other, CalcPct((float) pc.other, recv + drop));
+ pc.other, CalcPct((float) pc.other, recv));
LogMessage("DISCARD: %-10ld (%.3f%%)\n",
- pc.discards, CalcPct((float) pc.discards, recv + drop));
+ pc.discards, CalcPct((float) pc.discards, recv));
LogMessage("====================================== =========="
"===============================\n");
LogMessage("Wireless Stats:\n");
LogMessage("Breakdown by type:\n");
LogMessage(" Management Packets: %-10ld (%.3f%%)\n",
pc.wifi_mgmt, CalcPct((float) pc.wifi_mgmt
- , recv + drop));
+ , recv));
LogMessage(" Control Packets: %-10ld (%.3f%%)\n",
pc.wifi_control, CalcPct((float) pc.wifi_control
- , recv + drop));
+ , recv));
LogMessage(" Data Packets: %-10ld (%.3f%%)\n",
pc.wifi_data, CalcPct((float) pc.wifi_data
- , recv + drop));
+ , recv));
LogMessage("====================================== =========="
"===============================\n");
LogMessage("Fragmentation Stats:\n");
LogMessage("Fragmented IP Packets: %-10ld (%.3f%%)\n",
- pc.frags, CalcPct((float) pc.frags, recv + drop));
+ pc.frags, CalcPct((float) pc.frags, recv));
LogMessage(" Fragment Trackers: %-10ld\n",
pc.frag_trackers);
LogMessage(" Rebuilt IP Packets: %-10ld\n",
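Review bot: the width expressions left as unchanged context, `CalcPct((float)pc.tcp,recv + drop)<10?10:9` and the UDP and ICMP equivalents, still divide by `recv + drop` while the percentage printed on the changed lines now divides by `recv`, so the column padding is computed from a different value than the one displayed and the two can disagree around the 10% boundary; change those three to `recv` as well. This hunk also contradicts the cover message, which says the per-protocol breakdown is left alone by the patch; either drop the hunk or update the description.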
@@ -987,7 +987,7 @@
LogMessage("TCP Stream Reassembly Stats:\n");
LogMessage(" TCP Packets Used: %-10ld (%-3.3f%%)\n",
pc.tcp_stream_pkts,
- CalcPct((float) pc.tcp_stream_pkts, recv + drop));
+ CalcPct((float) pc.tcp_stream_pkts, recv));
LogMessage(" Stream Trackers: %-10ld\n", pc.tcp_streams);
LogMessage(" Stream flushes: %-10ld\n", pc.rebuilt_tcp);
LogMessage(" Segments used: %-10ld\n", pc.rebuilt_segs);
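Review bot: same point as the breakdown hunk: this changes the TCP stream reassembly denominator to `recv` although the cover message says the patch keeps the current behavior for the breakdown, so the description and the diff need to be reconciled. Also check how `recv` is defined above this hunk (not visible here): for the percentages to agree with the corrected summary line it must be the raw `ps.ps_recv` total, not `ps_recv - ps_drop`.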

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
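An added example (my own code, not Snort's or libpcap's) that puts the two drop-percentage formulas from the post side by side on constructed counters; `drop_stat` stands in for libpcap's pcap_stat and `calc_pct` for Snort's CalcPct, both assumed here rather than taken from either project.

```c
/* Added example, not code from the post or from Snort. */
#include <stdio.h>

/* Constructed stand-in for libpcap's struct pcap_stat, keeping only the
 * two fields the post discusses: ps_recv counts packets handed to the
 * filter, drops included; ps_drop counts those dropped for lack of
 * buffer space. */
struct drop_stat {
    unsigned int ps_recv;
    unsigned int ps_drop;
};

/* Percentage helper in the spirit of Snort's CalcPct (assumed here). */
static double calc_pct(double cnt, double total)
{
    return total > 0.0 ? (cnt / total) * 100.0 : 0.0;
}

/* Original Snort formula: treats ps_recv as if it excluded drops. */
double drop_pct_old(const struct drop_stat *s)
{
    return calc_pct((double)s->ps_drop, (double)s->ps_recv + s->ps_drop);
}

/* Corrected formula from the patch: ps_recv is already the grand total. */
double drop_pct_fixed(const struct drop_stat *s)
{
    return calc_pct((double)s->ps_drop, (double)s->ps_recv);
}

/* Packets actually handed to the application. Clamped to 0 because the
 * subtraction is unsigned and a libpcap backend that does not fold drops
 * into ps_recv would otherwise wrap around. */
unsigned int analyzed_pkts(const struct drop_stat *s)
{
    return s->ps_recv >= s->ps_drop ? s->ps_recv - s->ps_drop : 0;
}

int main(void)
{
    /* Constructed sample: 1,000,000 handed to the filter, 990,000 dropped,
     * i.e. the ~99% drop scenario the post describes. */
    struct drop_stat s = { 1000000u, 990000u };
    printf("analyzed %u of %u, drop old=%.3f%% fixed=%.3f%%\n",
           analyzed_pkts(&s), s.ps_recv, drop_pct_old(&s), drop_pct_fixed(&s));
    return 0;
}
```

With the sample counters the old formula reports about 49.7% dropped and the corrected one 99%, which is the ~50% versus ~99% discrepancy the post reports.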