[Snort-devel] snort 2.1.3RC1 perfmon feature patch (RST/FIN)

From: Erik Fichtner <emf(at)servervault.com>
Date: Tue Apr 27 2004 - 23:39:36 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all. Just thought I'd send this out in case someone else thought it was useful. It's quite trivial, but basically, I have a gauge that tracks

        ( ( SYN + SYN_ACK ) / (RST + RST_ACK + FIN + FIN_ACK) ) * CONSTANT

for tcp connections. I wanted to use perfmon to give me this data instead of having to pull it out of pcaps directly, so.... If no one else thinks that's handy, then so be it. ;)

  • perf-base.c.orig Wed Apr 28 02:51:54 2004 - --- perf-base.c Wed Apr 28 02:53:49 2004
  • 358,363 **** - --- 358,369 ---- sfBaseStats->synacks_per_second = (double)(sfBase->iSynAcks) / Systimes->realtime;
+     sfBaseStats->rsts_per_second = 
+         (double)(sfBase->iRsts) / Systimes->realtime;
+ 
+     sfBaseStats->fins_per_second = 
+         (double)(sfBase->iFins) / Systimes->realtime;
+ 
      sfBaseStats->deleted_sessions_per_second = 
          (double)(sfBase->iDeletedSessions) / Systimes->realtime;
  

  • 388,393 **** - --- 394,401 ----
      sfBase->iSyns = 0;
      sfBase->iSynAcks = 0;
+     sfBase->iRsts = 0;
+     sfBase->iFins = 0;
      sfBase->iNewSessions = 0;
      sfBase->iDeletedSessions = 0;
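Review bot: iRsts and iFins are reset in this hunk and incremented in spp_perfmonitor.c, but no hunk in the patch declares them; the perf-base.h hunk at 113 adds only the doubles rsts_per_second and fins_per_second. Unless those counters already exist in the structure sfBase points to, the patch needs a matching declaration next to iSyns and iSynAcks, with the same integer type, or it will not compile.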
  

  • 726,735 **** #ifdef WIN32 "%.1f,%.1f,%.1f,%.1f,%I64i,%I64i,", #else ! "%.1f,%.1f,%.1f,%.1f,%llu,%llu,", #endif sfBaseStats->syns_per_second, sfBaseStats->synacks_per_second, sfBaseStats->new_sessions_per_second, sfBaseStats->deleted_sessions_per_second, sfBaseStats->total_sessions, - --- 734,745 ---- #ifdef WIN32 "%.1f,%.1f,%.1f,%.1f,%I64i,%I64i,", #else ! "%.1f,%.1f,%.1f,%.1f,%.1f,%.1f,%llu,%llu,", #endif sfBaseStats->syns_per_second, sfBaseStats->synacks_per_second, + sfBaseStats->rsts_per_second, + sfBaseStats->fins_per_second, sfBaseStats->new_sessions_per_second, sfBaseStats->deleted_sessions_per_second, sfBaseStats->total_sessions,
  • 867,872 **** - --- 877,884 ---- /* Session estimation statistics */ LogMessage("Syns/Sec : %.1f\n", sfBaseStats->syns_per_second); LogMessage("Syn-Acks/Sec : %.1f\n", sfBaseStats->synacks_per_second); + LogMessage("Rsts/Sec : %.1f\n", sfBaseStats->rsts_per_second); + LogMessage("Fins/Sec : %.1f\n", sfBaseStats->fins_per_second); LogMessage("New Sessions/Sec: %.1f\n", sfBaseStats->new_sessions_per_second); LogMessage("Del Sessions/Sec: %.1f\n", sfBaseStats->deleted_sessions_per_second); LogMessage("Total Sessions : %llu\n", sfBaseStats->total_sessions);
  • perf-base.h.orig Wed Apr 28 03:12:20 2004 - --- perf-base.h Wed Apr 28 03:12:46 2004
  • 113,118 **** - --- 113,120 ---- double alerts_per_second; double syns_per_second; double synacks_per_second; + double rsts_per_second; + double fins_per_second; double deleted_sessions_per_second; double new_sessions_per_second;
  • spp_perfmonitor.c.orig Wed Apr 28 02:52:05 2004 - --- spp_perfmonitor.c Wed Apr 28 02:54:54 2004
  • 327,332 **** - --- 327,340 ---- /* this is a better approximation of connections */ sfPerf.sfBase.iSynAcks++; } + else if(p->tcph->th_flags & TH_RST) + { + sfPerf.sfBase.iRsts++; + } + else if(p->tcph->th_flags & TH_FIN) + { + sfPerf.sfBase.iFins++; + } }

      /*
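Review bot: in the perf-base.c hunk at 726, only the non-WIN32 format string grows from four to six %.1f conversions; the WIN32 string is still "%.1f,%.1f,%.1f,%.1f,%I64i,%I64i," while the argument list gains rsts_per_second and fins_per_second on both platforms. On WIN32 the two %I64i conversions would then be fed doubles, so that branch needs the same two extra %.1f fields. Inserting the new columns after synacks_per_second also shifts every later field of the output line, so either note the new column order for anything that parses the stats file by position, or append the two fields at the end instead.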
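Review bot: in the spp_perfmonitor.c hunk at 327, the new tests are chained with else if behind the existing branch that increments iSynAcks, so each segment bumps at most one counter: a segment with both RST and FIN set counts only toward iRsts, and one already taken by an earlier branch counts toward neither. If that is intended, a short comment saying so would help; otherwise use independent if tests. Because p->tcph->th_flags & TH_RST matches any segment with RST set, it is also worth a comment that RST and RST/ACK (and likewise FIN and FIN/ACK) are deliberately counted together.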

-- 
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQFAjyd4Q7EzrewLMS0RAtCXAJ9d24hLobMGxHBd64OGo9q3B0yc7QCfSQ4f o46IUuEXV53Ou3oeKy2hs/Q=
=F8Ou
-----END PGP SIGNATURE-----



Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Tue Apr 27 23:46:48 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:12 EDT

