This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

securityonion-sostat: calculate suricata packet loss as percentage #1663

Closed
dougburks opened this issue Nov 5, 2019 · 6 comments

Comments

@dougburks
Contributor

No description provided.

@dougburks
Contributor Author

for i in /nsm/sensor_data/*/stats.log; do
                echo "$i"
                # Only look at recent output; any "drop" line in it means Suricata has reported drops
                if [ "$( tail -n 50 "$i" | grep -c drop )" -ne 0 ]; then
                        echo
                        SURI_CAPTURE=$(tail -n 50 "$i" | grep -m1 "capture.kernel_packets" | awk '{print $5}')
                        SURI_DROPS=$(tail -n 50 "$i" | grep -m1 "capture.kernel_drops" | awk '{print $5}')
                        # Guard against an empty or zero packet count (bc would abort on divide by zero)
                        if [ -n "$SURI_CAPTURE" ] && [ "$SURI_CAPTURE" -ne 0 ]; then
                                : "${SURI_DROPS:=0}"
                                # drops as a percentage of kernel packets, two decimal places
                                SURI_PCT=$(echo "scale=2 ; $SURI_DROPS * 100 / $SURI_CAPTURE" | bc)
                                echo "$SURI_PCT% Loss"
                        else
                                echo "capture.kernel_packets not found in the last 50 lines of stats.log."
                        fi
                        echo
                else
                        echo
                        echo "No packet drops reported."
                        echo
                fi
done

dougburks added a commit to Security-Onion-Solutions/securityonion-sostat that referenced this issue Nov 5, 2019
@dougburks
Contributor Author

The following package is now available at ppa:securityonion/test:

securityonion-sostat - 20120722-0ubuntu0securityonion135

Please test as follows:

  • install the latest ISO image in a VM
  • run Setup choosing Production Mode and then Suricata
  • if possible, create a snapshot of the VM
  • add the test PPA:
    sudo add-apt-repository -y ppa:securityonion/test
  • install updates:
    sudo soup
  • run sostat and verify that the Suricata section shows 0 loss:
    sudo sostat
  • create some Suricata drops by sending lots of traffic
  • run sostat again and verify that the Suricata section now shows loss as a percentage:
    sudo sostat
  • verify no regressions
  • anything else we missed?

Thanks in advance for your time and effort!

@weslambert

After testing, it appears that we won't always get a consistent result only searching for the last 50 lines of output from stats.log. We should consider increasing to something like 100 to ensure we get through at least the last set of stats.

Ref:
https://github.com/Security-Onion-Solutions/securityonion-sostat/blob/master/bin/sostat#L207-L210

@dougburks
Contributor Author

OK, I've updated the code so that it now grabs the latest Suricata stats update in its entirety:
Security-Onion-Solutions/securityonion-sostat@4fbc516

securityonion-sostat - 20120722-0ubuntu0securityonion136 is now available for testing at ppa:securityonion/test.
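One way to do what the updated package is described as doing, as an added example that is not sostat's own code and not the code in the referenced commit: take the last complete stats block from stats.log (rather than the last 50 lines, which can straddle two blocks or miss the counters) and report capture.kernel_drops as a percentage of capture.kernel_packets, refusing to divide when the packet counter is missing, non-numeric or zero. It assumes Suricata's default stats.log layout (each dump starts with a "Date:" line; counter rows look like counter | TM Name | Value, so the value is awk field 5). The function names, the file contents and the numbers below are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from sostat or Security Onion: compute Suricata packet
# loss as a percentage from the LAST complete stats block of a stats.log.
#
# Assumed (not stated on the page): Suricata's default stats.log layout, where
# each dump begins with a "Date:" line and each counter row is
#   counter.name | TM Name | Value
# so the value is awk field 5.

# last_stats_block <file>: print everything from the final "Date:" line on.
# The awk buffer is emptied at every "Date:" marker, so what remains at EOF is
# the latest block, even if more than 50 lines long.
last_stats_block() {
    awk '/^Date:/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# counter_value <name>: read a block on stdin, print the first value for <name>.
counter_value() {
    awk -v name="$1" '$1 == name { print $5; exit }'
}

# is_uint <string>: true only for a non-empty run of ASCII digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# suri_loss_pct <stats.log>: print "<pct>% Loss" for the latest block.
# Returns 1 when capture.kernel_packets is missing, non-numeric or 0, so the
# caller never divides by zero or feeds an empty string to the calculator.
suri_loss_pct() {
    block=$(last_stats_block "$1")
    pkts=$(printf '%s\n' "$block" | counter_value capture.kernel_packets)
    drops=$(printf '%s\n' "$block" | counter_value capture.kernel_drops)
    if ! is_uint "$pkts" || [ "$pkts" -eq 0 ]; then
        echo "No usable capture.kernel_packets counter in latest stats block."
        return 1
    fi
    is_uint "$drops" || drops=0
    # Percentage with two decimals, computed in awk so bc is not required.
    awk -v d="$drops" -v p="$pkts" 'BEGIN { printf "%.2f%% Loss\n", d * 100 / p }'
}

# make_sample_stats_log <file>: write a CONSTRUCTED two-block stats.log.
# The older block shows 5% loss, the newer one 1%; only the newer block counts.
make_sample_stats_log() {
    cat > "$1" <<'EOF'
------------------------------------------------------------------------------------
Date: 11/5/2019 -- 12:00:00 (uptime: 0d, 00h 05m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 100000
capture.kernel_drops                       | Total                     | 5000
decoder.pkts                               | Total                     | 95000
------------------------------------------------------------------------------------
Date: 11/5/2019 -- 12:05:00 (uptime: 0d, 00h 10m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 200000
capture.kernel_drops                       | Total                     | 2000
decoder.pkts                               | Total                     | 198000
EOF
}

# Stand-alone demo on the constructed file.
sample=$(mktemp)
make_sample_stats_log "$sample"
suri_loss_pct "$sample"      # prints: 1.00% Loss
rm -f "$sample"
```

Because the block is selected by its "Date:" header rather than by a fixed line count, the result does not change as Suricata adds or removes counters between versions; the only layout dependency is the five-field row, which is the same one the awk '{print $5}' in the script above relies on.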

@weslambert

Just tested the updated package. Looks good 👍 !
