securityonion-sostat: calculate suricata packet loss as percentage #1663

Closed
dougburks opened this issue Nov 5, 2019 · 6 comments
@dougburks dougburks commented Nov 5, 2019

No description provided.

@dougburks dougburks added this to To do in 16.04.6.3 via automation Nov 5, 2019
@dougburks dougburks commented Nov 5, 2019

for i in /nsm/sensor_data/*/stats.log; do
        echo "$i"
        if [ "$(tail -n 50 "$i" | grep -c drop)" -ne 0 ]; then
                echo
                # stats.log rows look like "counter | TM Name | value", so the value is field 5
                SURI_CAPTURE=$(tail -n 50 "$i" | grep -m1 "capture.kernel_packets" | awk '{print $5}')
                SURI_DROPS=$(tail -n 50 "$i" | grep -m1 "capture.kernel_drops" | awk '{print $5}')
                SURI_DROPS=${SURI_DROPS:-0}
                if [ -n "$SURI_CAPTURE" ] && [ "$SURI_CAPTURE" -gt 0 ]; then
                        # multiply before dividing so scale=2 keeps two decimals of the percentage
                        SURI_PCT=$(echo "scale=2 ; $SURI_DROPS * 100 / $SURI_CAPTURE" | bc)
                        echo "$SURI_PCT% Loss"
                else
                        echo "Unable to calculate loss: capture.kernel_packets not found in the last 50 lines."
                fi
                echo
        else
                echo
                echo "No packet drops reported."
                echo
        fi
done
@dougburks dougburks moved this from To do to In progress in 16.04.6.3 Nov 5, 2019
dougburks added a commit to Security-Onion-Solutions/securityonion-sostat that referenced this issue Nov 5, 2019
@dougburks dougburks moved this from In progress to In Testing in 16.04.6.3 Nov 6, 2019
@dougburks dougburks commented Nov 6, 2019

The following package is now available at ppa:securityonion/test:

securityonion-sostat - 20120722-0ubuntu0securityonion135

Please test as follows:

  • install the latest ISO image in a VM
  • run Setup choosing Production Mode and then Suricata
  • if possible, create a snapshot of the VM
  • add the test PPA:
    sudo add-apt-repository -y ppa:securityonion/test
  • install updates:
    sudo soup
  • run sostat and verify that the Suricata section shows 0 loss:
    sudo sostat
  • create some Suricata drops by sending lots of traffic
  • run sostat again and verify that the Suricata section now shows loss as a percentage:
    sudo sostat
  • verify no regressions
  • anything else we missed?

Thanks in advance for your time and effort!

@weslambert weslambert commented Nov 23, 2019

After testing, it appears that we won't always get a consistent result only searching for the last 50 lines of output from stats.log. We should consider increasing to something like 100 to ensure we get through at least the last set of stats.

Ref:
https://github.com/Security-Onion-Solutions/securityonion-sostat/blob/master/bin/sostat#L207-L210

@dougburks dougburks commented Nov 23, 2019

OK, I've updated the code so that it now grabs the latest Suricata stats update in its entirety:
Security-Onion-Solutions/securityonion-sostat@4fbc516

securityonion-sostat - 20120722-0ubuntu0securityonion136 is now available for testing at ppa:securityonion/test.
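
An added example, not the sostat project's code, of the approach settled on above: take the last complete stats dump rather than a fixed number of trailing lines, and refuse to divide when the sensor reports no captured packets. It assumes the stats.log row layout "counter | TM Name | value" with a single-token TM Name such as Total (so the value is field 5, as the original awk also assumes); the sample log is constructed.

```shell
#!/bin/sh
# Added example, not the sostat project's code: read the LAST complete stats
# block of a Suricata stats.log instead of a fixed number of trailing lines.
# Assumes the stats.log layout "counter | TM Name | value" with a single-token
# TM Name (e.g. "Total"), so the value is field 5, as sostat's awk also assumes.

suri_loss_pct() {
    # Reads a stats.log from the file given as $1 (or stdin). Prints the loss
    # percentage with two decimals, or "n/a" when the last block reports no
    # (or zero) kernel_packets, so a sensor that never captured cannot divide by zero.
    awk '
        # Every dump starts with a "Date:" header: reset so only the final block remains at END.
        /^Date:/ { pkts = ""; drops = "" }
        # First match per block, like the original grep -m1.
        $1 == "capture.kernel_packets" && pkts == ""  { pkts = $5 }
        $1 == "capture.kernel_drops"   && drops == "" { drops = $5 }
        END {
            if (pkts == "" || pkts + 0 == 0) { print "n/a"; exit }
            if (drops == "") drops = 0
            printf "%.2f\n", drops * 100 / pkts
        }
    ' "$@"
}

# Constructed sample log with two dumps. Only the second one should count,
# and a fixed "tail -n 50" could easily straddle both.
sample_stats_log() {
    cat <<'EOF'
--------------------------------------------------------------------
Date: 11/23/2019 -- 14:02:51 (uptime: 0d, 00h 05m 12s)
--------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 100000
capture.kernel_drops                       | Total                     | 0
--------------------------------------------------------------------
Date: 11/23/2019 -- 14:03:51 (uptime: 0d, 00h 06m 12s)
--------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 200000
capture.kernel_drops                       | Total                     | 1500
EOF
}

# Same loop shape as sostat, but skipping sensors whose log is absent.
report_all_sensors() {
    for f in /nsm/sensor_data/*/stats.log; do
        [ -f "$f" ] || continue
        printf '%s: %s%% loss\n' "$f" "$(suri_loss_pct "$f")"
    done
}
report_all_sensors
```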

@weslambert weslambert commented Nov 23, 2019

Just tested the updated package. Looks good 👍 !

@dougburks dougburks moved this from In Testing to Tested in 16.04.6.3 Nov 23, 2019
@dougburks dougburks closed this Nov 26, 2019
16.04.6.3 automation moved this from Tested to Done Nov 26, 2019