[Oisf-users] New init.d switch

Yasha Zislin coolyasha at hotmail.com
Wed Nov 26 14:52:13 UTC 2014


Not sure if anybody would want this, but I figured I'll share it at least. I wrote a little additional switch for the init.d Suricata script which shows live packet stats, including the Suricata start date/time, total packets captured since the last start, total packets captured in the last minute, total packet loss since start, packet loss % since the last start, total alerts since the last start and alerts in the past minute.
For this to work, /var/log/suricata.log and /var/log/suricata/stats.log need to exist. Stats.log logging needs to be configured to run once a minute. If another value is used, the script would have to be adjusted.
I have not tested it with packet capture methods other than PF_RING, but I think it should work.
Besides these requirements, the script will automatically figure out how many threads you are using and whether you have a second interface that you are monitoring on the same sensor. For the stats to be correct, you need to wait 2 minutes after Suricata starts so it gathers enough data.
I use it all the time to monitor for packet loss or network outage.
    packets)
        # Capture threads per interface, taken from the "packet processing threads" line in suricata.log
        myThreads=$(grep "packet processing threads" /var/log/suricata.log | grep -Eo "[0-9]{1,2} packet" | cut -d' ' -f 1 | awk '{print $1 / 2}')
        # Number of monitored interfaces: one "Adding interface" line per interface in suricata.log
        myNumInt=$(grep -c "Adding interface" /var/log/suricata.log)
        # Size of one stats.log dump (52 lines per thread per interface plus 12 header lines) and of two dumps;
        # these constants match the stats.log layout this script was written against
        myLines=$((myThreads * myNumInt * 52 + 12))
        myLines2=$((myLines * 2))
        # Suricata start time: timestamp of the first line in suricata.log
        mySuriStart=$(head -n 1 /var/log/suricata.log | cut -d'<' -f 1)

        # First interface: its threads are the first $myThreads rows of each counter in a dump.
        # "tail -n $myLines" is the most recent dump, "tail -n $myLines2 | head -n $myLines" the one before it.
        # Column 3 of the "Counter | TM Name | Value" rows is summed; "+0" prints 0 instead of an empty string.
        myTotInt1=$(tail -n $myLines /var/log/suricata/stats.log | grep "capture.kernel_packets" | head -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
        myPrevTotInt1=$(tail -n $myLines2 /var/log/suricata/stats.log | head -n $myLines | grep "capture.kernel_packets" | head -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
        myLstInt1=$(tail -n $myLines /var/log/suricata/stats.log | grep "capture.kernel_drops" | head -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
        myAlertsInt1=$(tail -n $myLines /var/log/suricata/stats.log | grep "detect.alert" | head -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
        myPrevAlertsInt1=$(tail -n $myLines2 /var/log/suricata/stats.log | head -n $myLines | grep "detect.alert" | head -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
        # Loss percentage; guard against dividing by zero when no packets have been counted yet
        myLossInt1=$(awk -v a="$myLstInt1" -v b="$myTotInt1" 'BEGIN { if (b > 0) print ((a / b) * 100); else print 0 }')

        echo -e "====================================================="
        echo -e "Suricata has been started on $mySuriStart"
        echo -e "====================================================="
        echo -e ""
        echo -e "====================================================="
        echo -e "First Interface ($myThreads threads) Packet Info:"
        echo -e "Total Captured Packets: $(echo $myTotInt1 | xargs printf "%'.0f\n")"
        echo -e "Total Captured Packets in last minute: $(echo $((myTotInt1 - myPrevTotInt1)) | xargs printf "%'.0f\n")"
        echo -e "Total Lost Packets: $(echo $myLstInt1 | xargs printf "%'.0f\n")"
        echo -e "Packet Loss: $myLossInt1 %"
        echo -e "Alerts: $(echo $myAlertsInt1 | xargs printf "%'.0f\n")"
        echo -e "Alerts in past minute: $(echo $((myAlertsInt1 - myPrevAlertsInt1)) | xargs printf "%'.0f\n")"

        # Second interface, if present: its threads are the last $myThreads rows of each counter
        if [ "$myNumInt" = "2" ]
        then
                myTotInt2=$(tail -n $myLines /var/log/suricata/stats.log | grep "capture.kernel_packets" | tail -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
                myPrevTotInt2=$(tail -n $myLines2 /var/log/suricata/stats.log | head -n $myLines | grep "capture.kernel_packets" | tail -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
                myLstInt2=$(tail -n $myLines /var/log/suricata/stats.log | grep "capture.kernel_drops" | tail -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
                myAlertsInt2=$(tail -n $myLines /var/log/suricata/stats.log | grep "detect.alert" | tail -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
                myPrevAlertsInt2=$(tail -n $myLines2 /var/log/suricata/stats.log | head -n $myLines | grep "detect.alert" | tail -n $myThreads | awk -F '|' '{total = total + $3} END {print total + 0}')
                myLossInt2=$(awk -v a="$myLstInt2" -v b="$myTotInt2" 'BEGIN { if (b > 0) print ((a / b) * 100); else print 0 }')

                echo -e ""
                echo -e "===================================================="
                echo -e "Second Interface ($myThreads threads) Packet Info:"
                echo -e "Total Captured Packets: $(echo $myTotInt2 | xargs printf "%'.0f\n")"
                echo -e "Total Captured Packets in last minute: $(echo $((myTotInt2 - myPrevTotInt2)) | xargs printf "%'.0f\n")"
                echo -e "Total Lost Packets: $(echo $myLstInt2 | xargs printf "%'.0f\n")"
                echo -e "Packet Loss: $myLossInt2 %"
                echo -e "Alerts: $(echo $myAlertsInt2 | xargs printf "%'.0f\n")"
                echo -e "Alerts in past minute: $(echo $((myAlertsInt2 - myPrevAlertsInt2)) | xargs printf "%'.0f\n")"
                echo
        fi
        ;;
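As an added example (not part of the post or of Suricata), the same per-minute figures computed by parsing stats.log by its "Date:" dump headers instead of a fixed line count, so the number of threads and interfaces no longer has to be known in advance; the stats.log sample and the PF_RING thread names (RxPFReth11, RxPFReth21) are constructed, and a zero packet count is handled instead of dividing by zero:

```python
import re
# Constructed sample: two once-a-minute stats.log dumps, one PF_RING capture thread per interface.
SAMPLE_STATS_LOG = """\
Date: 11/26/2014 -- 14:50:00 (uptime: 0d, 00h 05m 00s)
capture.kernel_packets    | RxPFReth11                | 1000
capture.kernel_packets    | RxPFReth21                | 1500
capture.kernel_drops      | RxPFReth11                | 10
capture.kernel_drops      | RxPFReth21                | 15
detect.alert              | Detect1                   | 3
Date: 11/26/2014 -- 14:51:00 (uptime: 0d, 00h 06m 00s)
capture.kernel_packets    | RxPFReth11                | 1600
capture.kernel_packets    | RxPFReth21                | 2400
capture.kernel_drops      | RxPFReth11                | 20
capture.kernel_drops      | RxPFReth21                | 20
detect.alert              | Detect1                   | 5
"""
ROW_RE = re.compile(r"^\s*([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")  # counter | TM name | value

def parse_dumps(text):
    """One {counter: {tm_name: value}} dict per dump; a dump starts at its 'Date:' line."""
    dumps = []
    for line in text.splitlines():
        if line.startswith("Date:"):
            dumps.append({})
        elif dumps:
            m = ROW_RE.match(line)
            if m:
                dumps[-1].setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return dumps

def total(dump, counter, tm_prefix=""):
    """Sum a counter over the threads whose TM name starts with tm_prefix (one interface)."""
    return sum(v for tm, v in dump.get(counter, {}).items() if tm.startswith(tm_prefix))

def summarize(text, tm_prefix=""):
    """The figures the init.d switch prints, restricted to capture threads matching tm_prefix."""
    dumps = parse_dumps(text)
    if len(dumps) < 2:
        raise ValueError("need two dumps: wait two minutes after Suricata starts")
    cur, prev = dumps[-1], dumps[-2]
    pk = total(cur, "capture.kernel_packets", tm_prefix)
    dr = total(cur, "capture.kernel_drops", tm_prefix)
    return {
        "packets": pk,
        "packets_last_minute": pk - total(prev, "capture.kernel_packets", tm_prefix),
        "drops": dr,
        "loss_pct": round(100.0 * dr / pk, 2) if pk else 0.0,  # guard against divide-by-zero
        "alerts": total(cur, "detect.alert"),
        "alerts_last_minute": total(cur, "detect.alert") - total(prev, "detect.alert"),
    }
```

Passing tm_prefix="RxPFReth2" restricts the packet and drop figures to the second interface's threads, the way the post's script selects them with head/tail.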