From 6ea1a83afe9199c9337c508fff10b54d797d3063 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 11 Jan 2021 14:10:08 -0500
Subject: [PATCH 1/2] resolve some issues with the zeekloss script

https://github.com/Security-Onion-Solutions/securityonion/issues/2590
---
 salt/telegraf/scripts/zeekloss.sh | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh
index 9a64ef4dd..0cdef896c 100644
--- a/salt/telegraf/scripts/zeekloss.sh
+++ b/salt/telegraf/scripts/zeekloss.sh
@@ -29,15 +29,22 @@ echo $$ > $lf
 ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2)
 declare RESULT=($ZEEKLOG)
 CURRENTDROP=${RESULT[3]}
-PASTDROP=${RESULT[9]}
-DROPPED=$((CURRENTDROP - PASTDROP))
-if [ $DROPPED == 0 ]; then
+# zeek likely not running if this is true
+if [[ $CURRENTDROP == "rcvd:" ]]; then
+ CURRENTDROP=0
+ PASTDROP=0
+ DROPPED=0
+else
+ PASTDROP=${RESULT[9]}
+ DROPPED=$((CURRENTDROP - PASTDROP))
+fi
+if [[ "$DROPPED" -le 0 ]]; then
 LOSS=0
 echo "zeekdrop drop=0"
 else
 CURRENTPACKETS=${RESULT[5]}
 PASTPACKETS=${RESULT[11]}
 TOTAL=$((CURRENTPACKETS - PASTPACKETS))
- LOSS=$(echo $DROPPED $TOTAL / p | dc)
+ LOSS=$(echo 4k $DROPPED $TOTAL / p | dc)
 echo "zeekdrop drop=$LOSS"
-fi
+fi
\ No newline at end of file

From 225ed1c14a739325cb3754886d04007d86e0a54c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 12 Jan 2021 16:39:19 -0500
Subject: [PATCH 2/2] change suriloss and zeekloss to be more similar code style

---
 salt/telegraf/scripts/suriloss.sh | 10 +++++-----
 salt/telegraf/scripts/zeekloss.sh | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh
index 7ef8de2ee..9f8ad8cc6 100644
--- a/salt/telegraf/scripts/suriloss.sh
+++ b/salt/telegraf/scripts/suriloss.sh
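Review bot: The new guard `if [[ $CURRENTDROP == "rcvd:" ]]` recognises only one malformed shape of packetloss.log; any other non-numeric token landing in `${RESULT[3]}` or `${RESULT[9]}` (a truncated line, a different field layout) still reaches `$((CURRENTDROP - PASTDROP))`, where bash aborts with an arithmetic error and no `zeekdrop` line is emitted at all. Checking for numbers instead of one sentinel keeps the existing branch order and covers both cases: `if ! [[ "$CURRENTDROP" =~ ^[0-9]+$ && "${RESULT[9]}" =~ ^[0-9]+$ ]]; then`. The same hazard sits in the else branch: when CURRENTPACKETS equals PASTPACKETS, TOTAL is 0, `dc` reports a divide by zero on stderr and LOSS becomes whatever dc leaves on its stack rather than a loss ratio, so the new `-le 0` guard on DROPPED should be paired with an `if (( TOTAL > 0 ))` around the dc call that falls back to `LOSS=0`. The script's first 28 lines, including where `$lf` is set, are outside the hunk.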
@@ -33,20 +33,20 @@ if [ $CHECKIT == 2 ]; then CURRENTDROP=${RESULT[4]} PASTDROP=${RESULT[14]} - DROPPED=$(($CURRENTDROP - $PASTDROP)) + DROPPED=$((CURRENTDROP - PASTDROP)) if [ $DROPPED == 0 ]; then LOSS=0 echo "suridrop drop=0" else CURRENTPACKETS=${RESULT[9]} PASTPACKETS=${RESULT[19]} - TOTALCURRENT=$(($CURRENTPACKETS + $CURRENTDROP)) - TOTALPAST=$(($PASTPACKETS + $PASTDROP)) - TOTAL=$(($TOTALCURRENT - $TOTALPAST)) + TOTALCURRENT=$((CURRENTPACKETS + CURRENTDROP)) + TOTALPAST=$((PASTPACKETS + PASTDROP)) + TOTAL=$((TOTALCURRENT - TOTALPAST)) LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc) echo "suridrop drop=$LOSS" fi else echo "suridrop drop=0" -fi +fi \ No newline at end of file
diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh
index 0cdef896c..966de8e4d 100644
--- a/salt/telegraf/scripts/zeekloss.sh
+++ b/salt/telegraf/scripts/zeekloss.sh
@@ -45,6 +45,6 @@ else
 CURRENTPACKETS=${RESULT[5]}
 PASTPACKETS=${RESULT[11]}
 TOTAL=$((CURRENTPACKETS - PASTPACKETS))
- LOSS=$(echo 4k $DROPPED $TOTAL / p | dc)
+ LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc)
 echo "zeekdrop drop=$LOSS"
 fi
\ No newline at end of file
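Review bot: The new `DROPPED=$((CURRENTDROP - PASTDROP))` can go negative if the two counters ever go backwards (presumably after a Suricata restart), and the unchanged `if [ $DROPPED == 0 ]; then` right below it then takes the else branch and prints a negative `suridrop drop=` ratio. zeekloss.sh received `[[ "$DROPPED" -le 0 ]]` in the previous patch, so for the stated goal of aligning the two scripts this line should match it: `if [[ "$DROPPED" -le 0 ]]; then`. The enclosing `if [ $CHECKIT == 2 ]` block starts before the hunk, and the hunk header's line counts suggest two blank context lines were lost when this patch was flattened.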