From bb1ee0ead5d32a6eb29ffcb5d2c712102b1d5eeb Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 29 Nov 2018 11:35:14 -0500
Subject: [PATCH] Telegraf - Fix Suri script so it requires 2 drops in a row

---
 salt/common/telegraf/scripts/suriloss.sh | 24 +++++++++++++++---------
 salt/common/tools/brostatus.sh | 0
 salt/suricata/files/suricata.yaml | 2 +-
 3 files changed, 16 insertions(+), 10 deletions(-)
 create mode 100644 salt/common/tools/brostatus.sh

diff --git a/salt/common/telegraf/scripts/suriloss.sh b/salt/common/telegraf/scripts/suriloss.sh
index 4cd363253..1445b9e87 100644
--- a/salt/common/telegraf/scripts/suriloss.sh
+++ b/salt/common/telegraf/scripts/suriloss.sh
@@ -1,15 +1,21 @@
 #!/bin/bash
 SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4)
-declare RESULT=($SURILOG)
+CHECKIT=$(echo $SURILOG | grep drop | wc -l)
-CURRENTDROP=${RESULT[4]}
-PASTDROP=${RESULT[14]}
-DROPPED=$(($CURRENTDROP - $PASTDROP))
+if [ $CHECKIT == 2 ]; then
+ declare RESULT=($SURILOG)
-CURRENTPACKETS=${RESULT[9]}
-PASTPACKETS=${RESULT[19]}
-TOTAL=$(($CURRENTPACKETS - $PASTPACKETS))
+ CURRENTDROP=${RESULT[4]}
+ PASTDROP=${RESULT[14]}
+ DROPPED=$(($CURRENTDROP - $PASTDROP))
-LOSS=$(echo $DROPPED $TOTAL / p | dc)
-echo "suridrop drop=$LOSS"
+ CURRENTPACKETS=${RESULT[9]}
+ PASTPACKETS=${RESULT[19]}
+ TOTAL=$(($CURRENTPACKETS - $PASTPACKETS))
+
+ LOSS=$(echo $DROPPED $TOTAL / p | dc)
+ echo "suridrop drop=$LOSS"
+else
+ echo "suridrop drop=0"
+fi
diff --git a/salt/common/tools/brostatus.sh b/salt/common/tools/brostatus.sh
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml
index 6bbcc59ed..5477245b2 100644
--- a/salt/suricata/files/suricata.yaml
+++ b/salt/suricata/files/suricata.yaml
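Review bot: `CHECKIT=$(echo $SURILOG | grep drop | wc -l)` can never reach 2, so the new guard is effectively always false and the script will always emit `suridrop drop=0`: the unquoted `$SURILOG` is word-split on newlines, `echo` joins the four log lines into one line, and `grep drop | wc -l` on a single line yields 0 or 1. Quoting keeps the lines separate and `grep -c` counts matches directly: `CHECKIT=$(printf '%s\n' "$SURILOG" | grep -c drop)`, with the test written as `if [ "$CHECKIT" -eq 2 ]; then`. Separately, `dc` divides at precision 0 by default, so `$DROPPED $TOTAL / p` truncates every ratio below 1 to 0; setting a scale first, e.g. `LOSS=$(echo "4 k $DROPPED $TOTAL / p" | dc)`, or computing `$((DROPPED * 100 / TOTAL))` if a percentage is intended, would make the metric meaningful. A `TOTAL` of 0 also still produces an empty `drop=` value because dc reports the divide-by-zero on stderr and prints nothing, which the guard does not cover.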
@@ -77,7 +77,7 @@ stats:
 enabled: yes
 # The interval field (in seconds) controls at what interval
 # the loggers are invoked.
- interval: 8
+ interval: 30
 # Configure the type of alert (and other) logging you would like.
 outputs:
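Review bot: Raising `interval` to 30 changes the window that `salt/common/telegraf/scripts/suriloss.sh` measures, because that script derives its drop figure from only the two most recent stats blocks (`head -4` of the kernel lines), so each `suridrop` sample now covers a 30-second delta. If the telegraf exec interval that runs the script is shorter than 30 seconds (that configuration is not in this diff), consecutive samples will repeat the same delta, and if it is longer, intermediate deltas are never reported. A comment beside the value would record the coupling, e.g. `# keep aligned with the telegraf exec interval for suriloss.sh, which reads only the last two stats blocks`.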