A few days ago I found that netstat call ate a lot of CPU time on my Amazon
EC2 instances. After some research it turned out that the rootcheck port
checking is not optimal:
netstat -an | grep \"^%s\" | " \
> "grep \"[^0-9]%d \" > /dev/null 2>&1
So here is a small patch with a minor optimization (CPU time is expected to drop
by about half).
--- ossec-hids-2.7/src/rootcheck/check_rc_ports.c.orig 2012-11-08 21:24:55.000000000 -0500
+++ ossec-hids-2.7/src/rootcheck/check_rc_ports.c 2013-02-06 07:22:52.000000000 -0500
@@ -32,11 +32,19 @@
"cut -d ':' -f 2 | cut -d ' ' -f 1"
#define NETSTAT "netstat -an | grep \"^%s\" | " \
"grep \"[^0-9]%d \" > /dev/null 2>&1"
+#define NETSTAT_TCP "netstat -ant | " \
+ "grep \"[^0-9]%d \" > /dev/null 2>&1"
+#define NETSTAT_UDP "netstat -anu | " \
+ "grep \"[^0-9]%d \" > /dev/null 2>&1"
#endif
#ifndef NETSTAT
#define NETSTAT "netstat -an | grep \"^%s\" | " \
"grep \"[^0-9]%d \" > /dev/null 2>&1"
+#define NETSTAT_TCP "netstat -ant | " \
+ "grep \"[^0-9]%d \" > /dev/null 2>&1"
+#define NETSTAT_UDP "netstat -anu | " \
+ "grep \"[^0-9]%d \" > /dev/null 2>&1"
#endif
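Review bot: NETSTAT_TCP and NETSTAT_UDP in the fallback block are defined only under `#ifndef NETSTAT`, so any platform branch that already defines NETSTAT without them would leave both undefined and break the `snprintf` calls in the second hunk; give them their own guard, `#ifndef NETSTAT_TCP`. The conditional block closed by the first `#endif` starts above this hunk, so whether such a branch exists is not visible here. The fallback also assumes `-t`/`-u`, which not every netstat implementation accepts. Because the command ends in `> /dev/null 2>&1`, an option error looks the same as "port not listed", and if the caller compares this result with a bind test (not shown here) that would likely surface as false hidden-port alerts. Keeping the generic fallback on `netstat -an | grep \"^tcp\"` / `grep \"^udp\"` and using the flag variants only in the platform-specific block avoids both problems.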
@@ -46,9 +54,9 @@
char nt[OS_SIZE_1024 +1];
if(proto == IPPROTO_TCP)
- snprintf(nt, OS_SIZE_1024, NETSTAT, "tcp", port);
+ snprintf(nt, OS_SIZE_1024, NETSTAT_TCP, port);
else if(proto == IPPROTO_UDP)
- snprintf(nt, OS_SIZE_1024, NETSTAT, "udp", port);
+ snprintf(nt, OS_SIZE_1024, NETSTAT_UDP, port);
else
{
merror("%s: Netstat error (wrong protocol)", ARGV0);
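Review bot: Nothing at these two `snprintf` calls records that the protocol filter now lives in the netstat flags instead of a `grep "^tcp"` stage, and NETSTAT no longer has a caller in the visible code. A short comment above the `if`, such as `/* protocol is selected by netstat -t/-u; only the integer port is formatted into the command */`, would document that. It would also make explicit that the string, which is presumably handed to a shell, must stay limited to a `%d` substitution. The function begins and ends outside this hunk, so how `nt` is executed is not visible here.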