I'm using monit 5.11 to monitor the network with:
check network eth0 with interface eth0 if total download > 1 GB in last 2 hours then alert
Just after 1:00 in the morning I get e-mails alerting me that the threshold was passed, but this does not make any sense for that server, given that the total network counts are below that. Looking at the monit source code, I think this is a bug in libmonit/src/system/NetStatistics.c in _deltaHour, where the download rate over the last 2 hours is calculated:
int delta = stop - count; int start = delta < 0 ? 24 + delta + 1 : delta; return data->hour[start] > -1LL ? data->hour[stop] - data->hour[start] : 0LL;
Here: count=2, stop is the current hour, stop=1. So delta=-1 and start = 24. But start is used as index in data->hour, which is an array of size 24. So this is a out-of-bounds access, which in my case evaluates to some large value triggering the alert.
The code should be changed to:
int start = delta < 0 ? 24 + delta : delta;
A similar problem affects _deltaMinute.