Re: Snort Performance Stats

[Mike Lococo <mike.lococo () NYU EDU>]

> Does anyone know of a good tool that can be used to generate graphical
> outputs of snorts statistics file. I’m not talking about the “alerts”
> file but the file used to report snorts overall stats when you enable the:
>
> preprocessor perfmonitor: time 300 file /etc/snort/stats/snort.stats
> pktcnt 10000
>
> I want to be able to create graphical stats on this file similar to what
> “snortalog” does for the alerts file.

We use Zabbix for all of our system monitoring and graphing, and are 
generally happy with it.  In order to monitor snort stats, you need a 
"user-parameter" that executes a tail -n1 (to get the most recent line) 
piped into an awk (to print a particular column).  The syntax is a 
little funny because both Zabbix user-params and awk use '$' as a 
special character, but it's not too bad and once you've got it sorted 
out you can re-use the pattern on pretty much any numeric logfile.

The initial setup for Zabbix is non-trivial, but as system-monitoring 
systems go I think it has a relatively gentle learning curve.  Once 
you're past the deployment hump, though, you'll pretty much never ask 
"how do I collect/process status data for X" again.

Cheers,
Mike Lococo