Snort mailing list archives
(no subject)
From: "Chris Eidem" <jceidem () dexma com>
Date: Wed, 3 Apr 2002 15:01:45 -0600
Hey y'all,

I've got a script that I use to roll over my snort logs that runs a kill -USR1 to get stats off of the interface before I kill it and start it again. It works as advertised (sorta). The problem I have is that I'll get something like this once in a while:

Mar 25 00:45:01 cubanelle snort: ===================================================
Mar 25 00:45:01 cubanelle snort: Snort analyzed 3841947 out of 3842657 packets,
Mar 25 00:45:01 cubanelle snort: dropping 710(0.018%) packets
Mar 25 00:45:01 cubanelle snort: Breakdown by protocol: Action Stats:
Mar 25 00:45:01 cubanelle snort: ===================================================
Mar 25 00:45:01 cubanelle snort: Snort analyzed 3841947 out of 3842657 packets,
Mar 25 00:45:01 cubanelle snort: dropping 710(0.018%) packets
Mar 25 00:45:01 cubanelle snort: Breakdown by protocol: Action Stats:
Mar 25 00:45:01 cubanelle snort: TCP: 3376791 (87.876%) ALERTS: 4386
Mar 25 00:45:01 cubanelle snort: UDP: 227845 (5.929%) LOGGED: 1504
Mar 25 00:45:01 cubanelle snort: ICMP: 24877 (0.647%) PASSED: 2663
Mar 25 00:45:01 cubanelle snort: ARP: 3193 (0.083%)
Mar 25 00:45:01 cubanelle snort: IPv6: 0 (0.000%)
Mar 25 00:45:01 cubanelle snort: IPX: 0 (0.000%)
Mar 25 00:45:01 cubanelle snort: OTHER: 208496 (5.426%)
Mar 25 00:45:01 cubanelle snort: DISCARD: 0 (0.000%)
Mar 25 00:45:01 cubanelle snort: ===================================================

Now, I run the kill -USR1 just before I run a kill on the process. Is this something that would be cured with a sleep between the calls, or is this caused by something else? I don't get a whole lot of syslogging going on, so I don't believe that the syslogd is overwhelmed (perhaps it's just whelmed...)

tia - chris

Chris Eidem                 Dexma, Inc.
Network Administrator       7701 York Av. S.
Phone: 952.229.1311         Edina, MN 55435
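
An added example, not part of the original post: a small Python parser for the statistics block quoted in the message above. It returns the complete blocks and counts headers that start over before their block has been closed, as the first four quoted lines do. The function name, field names and the abridged sample are assumptions made for the example.

```python
import re

MSG = re.compile(r"snort(?:\[\d+\])?: (.*)")   # strip the syslog prefix
SEP = re.compile(r"={10,}")
ANALYZED = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROPPED = re.compile(r"dropping (\d+)\(")
PROTO = re.compile(r"^(\w+): +(\d+) +\(")
ACTION = re.compile(r"(ALERTS|LOGGED|PASSED): +(\d+)")

# Constructed sample: an abridged copy of the syslog lines quoted in the post.
P = "Mar 25 00:45:01 cubanelle snort: "
HEADER = [P + "=" * 51,
          P + "Snort analyzed 3841947 out of 3842657 packets,",
          P + "dropping 710(0.018%) packets",
          P + "Breakdown by protocol: Action Stats:"]
SAMPLE = HEADER + HEADER + [
    P + "TCP: 3376791 (87.876%) ALERTS: 4386",
    P + "UDP: 227845 (5.929%) LOGGED: 1504",
    P + "ICMP: 24877 (0.647%) PASSED: 2663",
    P + "=" * 51]

def parse_stats(lines):
    """Return (blocks, restarts): the complete statistics blocks, and how many
    times a header started over before its block had been closed."""
    blocks, cur, restarts = [], None, 0
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if SEP.fullmatch(msg):
            if cur is None or "analyzed" not in cur:
                cur = {"protocols": {}, "actions": {}}   # opening separator
            elif cur["protocols"]:
                blocks.append(cur)                        # closing separator
                cur = None
            else:
                restarts += 1                             # header repeated
                cur = {"protocols": {}, "actions": {}}
            continue
        if cur is None:
            continue
        if (m := ANALYZED.search(msg)):
            cur["analyzed"], cur["received"] = int(m[1]), int(m[2])
        elif (m := DROPPED.search(msg)):
            cur["dropped"] = int(m[1])
        else:
            if (p := PROTO.match(msg)):
                cur["protocols"][p[1]] = int(p[2])
            if (a := ACTION.search(msg)):
                cur["actions"][a[1]] = int(a[2])
    return blocks, restarts
```

A block that never reaches its closing separator is not returned, so a rotation script can use the result to tell whether the statistics were fully written.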