Snort mailing list archives
Re: statistics that Snort can do
From: Terence Runge <terencerunge () sbcglobal net>
Date: Tue, 17 Jun 2003 00:11:59 -0700
I had this saved with an older config, written originally by Sandro Poppi. I haven't tried this since 1.8.x, but it's worth a look.
#!/bin/bash
# Script to generate and extract snort statistics from syslog or given file
# generated after kill -USR1 <snort-pid>
#
# This script assumes that the pid is logged into the logfile!
# This can be obtained using the following line in snort.conf:
# output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
#
# (c) Sandro Poppi 2001
# Released under GPL

echo "Starting gathering snort internal statistics. Please be patient..."

if [ "$1." == "." -o ! -e "$1" ] ; then
  # no or nonexistent file given, using default
  log_file="/var/log/messages"
else
  # when using non-standard logfile location make sure snort uses this logfile
  # when sending signal USR1 else this script won't work!
  log_file="$1"
fi

# find out snort pids
snort_pid=`/sbin/pidof snort`

# get internal statistics for all snort processes
# not using killall to get already sorted output
for i in $snort_pid ; do
  kill -USR1 $i
  # sleep for 2 secs to give snort time to send statistics to syslog ;)
  sleep 2
done

# immediately restart snort after sending signal USR1
# this may be omitted when using CVS version of snort after about 01.11.2001
# or any version from 1.8.2 or higher
/etc/rc.d/init.d/snortd restart

for i in $snort_pid ; do
  # process logfile
  filename=/var/log/snort/archive/snort.`date "+%Y-%m-%d"`.$i.log
  # check for existing file and rename it if existing
  if [ -e "$filename" ] ; then
    mv "$filename" "$filename.bak"
  fi
  egrep "snort\[$i\]:" "$log_file" > "$filename"

  # check if there are dropped packets using lines like
  # Oct 22 18:02:06 xbgh17183 snort[573]: dropping 0(0.000%) packets
  # Splitting on space and "(" puts the dropped-packet count in field 7.
  # A logfile may contain several statistics dumps for the same pid, so warn
  # if any of them reports a non-zero count (grep -v exits 1 on no input, so
  # an empty result is handled too).
  if egrep "dropping" "$filename" | awk -F "[ (]" '{ print $7 }' | grep -qv '^0$' ; then
    echo "Snort's dropping packets!!! Take a look at the configuration and/or the system's performance!!!"
  fi
done

echo "Gathering snort internal statistics finished..."

Kreimendahl, Chad J wrote:
Of note... you appear to only be able to -USR1 a snort 1 time... it dies the second time you -USR1 it. (my experience... on solaris...)

There's also a semi-undocumented way to dump stats (perfstats) at selected intervals... I believe there is info in the snort.conf file about this.

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Monday, June 16, 2003 2:34 PM
To: Francesco
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] statistics that Snort can do

On Mon, 16 Jun 2003, Francesco wrote:

If and when you exit Snort, you can get a statistics report of some significance. The point is you only get them (including the package drop rate) when you exit! I suppose it would be good if the user could monitor these data anytime. I looked at the command line but I find no option available for this purpose. Am I wrong? Any idea how to do that? Please do not say use Acid or something else.. I'd like to know if we can get this info straight from Snort. At first.

kill -USR1 <snort_pid>

Will dump them into syslog.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.NET email is sponsored by: eBay
Great deals on office technology -- on eBay now! Click here: http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
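The thread's answer to Francesco's question is "kill -USR1 the snort pid and read the dump out of syslog", and Sandro Poppi's script turns the "dropping N(P%) packets" line of that dump into a warning. As an added example (editor's code, not from the thread, from Snort, or from Sandro Poppi's script), the following POSIX shell/awk checker does the same parse over a syslog excerpt that holds several snort processes and several dumps per process, so a sensor that ran clean at first and started dropping later is still caught. The log lines are constructed for the example; the line format follows the sample quoted in the script's comment ("snort[573]: dropping 0(0.000%) packets"), and lines from other daemons that happen to contain the word "dropping" are ignored. Function names, the hostname and the pids are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread: summarise the packet-drop
# counters that Snort writes to syslog after SIGUSR1, per snort pid.

# Constructed sample syslog excerpt (hostname, pids and counts are made up).
# Two snort processes dump statistics twice; the second one drops packets
# on its second dump, and an unrelated sshd line also says "dropping".
SAMPLE_LOG='Oct 22 18:02:06 sensor1 snort[573]: dropping 0(0.000%) packets
Oct 22 18:02:06 sensor1 snort[573]: Snort received signal 30, dumping stats
Oct 22 18:02:08 sensor1 snort[574]: dropping 0(0.000%) packets
Oct 22 18:12:06 sensor1 snort[573]: dropping 0(0.000%) packets
Oct 22 18:12:08 sensor1 snort[574]: dropping 1273(2.345%) packets
Oct 22 18:12:09 sensor1 sshd[812]: dropping connection from 10.0.0.5'

# snort_drop_stats [LOGFILE]
# Reads LOGFILE (or stdin) and prints one "PID TOTAL_DROPPED MAX_PERCENT"
# line per snort pid, sorted by pid. Only "snort[PID]: dropping N(P%) packets"
# lines are considered; everything else is skipped.
snort_drop_stats() {
    awk '
        match($0, /snort\[[0-9]+\]: dropping [0-9]+\([0-9.]+%\) packets/) {
            s = substr($0, RSTART, RLENGTH)
            pid = s; sub(/^snort\[/, "", pid); sub(/\].*/, "", pid)   # 573
            n = s;   sub(/.*dropping /, "", n); sub(/\(.*/, "", n)    # 1273
            p = s;   sub(/.*\(/, "", p);        sub(/%\).*/, "", p)   # 2.345
            total[pid] += n
            if (!(pid in maxp) || p + 0 > maxp[pid] + 0) maxp[pid] = p
        }
        END { for (pid in total) printf "%s %d %s\n", pid, total[pid], maxp[pid] }
    ' "${1:-/dev/stdin}" | sort -n
}

# snort_dropped_pids [LOGFILE]
# Prints the pids that dropped at least one packet. Exit status 0 if any pid
# did, 1 otherwise, so a cron job can turn it straight into an alert.
snort_dropped_pids() {
    snort_drop_stats "$1" | awk '$2 > 0 { print $1; found = 1 } END { exit !found }'
}

# Stand-alone run over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | snort_drop_stats
    if pids=$(printf '%s\n' "$SAMPLE_LOG" | snort_dropped_pids); then
        echo "Snort's dropping packets on pid(s):" $pids
    fi
}

demo
```

On a real sensor you would call `snort_drop_stats /var/log/messages` (or whatever file the `output alert_syslog` line in snort.conf ends up in) after sending SIGUSR1 and waiting a couple of seconds, exactly as the script above does; the `LOG_PID` option is what puts the `snort[PID]:` prefix on the line that the awk match relies on.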
Current thread:
- statistics that Snort can do Francesco (Jun 16)
- Re: statistics that Snort can do Brian (Jun 16)
- Re: statistics that Snort can do Erek Adams (Jun 16)
- <Possible follow-ups>
- RE: statistics that Snort can do Kreimendahl, Chad J (Jun 16)
- Re: statistics that Snort can do Terence Runge (Jun 17)