Snort mailing list archives
Re: Alert payloads not matching alert rules
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 27 Nov 2006 16:10:17 -0500
-----Original Message-----
Subject: Re: [Snort-users] Alert payloads not matching alert rules

For Joel's question: is there any reliable way to know how much traffic is dropped? Does this information appear in the output of the "performance" preprocessor?
You can send a USR1 signal to each of the Snort processes and Snort will dump stats to syslog, including a dropped packet percentage.*

The way I collect this data is I have a very simple script that runs hourly. Each snort.conf file for each instance of snort specifies the pidfile by interface (snort_eth1.pid, snort_eth2.pid, etc.). This comes in handy for creating a history of packet loss by interface. It's not pretty, but it's short:

    #!/bin/sh
    # Poll each Snort instance for its packet-drop statistics (run hourly from cron).
    for iface in eth1 eth2 eth3
    do
        pid=`cat /var/run/snort_$iface.pid`
        # SIGUSR1 makes Snort dump its counters to syslog
        kill -USR1 $pid
        # give syslog a moment to write the line before reading it back
        sleep 1
        # match the exact process; keep only the newest line so the file does not
        # re-accumulate every earlier sample on each run. ${iface} needs the braces:
        # $iface_drops would be read as an (empty) variable named iface_drops.
        grep Dropped /var/log/messages | grep "snort\[$pid\]" | tail -1 >> /var/log/snort/${iface}_drops.txt
    done

The file looks something like:

    Nov 27 00:00:01 petunia snort[14664]: Dropped: 0(0.000%)
    Nov 27 00:01:02 petunia snort[14664]: Dropped: 3599(11.267%)

BTW, if you discover a solution to your problem, please post back to the list with details. It sounds like there are a number of people with very similar configurations that are interested to hear what you find out.

PaulM

* This has been unreliable for me in the past using RedHat libpcap on RHEL4. Snort will massively underestimate the number of packets it actually analyzed, skewing statistics wildly. This is very obvious when it's the case - statistics will often be mathematically impossible with percentages in the tens of thousands. YMMV.
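One way to turn the per-interface drop files that the script above accumulates into something checkable, as an added example that is not part of the original post or of Snort itself: it parses the syslog lines Snort writes after SIGUSR1, builds a per-process summary, flags samples at or above a loss threshold, and sets aside the mathematically impossible percentages (over 100%) described in the footnote so they do not skew the history. The log lines are constructed for the example (the sshd line shows that non-matching lines are ignored), and the 5% loss threshold is an assumed operational value.

```python
import re
from dataclasses import dataclass

# Matches the syslog line Snort writes after SIGUSR1, e.g.
#   Nov 27 00:01:02 petunia snort[14664]: Dropped: 3599(11.267%)
DROP_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[(?P<pid>\d+)\]: '
    r'Dropped: (?P<count>\d+)\((?P<pct>\d+\.\d+)%\)'
)


@dataclass
class DropSample:
    ts: str
    pid: int
    dropped: int
    pct: float


def parse_drop_lines(lines):
    """Return a DropSample for every syslog line that matches; ignore the rest."""
    samples = []
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            samples.append(DropSample(m['ts'], int(m['pid']),
                                      int(m['count']), float(m['pct'])))
    return samples


def classify(sample, loss_threshold=5.0):
    """'bogus' for impossible counters, 'loss' above the threshold, else 'ok'."""
    if sample.pct > 100.0:
        # A drop percentage over 100% means the analyzed-packet counter is wrong
        # (the libpcap underestimate from the footnote); do not trust this sample.
        return 'bogus'
    if sample.pct >= loss_threshold:
        return 'loss'
    return 'ok'


def summarize(lines, loss_threshold=5.0):
    """Per-pid summary: sample count, worst valid loss %, loss events, bogus samples."""
    out = {}
    for s in parse_drop_lines(lines):
        entry = out.setdefault(
            s.pid, {'samples': 0, 'max_pct': 0.0, 'bogus': 0, 'loss_events': 0})
        entry['samples'] += 1
        kind = classify(s, loss_threshold)
        if kind == 'bogus':
            entry['bogus'] += 1
            continue  # excluded from max_pct so it cannot mask or inflate real loss
        entry['max_pct'] = max(entry['max_pct'], s.pct)
        if kind == 'loss':
            entry['loss_events'] += 1
    return out


# Constructed sample of what the drop files (or /var/log/messages) contain.
SAMPLE_LOG = """\
Nov 27 00:00:01 petunia snort[14664]: Dropped: 0(0.000%)
Nov 27 00:01:02 petunia snort[14664]: Dropped: 3599(11.267%)
Nov 27 00:01:02 petunia snort[14665]: Dropped: 12(0.040%)
Nov 27 00:02:02 petunia snort[14665]: Dropped: 987654(31250.000%)
Nov 27 00:02:03 petunia sshd[2211]: Accepted publickey for ops from 10.0.0.5
"""

if __name__ == '__main__':
    for pid, stats in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(pid, stats)
```

Pointing `summarize()` at the real per-interface files from the script gives a quick "worst loss seen this day per sensor" view, and a non-zero `bogus` count is the signal that the counters from that Snort build cannot be trusted at all, which is the situation the footnote warns about.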
Current thread:
- Alert payloads not matching alert rules spagno_f (Nov 21)
- Re: Alert payloads not matching alert rules Joel Esler (Nov 22)
- <Possible follow-ups>
- Re: Alert payloads not matching alert rules spagno_f (Nov 22)
- Re: Alert payloads not matching alert rules Joel Esler (Nov 22)
- Re: Alert payloads not matching alert rules Jason Haar (Nov 22)
- Re: Alert payloads not matching alert rules Joel Esler (Nov 27)
- Re: Alert payloads not matching alert rules Marc Norton (Nov 22)
- Re: Alert payloads not matching alert rules Joel Esler (Nov 22)
- Re: Alert payloads not matching alert rules spagno_f (Nov 23)
- Re: Alert payloads not matching alert rules Joel Esler (Nov 27)
- Re: Alert payloads not matching alert rules Paul Melson (Nov 27)