Snort mailing list archives
Snort IP Flow monitoring - Patch for writing to a file
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Wed, 5 Dec 2012 10:44:01 +0530
Hi,

I am using Snort-2.9.3.1. I tried to enable ip-flow monitoring with the write to file option using the configuration

    preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv flow-ip-memcap 10000000000 time 300

It worked but there was a slight problem - the IP flow statistics were computed, but written to the file only at the end of snort execution (at Snort exit).

Upon inspection of the source code, the file src/preprocessors/perf-flow.c did not have an fflush() call in the definition of the function 'static int WriteFlowIPStats(SFFLOW *sfFlow, FILE *fp)'. I added an fflush(fp) at line 774 and recompiled snort. The flow IP monitoring is now working fine (output is correctly flushed to a file at end of specified interval).

I have enclosed a patch with this mail which can be applied using

    $ cd snort-2.9.3.1

Once you are inside the extracted snort folder

    $ patch -p5 < snort_ip_flow.patch

I hope subsequent versions of snort will resolve this issue.

Regards,
Dheeraj
Attachment:
snort_ip_flow.patch
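The buffering behaviour described in the message above, as an added example that is not part of the original post and is not Snort's source code: a fully buffered stdio stream holds a short CSV row in memory, so anything reading the file (tail, a log shipper, a monitoring job) sees nothing until fflush() or fclose(). The function names, the temporary path and the sample row are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Size of the file as another process reading it would see it. */
static long on_disk_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Hypothetical stand-in for a periodic stats writer (not Snort's code). */
static int write_flow_row(FILE *fp, int flush)
{
    /* Constructed sample row: src, dst, packets, bytes */
    int n = fprintf(fp, "192.0.2.10,198.51.100.7,42,31337\n");
    if (n < 0)
        return -1;
    if (flush && fflush(fp) != 0)   /* push the stdio buffer to the kernel */
        return -1;
    return n;
}

/* Bytes visible on disk right after one interval's write, or -1 on error. */
long visible_after_write(int flush)
{
    char path[] = "/tmp/ipflow_demo_XXXXXX";   /* constructed temp path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); unlink(path); return -1; }
    setvbuf(fp, NULL, _IOFBF, 4096);           /* full buffering, as for regular files */
    long seen = -1;
    if (write_flow_row(fp, flush) >= 0)
        seen = on_disk_size(path);             /* checked before fclose() flushes */
    fclose(fp);
    unlink(path);
    return seen;
}

int main(void)
{
    printf("without fflush: %ld bytes visible\n", visible_after_write(0));
    printf("with fflush:    %ld bytes visible\n", visible_after_write(1));
    return 0;
}
```

The same check (compare the file size on disk with what the process has written) is a quick way to confirm whether a sensor's periodic output is actually reaching downstream collectors between intervals.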