Snort mailing list archives
Re: snort.stats key-value mapping (Solved)
From: Juan Jesus Prieto <jjprieto () redborder org>
Date: Tue, 14 Apr 2015 09:22:55 +0200
Hi Karolis,

What version of snort are you testing? I would like to check the source code for the perfmonitor preprocessor.

Regards.

On Mon, 13-04-2015 at 20:29 +0300, Karolis wrote:
Hi Juan,
I have found the root cause of the problem. Snort outputted
key-value pairs correctly all the time. It seems that the snort upgrade
changed the number of statistics monitored. I formed the array
exactly as you did, "head'ed" the keys and "tail'ed" the latest values,
that's why they do not correlate anymore. I will modify the script so
it reads keys from the end of the file to avoid such problems in the
future.
Karolis
On Mon, Apr 13, 2015 at 10:59 AM, Juan Jesus Prieto
<jjprieto () redborder org> wrote:
Hi Karolis,
Could you attach a stat file content example? Every key
should be accompanied by its corresponding value, one to
one.
Regards.
On Thu, 09-04-2015 at 19:46 +0300, Karolis wrote:
> Hi Juan,
>
>
> Thanks for the reply. I have got the same associative array, but can
> I rely on it?
> As I mentioned, there are 96 keys and 131 values in the
> snort.stats file.
> How do you know that the first 96 keys correspond to the first
> 96 values
> in a one-to-one relationship and only the last values miss
> keys?
> Can it be that there are gaps in key-value pairs, e.g. key 10
> corresponds to value 12?
>
>
> Karolis
>
>
>
>
>
> On Mon, Apr 6, 2015 at 11:14 AM, Juan Jesus Prieto
> <jjprieto () redborder org> wrote:
>
> Hi Karolis,
>
> The manual is out-of-date at this point. I use
> scripting to dynamically map these pairs. For
> example:
>
>
> # declare -A v; \
> keys=( $(head /var/log/snort/snort.stats -n2 | tail -n1 | sed 's/^#//' | tr ',' ' ') ); \
> count=0; \
> for n in $(tail /var/log/snort/snort.stats -n1 | tr ',' ' '); do \
> v[${keys[$count]}]=$n; \
> count=$(($count+1)); \
> done; \
> echo "stream5_mem_in_use: ${v['stream5_mem_in_use']}"; \
> echo "curr_tcp_sessions_established: ${v['curr_tcp_sessions_established']}"
> stream5_mem_in_use: 13950060
> curr_tcp_sessions_established: 5195
>
>
>
> This small script will map all key/value pairs into a hash
> (named 'v') and present the last values from the
> stats file (stream5_mem_in_use and
> curr_tcp_sessions_established in this example).
>
> Another option is to use my SNMP passthrough agent:
>
> https://github.com/redBorder/rb_snmp_pass
>
> You will need to adapt it for your case.
>
>
> On Tue, 31-03-2015 at 10:03 +0300, Karolis wrote:
>
> > Hi,
> >
> > I am trying to map the perfmonitor preprocessor's
> > statistics keys to values.
> >
> >
> > config:
> > preprocessor perfmonitor: time 300
> > file /nsm/sensor_data/"sensor-name"/snort.stats
> > pktcnt 10000
> >
> >
> >
> > snort manual states "There are over 100
> > individual statistics included. A header line is
> > output at startup and rollover that labels each
> > column." although only 75 keys are listed.
> >
> >
> > snort.stats file has 96 keys and 131 values.
> >
> >
> > How can I correctly map keys to values?
> >
> >
> > Karolis
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: snort.stats key-value mapping (Solved) Karolis (Apr 13)
- Re: snort.stats key-value mapping (Solved) Juan Jesus Prieto (Apr 14)
- Re: snort.stats key-value mapping (Solved) Karolis (Apr 14)
- Re: snort.stats key-value mapping (Solved) Juan Jesus Prieto (Apr 14)
- Re: snort.stats key-value mapping (Solved) Karolis (Apr 14)
- Re: snort.stats key-value mapping (Solved) Juan Jesus Prieto (Apr 14)
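
Pairing the last data row with the most recent header written before it, rather than the header at the top of the file, avoids the mismatch discussed in this thread. The following is an added example, not code from the thread: it assumes header lines start with `#` and are comma-separated (as the `sed 's/^#//'` step in the quoted script implies), and the function names `snort_stat` and `write_sample` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# write_sample FILE: a constructed stats file in which a restart after an
# upgrade appended a second, wider header part-way through the file.
write_sample() {
    cat > "$1" <<'EOF'
#constructed sample file
#time,pkt_drop_percent,stream5_mem_in_use
1428500000,0.000,13950060
#time,pkt_drop_percent,curr_tcp_sessions_established,stream5_mem_in_use
1428900000,0.000,5195,14000000
EOF
}

# snort_stat FILE KEY: print the latest value of KEY, pairing the last data row
# with the most recent header line written before it.
# Exit status: 0 found, 1 key absent, 2 key/value counts differ, 3 no header or row.
snort_stat() {
    awk -F',' -v key="$2" '
        /^#/ {
            # Assumption: a "#" line containing commas is a column header.
            if (index($0, ",")) hdr = substr($0, 2)
            next
        }
        NF > 1 { row = $0; row_hdr = hdr }   # remember the header in force
        END {
            if (row == "" || row_hdr == "") exit 3
            nk = split(row_hdr, k, ",")
            nv = split(row, v, ",")
            if (nk != nv) {
                printf "mismatch: %d keys, %d values\n", nk, nv > "/dev/stderr"
                exit 2
            }
            for (i = 1; i <= nk; i++)
                if (k[i] == key) { print v[i]; exit 0 }
            exit 1
        }
    ' "$1"
}

# Demo: the old header at the top of the file would put stream5_mem_in_use in
# column 3; the header nearest the last row puts it in column 4.
f=$(mktemp) && write_sample "$f"
snort_stat "$f" stream5_mem_in_use
rm -f "$f"
```

A non-zero exit status of 2 signals that the header and the row disagree on column count, so a monitoring script can stop instead of reporting values under the wrong keys.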
