Snort mailing list archives
Re: Snort+ : logging in afpacket mode
From: Meridoff via Snort-users <snort-users () lists snort org>
Date: Tue, 2 Oct 2018 17:11:16 +0300
Wed, 26 Sep 2018 at 1:05, Meridoff <oagvozd () gmail com>:
Yes, I think it is true. My test was only from one peer, so it was processed by one daq thread and so by one packet thread, which writes its own log (for fanout). Without hashed fanout - several threads that do the same processing of one flow - we have several logs of alerts.

1) Does snort3 support writing alerts to only one file by several threads? For example, if I recompile snort in a way that no runprefix will be added to the log/alert file - so all threads will write to one file. They already do, but I'm afraid that snort3 doesn't support this and the resulting log file will have mixed (shuffled) data.

2) Also - does a way exist (except, of course, scripting by myself) to combine together several alert_logs.txt.N - logs from different threads? For example by time - in the way alerts appear along the timeline..
Mon, 24 Sep 2018 at 20:27, Shravan Rangarajuvenkata (shrarang) <shrarang () cisco com>:

Snort creates one DAQ instance per thread and each DAQ instance creates one packet socket. When fanout mode is used, each packet is sent to only one socket in the fanout group. When you set fanout_type to hash, all packets belonging to one flow are sent to one socket. The socket is selected based on the hash created for the flow, and the hash is a function of the network addresses of the flow. Please refer to "man packet" for more information regarding fanout options.

I am assuming that when you were using fanout options, both the scp flows went to the same snort thread and therefore you see only one alert file. When you were not using fanout options, each packet was being sent to all the snort threads and each thread was creating alerts. And thus, you had 4 alert files with duplicate alerts.

To confirm the above, can you please provide us more information?

1. Were you seeing the same alerts in all 4 log files when you were not using fanout options?
2. Did you miss any alerts when you used the fanout options? You should not see any duplicate alerts when using fanout, but all the unique alerts should still be generated.

Thanks,
Shravan

-------- Forwarded Message --------
Subject: [Snort-users] Snort+ : logging in afpacket mode
Date: Thu, 20 Sep 2018 20:46:03 +0300
From: Meridoff via Snort-users <snort-users () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
To: snort-users () lists snort org

Hello

I run 4 packet threads in afpacket tap mode in alert_fast mode. I can see 4 log files (0..4_alert_fast.txt) which are the same - because 4 daq threads run. Now I set fanout_type to hash (and fanout_flag to rollover or defrag) and I see that logging goes to only 1 file (e.g. 1_alert_fast.txt).

I test all this with one rule "tcp any any" and 2 scp processes to generate traffic (2 big file transfers in parallel). How can it (the difference in the number of log files that are written) be explained?
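The second question above asks how to combine the per-thread alert_fast files into one timeline, and Shravan's reply explains why the non-fanout files repeat the same alerts. The following script is an added example, not code from the thread or from the Snort project: it merges per-thread alert_fast logs by packet timestamp and optionally collapses verbatim duplicate lines. The sample log lines, file names and sid 1000001 are constructed for the example; the line layout follows Snort's alert_fast output, which prints no year, so the year is supplied by the caller.

```python
import heapq
import re
from datetime import datetime

# Constructed sample alert_fast lines (not taken from the original post); the layout
# mirrors Snort's alert_fast output: timestamp, [**], [gid:sid:rev], message, priority,
# protocol and the 5-tuple of the packet that matched. sid 1000001 is a placeholder.
def _alert(ts, src, dst):
    return (f'{ts} [**] [1:1000001:0] "tcp any any" [**] [Priority: 0] '
            f'{{TCP}} {src} -> {dst}')

# With fanout_type = hash each scp flow lands on one thread, so the per-thread
# files hold different flows (constructed data).
FANOUT_LOGS = {
    "0_alert_fast.txt": [
        _alert("09/20-20:46:03.000100", "10.0.0.5:41822", "10.0.0.9:22"),
        _alert("09/20-20:46:03.000900", "10.0.0.5:41822", "10.0.0.9:22"),
    ],
    "1_alert_fast.txt": [
        _alert("09/20-20:46:03.000250", "10.0.0.6:41900", "10.0.0.9:22"),
        _alert("09/20-20:46:03.000700", "10.0.0.6:41900", "10.0.0.9:22"),
    ],
}

# Without fanout every thread receives every packet, so each file repeats the
# same alerts (constructed data: three threads, identical content).
_SHARED = [
    _alert("09/20-20:46:03.000100", "10.0.0.5:41822", "10.0.0.9:22"),
    _alert("09/20-20:46:03.000250", "10.0.0.6:41900", "10.0.0.9:22"),
]
NO_FANOUT_LOGS = {f"{i}_alert_fast.txt": list(_SHARED) for i in range(3)}

TS_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{6})\b")

def parse_ts(line, year=2018):
    """Return the datetime of an alert_fast line, or None if the line has no
    leading timestamp. alert_fast omits the year, so the caller supplies it."""
    m = TS_RE.match(line)
    if m is None:
        return None
    month, day, hh, mm, ss, usec = (int(g) for g in m.groups())
    return datetime(year, month, day, hh, mm, ss, usec)

def merge_alert_logs(logs, dedupe=False, year=2018):
    """Merge per-thread alert_fast logs (file name -> list of lines) into one
    list ordered by packet timestamp. Each input file is already chronological
    (one thread writes it sequentially), so a k-way heap merge suffices. With
    dedupe=True a line that already appeared verbatim is dropped, which
    collapses the copies written when every thread sees the same packet."""
    streams = []
    for idx, name in enumerate(sorted(logs)):
        keyed = []
        for pos, line in enumerate(logs[name]):
            ts = parse_ts(line, year)
            if ts is None:
                continue   # not an alert line (e.g. a wrapped continuation)
            # (timestamp, file index, position) is a total, stable sort key.
            keyed.append((ts, idx, pos, line))
        streams.append(keyed)
    merged, seen = [], set()
    for _ts, _idx, _pos, line in heapq.merge(*streams):
        if dedupe:
            if line in seen:
                continue
            seen.add(line)
        merged.append(line)
    return merged

def is_chronological(lines, year=2018):
    """True if the timestamps of the given alert lines never go backwards."""
    stamps = [parse_ts(line, year) for line in lines]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))

if __name__ == "__main__":
    for line in merge_alert_logs(FANOUT_LOGS):
        print(line)
    print(len(merge_alert_logs(NO_FANOUT_LOGS)), "lines without dedupe,",
          len(merge_alert_logs(NO_FANOUT_LOGS, dedupe=True)), "with dedupe")
```

The merge relies on each per-thread file being in order on its own, which holds because a single packet thread writes it; it does not rely on the files as a group being aligned. The verbatim-line dedupe only removes copies whose timestamps match exactly, so if threads stamp the same packet with slightly different times in non-fanout mode, a looser key (for example the line with its timestamp stripped, bucketed to the second) would be needed; with hash fanout the duplicates should not arise in the first place, as the reply above notes.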