Snort mailing list archives

Re: Snort Statistics on Shutdown


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 5 Aug 2004 14:11:18 -0400

The only way it can be talking to stdout is if the daemon_flag isn't getting set, and since you're going into daemon mode that can't be it. You aren't using the -q switch, are you?

     -Marty

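void LogMessage(const char *format,...)
{
    char buf[STD_BUF+1];
    va_list ap;

    /* Quiet mode suppresses output only when not running as a daemon */
    if(pv.quiet_flag && !pv.daemon_flag)
        return;

    va_start(ap, format);

    if(pv.daemon_flag)
    {
        /* Daemon mode: format into buf and send the message to syslog */
        vsnprintf(buf, STD_BUF, format, ap);
        syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf);
    }
    else
    {
        /* Not a daemon: write the message straight to stderr */
        vfprintf(stderr, format, ap);
    }
    va_end(ap);
}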


On Aug 5, 2004, at 11:31 AM, sekure wrote:

I think what happens is that Snort dumps those stats to stdout, at
least that has been my experience.  So if Snort is running in daemon
mode when it's killed, you don't get the stats in your syslog.

On Thu, 5 Aug 2004 11:05:54 -0400, Martin Roesch <roesch () sourcefire com> wrote:
Hi Bill,

I just checked the code and the DropStats() function is calling
LogMessage() to output its info so they should be somewhere in your
syslog files.  You aren't reading a pcap file in daemon mode, are you?

     -Marty



On Aug 4, 2004, at 11:59 PM, Bill Parker wrote:

Ok, now that I have the pig at version 2.1.3, I was curious about
another thing.  I run snort in daemon mode and start/stop it with the
init script provided (no problems at all), but I was under the
impression that snort when it shuts down, should generate some stats
as to how many packets were processed, etc.  I see the snort startup
in /var/log/messages, should I not see stuff in there when it shuts
down?

Bill

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


