RE: preprocessor perfmonitor fields

["Lee Clemens" <snort () leeclemens net>]

Excellent! yet another reason to be using linux I guess...i need to get that
box back up and running soon...that's the third answer that would have been
answered for me if I could see the source code...thanks for the help!

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Alejandro
Flores
Sent: Thursday, March 17, 2005 6:18 AM
To: Lee Clemens
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] preprocessor perfmonitor fields

Hey,

> I'm outputting perfmonitor to a file and I can't see any documentation as
to
> what fields are what. Since it is to a file, the manual just says that not
> all fields are recorded (from the bulleted list above).

Excerpt from snort-2.3.0/src/preprocessors/perf-base.c:676
/*
 *
 *   Log Base Per Stats to File for Use by the MC
 *
 * unixtime(in secs since epoch)
 * %pkts dropped
 * mbits/sec
 * alerts/sec
 * K-Packets/Sec
 * Avg Bytes/Pkt
 * %bytes pattern matched
 * syns/sec
 * synacks/sec
 * new-sessions/sec
 * del-sessions/sec
 * total-sessions open
 * max-sessions
 * streamflushes/sec
 * streamfaults/sec
 * streamtimeouts
 * fragcompletes/sec
 * fraginserts/sec
 * fragdeletes/sec
 * fragflushes/sec
 * fragtimeouts
 * fragfaults
 * %user-cpu usage
 * %sys-cpu usage
 * %idle-cpu usage
 */


> As per development, maybe the first field could simply be comma delimited
> field names, depending on the options set in snort.conf? I wouldn't mind
> sorting through a few of these if it outputted did this every time the
> service starts...but for now, is there a way I can tell what the values
> represent?

You can't customize what will be outputed.

> btw, I'm using windows and Snort running as-is (no ACID, BASE, etc), so
I'm
> not sure what console output would do...

As you're running on windows, running snort as a service, you can't
see the console output. If you run snort from a dos window, you'll se
the console output.
Log to mysql if you want to have a way to analise those alerts, and
use BASE to analise them.

Regards,
Alejandro Flores


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users