Snort mailing list archives
RE: Snort PID in /var/log/messages
From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Wed, 2 Feb 2005 11:36:41 +0900
Edin Dizdarevic wrote on Tuesday, February 01, 2005 9:47 PM:
I still do not _really_ understand what are you trying to achieve. :[ .... -- Edin Dizdarevic
What I'm talking about is anything that snort sends to syslog; Initialization messages, Performance Stats, Errors, Alerts,... Here is a sample:

Feb 2 11:17:14 snort snort: [1:399:6] ICMP Destination Unreachable Host Unreachable .....
Feb 2 11:17:15 snort barnyard[9767]: Exiting
Feb 2 11:17:15 snort barnyard[8881]: Exiting
Feb 2 11:17:16 snort barnyard[7066]: Initializing daemon mode
Feb 2 11:17:16 snort barnyard[7078]: Opened spool file '/var/log/snort/snort.log.1107285310'
Feb 2 11:17:16 snort barnyard[7078]: Waiting for new data
Feb 2 11:17:21 snort snort: Snort Realtime Performance : Wed Feb 2 11:17:21 2005 ----------
Feb 2 11:17:21 snort snort: Pkts Recv: 241089
Feb 2 11:17:21 snort snort: Pkts Drop: 0
Feb 2 11:17:21 snort snort: % Dropped: 0.00%
Feb 2 11:17:21 snort snort: KPkts/Sec: 0.80
Feb 2 11:17:21 snort snort: Bytes/Pkt: 862
Feb 2 11:17:21 snort snort: Mbits/Sec: 5.24 (wire)
Feb 2 11:17:21 snort snort: Mbits/Sec: 0.27 (rebuilt)
Feb 2 11:17:21 snort snort: Mbits/Sec: 5.51 (total)
Feb 2 11:17:21 snort snort: PatMatch: 95.23%
Feb 2 11:17:21 snort snort: CPU Usage: 20.88% (user) 0.71% (sys) 78.41% (idle)
Feb 2 11:17:25 snort barnyard[7280]: Initializing daemon mode
Feb 2 11:17:25 snort barnyard[7286]: Opened spool file '/var/log/snort/snort-bond0.log.1107285310'
Feb 2 11:17:26 snort snort: [1:1437:6] MULTIMEDIA Windows Media download ......
Feb 2 11:17:26 snort barnyard[7286]: Waiting for new data
From the above, I can tell which instance of Barnyard is doing what. But, I
have no way of knowing which instance of Snort generated the alerts or the performance stats. Jeremy Hewlett responded that this request didn't get submitted in time for Snort 2.3, but they are considering it for Snort 2.4. In the meantime I'll look through the code and see if I can figure out a patch.

Thanks,
Barry
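The attribution gap Barry describes can be made visible mechanically. The following parser is an added example and is not code from the post, from Snort or from Barnyard; it assumes the lines are in the traditional BSD syslog layout shown above ("Mon DD HH:MM:SS host program[pid]: message"), uses a constructed sample modelled on the quoted lines, and groups entries by (program, PID) so that programs logging without a PID (here, snort) stand out as unattributable to a specific instance.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog lines quoted in the post.
SAMPLE_LOG = """\
Feb  2 11:17:14 snort snort: [1:399:6] ICMP Destination Unreachable Host Unreachable
Feb  2 11:17:15 snort barnyard[9767]: Exiting
Feb  2 11:17:16 snort barnyard[7078]: Opened spool file '/var/log/snort/snort.log.1107285310'
Feb  2 11:17:21 snort snort: Pkts Recv: 241089
Feb  2 11:17:25 snort barnyard[7286]: Opened spool file '/var/log/snort/snort-bond0.log.1107285310'
Feb  2 11:17:26 snort snort: [1:1437:6] MULTIMEDIA Windows Media download
"""

# Traditional BSD syslog line: timestamp, host, program, optional "[pid]", colon, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)"
    r"(?:\[(?P<pid>\d+)\])?"
    r":\s*(?P<msg>.*)$"
)

# Snort alert prefix "[gid:sid:rev]" as it appears at the start of an alert message.
SID_RE = re.compile(r"^\[(\d+):(\d+):(\d+)\]\s+(.*)$")


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    # pid is an int when present, None when the program did not log one
    entry["pid"] = int(entry["pid"]) if entry["pid"] is not None else None
    return entry


def parse_log(text):
    """Parse every line of a syslog excerpt, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def instances(entries):
    """Map program name -> set of PIDs seen (None marks 'no PID logged')."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["prog"]].add(e["pid"])
    return dict(seen)


def unattributable(entries):
    """Entries that cannot be tied to a specific process because no PID was logged."""
    return [e for e in entries if e["pid"] is None]


def alert_sid(message):
    """Return (gid, sid, rev) from a Snort alert message, or None for non-alert lines."""
    m = SID_RE.match(message)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for prog, pids in sorted(instances(entries).items()):
        print(f"{prog}: pids={sorted(p for p in pids if p is not None)} "
              f"missing_pid={None in pids}")
    for e in unattributable(entries):
        sid = alert_sid(e["msg"])
        print(f"no PID: {e['prog']} {e['msg'][:40]!r} alert={sid}")
```

Run against the sample, the barnyard entries resolve to three distinct PIDs while every snort entry collapses into a single "no PID" bucket, which is exactly why two Snort instances on one sensor cannot be told apart in /var/log/messages until the daemon itself includes its PID in the syslog identifier.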
Current thread:
- RE: Snort PID in /var/log/messages Basselgia, Barry A Mr (NAF Atsugi) (Jan 31)
- Re: Snort PID in /var/log/messages Edin Dizdarevic (Feb 01)
- Re: Snort PID in /var/log/messages Jeremy Hewlett (Feb 01)
- <Possible follow-ups>
- RE: Snort PID in /var/log/messages Basselgia, Barry A Mr (NAF Atsugi) (Feb 01)
- Re: Snort PID in /var/log/messages Justin Heath (Feb 10)