Snort mailing list archives

Snort IP Flow monitoring - Patch for writing to a file


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Wed, 5 Dec 2012 10:44:01 +0530

Hi,
I am using Snort-2.9.3.1. I tried to enable ip-flow monitoring with the
write to file option using the configuration

preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv flow-ip-memcap 10000000000 time 300

It worked but there was a slight problem - The IP flow statistics were
computed, but written to the file only at the end of snort execution (At
Snort exit). Upon inspection of the source code, the file
src/preprocessors/perf-flow.c did not have an fflush() call in the
definition of the function 'static int WriteFlowIPStats(SFFLOW *sfFlow,
FILE *fp)'. I added an fflush(fp) at line 774 and recompiled snort. The
flow IP monitoring is now working fine (Output is correctly flushed to a
file at end of specified interval). I have enclosed a patch with this mail
which can be applied using
$ cd snort-2.9.3.1
Once you are inside the extracted snort folder
$ patch -p5 < snort_ip_flow.patch

I hope subsequent versions of snort will resolve this issue.

Regards,
Dheeraj

Attachment: snort_ip_flow.patch

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel