Snort mailing list archives
Re: Snort IP Flow monitoring - Patch for writing to a file
From: Todd Wease <twease () sourcefire com>
Date: Wed, 5 Dec 2012 09:28:17 -0500
On Wed, Dec 5, 2012 at 12:14 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:

Hi,

I am using Snort-2.9.3.1. I tried to enable ip-flow monitoring with the write to file option using the configuration

preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv flow-ip-memcap 10000000000 time 300

It worked but there was a slight problem - The IP flow statistics were computed, but written to the file only at the end of snort execution (At Snort exit).

Upon inspection of the source code, the file src/preprocessors/perf-flow.c did not have an fflush() call in the definition of the function 'static int WriteFlowIPStats(SFFLOW *sfFlow, FILE *fp)'. I added an fflush(fp) at line 774 and recompiled snort. The flow IP monitoring is now working fine (Output is correctly flushed to a file at end of specified interval).

I have enclosed a patch with this mail which can be applied using

$ cd snort-2.9.3.1

Once you are inside the extracted snort folder

$ patch -p5 < snort_ip_flow.patch

I hope subsequent versions of snort will resolve this issue.

Regards,
Dheeraj

Dheeraj,

Thanks for the patch. However, this has already been identified and fixed and will be available in an upcoming snort release.

Todd
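
The buffering behaviour behind the report in this thread, as an added C example that is not Snort's code and not part of either message: a row written with fprintf() to a regular file stays in the stdio buffer, invisible to anything reading the file, until fflush() or fclose(). The function names, the file name ipflow_demo.csv and the sample row are assumptions made for the illustration.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Hypothetical stand-in for a periodic stats writer; NOT Snort's WriteFlowIPStats(). */
static int write_interval_row(FILE *fp, int do_flush)
{
    /* Constructed sample row (documentation addresses, made-up counters). */
    int n = fprintf(fp, "%s,%s,%d,%d\n", "192.0.2.10", "198.51.100.7", 1200, 34);
    if (n < 0)
        return -1;
    /* Without this call the row waits in the stdio buffer until exit. */
    if (do_flush && fflush(fp) != 0)
        return -1;
    return n;
}

/* Bytes a second process (tail, a log shipper, a SIEM agent) can see right now. */
static long visible_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Write one interval's row and report what is on disk before the stream closes. */
long bytes_visible_after_interval(const char *path, int do_flush)
{
    FILE *fp = fopen(path, "w");
    long seen;
    if (fp == NULL)
        return -1;
    /* Full buffering is already the stdio default for regular files; set it
       explicitly so the demonstration does not depend on the platform. */
    setvbuf(fp, NULL, _IOFBF, BUFSIZ);
    if (write_interval_row(fp, do_flush) < 0) {
        fclose(fp);
        remove(path);
        return -1;
    }
    seen = visible_size(path);
    fclose(fp);
    remove(path);
    return seen;
}

int main(void)
{
    printf("no fflush:   %ld bytes visible\n", bytes_visible_after_interval("ipflow_demo.csv", 0));
    printf("with fflush: %ld bytes visible\n", bytes_visible_after_interval("ipflow_demo.csv", 1));
    return 0;
}
```

For monitoring output this matters beyond convenience: anything consuming the statistics file sees no data for the whole run, and rows still buffered are lost if the process is killed rather than exiting cleanly.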
Current thread:
- Snort IP Flow monitoring - Patch for writing to a file Dheeraj Gupta (Dec 04)
- Re: Snort IP Flow monitoring - Patch for writing to a file Todd Wease (Dec 05)