Snort mailing list archives

Re: Snort+ : loging in afpacket mode


From: Meridoff via Snort-users <snort-users () lists snort org>
Date: Tue, 2 Oct 2018 17:46:34 +0300

Or maybe to flock() on file writing, so that only one thread can write the
alert buffer at a time.

Tue, 2 Oct 2018 at 17:11, Meridoff <oagvozd () gmail com>:



Wed, 26 Sep 2018 at 1:05, Meridoff <oagvozd () gmail com>:

Yes, I think it is true. My test was only from one peer, so it was processed
by one DAQ thread, so by one packet thread, which writes its own log (for
fanout). Without hashed fanout, several threads do the same processing of
one flow, so we have several logs of alerts.


1) Does snort3 support writing alerts to only one file from several threads?
For example, if I recompile snort in a way that no run prefix is added to
the log/alert file, so that all threads write to one file.

They already do, but I am afraid that snort3 doesn't support this and the
resulting log file will have mixed (shuffled) data.

2) Also, does a way exist (except, of course, scripting it myself) to
combine several alert_logs.txt.N logs from different threads?
For example by time, in the order the alerts appear along the timeline.




Mon, 24 Sep 2018 at 20:27, Shravan Rangarajuvenkata (shrarang) <
shrarang () cisco com>:

Snort creates one DAQ instance per thread and each DAQ instance creates
one packet socket. When fanout mode is used, each packet is sent to only
one socket in the fanout group. When you set fanout_type to hash, all
packets belonging to one flow are sent to one socket. The socket is selected
based on the hash created for the flow, and the hash is a function of the
network addresses of the flow. Please refer to "man packet" for more
information regarding fanout options.



I am assuming when you were using fanout options, both the scp flows
went to the same snort thread and therefore, you see only one alert file.
When you were not using fanout options, each packet was being sent to all
the snort threads and each thread was creating alerts. And thus, you had 4
alerts files with duplicate alerts.



To confirm the above, can you please provide us more information?

   1. Were you seeing the same alerts in all 4 log files when you were
   not using fanout options?
   2. Did you miss any alerts when you used the fanout options? You
   should not see any duplicate alerts when using fanout but all the unique
   alerts should still be generated.



Thanks,

Shravan


-------- Forwarded Message --------

*Subject: *

[Snort-users] Snort+ : loging in afpacket mode

*Date: *

Thu, 20 Sep 2018 20:46:03 +0300

*From: *

Meridoff via Snort-users <snort-users () lists snort org>
<snort-users () lists snort org>

*Reply-To: *

Meridoff <oagvozd () gmail com> <oagvozd () gmail com>

*To: *

snort-users () lists snort org



Hello

I run 4 packet threads in afpacket tap mode with alert_fast output.

I can see 4 log files (0..4_alert_fast.txt) which are the same, because 4
DAQ threads run.



Now I set fanout_type to hash (and fanout_flag to rollover or defrag)
and I see that logging goes to only 1 file (e.g. 1_alert_fast.txt).



I test all this with one rule "tcp any any" and 2 scp processes to generate
traffic (2 big file transfers in parallel).



How can it (the difference in the number of log files that are written) be
explained?
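The socket layout Shravan describes (one packet socket per thread, all joined to one PACKET_FANOUT group, hash mode pinning a flow to one socket) can be reproduced outside Snort. The script below is an added example written for this thread; it is not Snort or DAQ code. The constants are copied from <linux/if_packet.h> (Python's socket module does not export them); the interface name "eth0", the group id 1 and the 5 second run are assumptions. Passing fanout_type=None opens the sockets without joining a group, which is the no-fanout case where every socket receives every packet and each thread would log the same alerts.

```python
"""Join N AF_PACKET sockets (one per worker thread) to one PACKET_FANOUT group.

Added example, not Snort/DAQ code. Needs Linux and CAP_NET_RAW to actually
receive packets; the encoding helpers work anywhere.
"""
import socket
import threading
import time

# From <linux/if_packet.h>; Python's socket module does not define these.
SOL_PACKET = 263
PACKET_FANOUT = 18
ETH_P_ALL = 0x0003

PACKET_FANOUT_HASH = 0       # flow hash over the network addresses -> one socket per flow
PACKET_FANOUT_LB = 1         # round robin across sockets
PACKET_FANOUT_CPU = 2        # socket chosen by the CPU the packet arrived on
PACKET_FANOUT_ROLLOVER = 3   # next socket only when the current one is full

PACKET_FANOUT_FLAG_ROLLOVER = 0x1000  # spill to another socket when the chosen one is full
PACKET_FANOUT_FLAG_DEFRAG = 0x8000    # reassemble IP fragments before hashing


def fanout_arg(group_id, fanout_type, flags=0):
    """Encode the PACKET_FANOUT setsockopt value as man 7 packet describes it:
    group id in the low 16 bits, (type | flags) in the high 16 bits."""
    if not 0 <= group_id <= 0xFFFF:
        raise ValueError("fanout group id must fit in 16 bits")
    return group_id | ((fanout_type | flags) << 16)


def decode_fanout_arg(arg):
    """Inverse of fanout_arg(): (group_id, fanout_type, flags), the split the kernel does."""
    group_id = arg & 0xFFFF
    type_flags = arg >> 16
    return group_id, type_flags & 0xFF, type_flags & 0xFF00


def open_capture_socket(ifname, group_id=None, fanout_type=None, flags=0):
    """One raw packet socket bound to ifname. With fanout_type set it joins the
    group; with fanout_type=None it stays outside any group and therefore sees
    every packet on the interface (the duplicated-alerts case)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    if fanout_type is not None:
        s.setsockopt(SOL_PACKET, PACKET_FANOUT, fanout_arg(group_id, fanout_type, flags))
    return s


def run_workers(ifname, nthreads, seconds, fanout_type=PACKET_FANOUT_HASH, flags=0, group_id=1):
    """Spawn nthreads, each owning its own socket (as Snort does with one DAQ
    instance per packet thread), and count the packets each one receives.
    With hash fanout the per-thread counts add up to the packets on the wire;
    without fanout every thread counts all of them."""
    counts = [0] * nthreads
    stop = time.monotonic() + seconds

    def worker(idx):
        s = open_capture_socket(ifname, group_id, fanout_type, flags)
        s.settimeout(0.2)
        while time.monotonic() < stop:
            try:
                s.recv(65535)
            except socket.timeout:
                continue
            counts[idx] += 1
        s.close()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(nthreads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counts


if __name__ == "__main__":
    import sys
    ifname = sys.argv[1] if len(sys.argv) > 1 else "eth0"  # assumption
    print("hash+defrag fanout:", run_workers(ifname, 4, 5, PACKET_FANOUT_HASH, PACKET_FANOUT_FLAG_DEFRAG))
    print("no fanout:        ", run_workers(ifname, 4, 5, fanout_type=None))
```

Run it as root while two scp transfers are in flight: with hash fanout the two flows each land on one thread (both may hash to the same one, which is the single 1_alert_fast.txt Meridoff saw), while the no-fanout run shows four nearly equal counts because every socket got every packet.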



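Meridoff's second question, merging the per-thread N_alert_fast.txt files into one timeline, and Shravan's first question, whether the four no-fanout files carry the same alerts, can both be answered with one script. The one below is an added example for this thread, not Snort code. It assumes the alert_fast line layout shown in the constructed sample lines (no year in the timestamp, optional Classification field) and that the copies of one packet seen by several threads carry the same capture timestamp, which is what the duplicate check keys on.

```python
"""Merge per-thread alert_fast files into one timeline and flag duplicate alerts.

Added example, not part of Snort. Sample lines are constructed, not captured.
"""
import heapq
import re
from collections import defaultdict

# Assumed alert_fast layout: timestamp [**] [gid:sid:rev] "msg" [**] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6}) \[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\] '
    r'(?:\[Classification: [^\]]*\] )?\[Priority: \d+\] '
    r'\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$')


def sample_line(ts, src, dst):
    """Build one constructed alert_fast line for the "tcp any any" test rule."""
    return f'{ts} [**] [1:1000001:0] "tcp any any" [**] [Priority: 0] {{TCP}} {src} -> {dst}'


A = ('10.0.0.5:52344', '10.0.0.9:22')   # first scp flow (constructed)
B = ('10.0.0.6:41000', '10.0.0.9:22')   # second scp flow (constructed)

# Without fanout every thread sees every packet, so the four files are identical.
SAMPLE_NO_FANOUT = {
    t: [sample_line('09/20-20:46:03.000100', *A), sample_line('09/20-20:46:03.000300', *B)]
    for t in range(4)
}
# With hash fanout each flow lands on one thread (here two different ones, so the
# files interleave in time); the other threads' files stay empty.
SAMPLE_HASH_FANOUT = {
    0: [],
    1: [sample_line('09/20-20:46:03.000100', *A), sample_line('09/20-20:46:03.000400', *A)],
    2: [],
    3: [sample_line('09/20-20:46:03.000200', *B), sample_line('09/20-20:46:03.000300', *B)],
}


def parse_ts(ts):
    """'MM/DD-HH:MM:SS.ffffff' -> sortable tuple (alert_fast carries no year)."""
    md, hms = ts.split('-')
    mon, day = md.split('/')
    h, m, s = hms.split(':')
    sec, usec = s.split('.')
    return (int(mon), int(day), int(h), int(m), int(sec), int(usec))


def parse_alert(line, thread):
    """Parse one line; returns None for lines that are not alerts (blank, headers)."""
    m = ALERT_RE.match(line.rstrip('\n'))
    if not m:
        return None
    a = m.groupdict()
    a['thread'] = thread
    a['key'] = parse_ts(a['ts'])
    return a


def iter_alerts(lines, thread):
    for line in lines:
        a = parse_alert(line, thread)
        if a:
            yield a


def merge_logs(files):
    """files: {thread_index: iterable of lines}. Each thread appends in time order,
    so a k-way heap merge yields the global timeline without loading everything
    into memory; equal timestamps keep thread order."""
    streams = [iter_alerts(lines, t) for t, lines in sorted(files.items())]
    return list(heapq.merge(*streams, key=lambda a: (a['key'], a['thread'])))


def alert_key(a):
    return (a['ts'], a['gid'], a['sid'], a['rev'], a['proto'], a['src'], a['dst'])


def find_duplicates(alerts):
    """Alerts with the same key that came from more than one thread: the symptom of
    running several threads without fanout."""
    seen = defaultdict(set)
    for a in alerts:
        seen[alert_key(a)].add(a['thread'])
    return {k: sorted(t) for k, t in seen.items() if len(t) > 1}


def dedup(alerts):
    """Keep the first copy of each alert key, dropping copies from other threads."""
    kept, out = set(), []
    for a in alerts:
        if alert_key(a) not in kept:
            kept.add(alert_key(a))
            out.append(a)
    return out


def load_thread_files(paths):
    """Map 'N_alert_fast.txt' paths to {N: lines}; opened lazily for merge_logs()."""
    return {int(re.match(r'.*?(\d+)_alert_fast\.txt$', p).group(1)): open(p) for p in paths}


if __name__ == "__main__":
    import sys
    for a in merge_logs(load_thread_files(sys.argv[1:])):
        print(a['thread'], a['ts'], a['src'], '->', a['dst'])
```

Usage: `python3 merge_alerts.py log/*_alert_fast.txt` prints the merged timeline. If find_duplicates() reports every alert in all four files, that confirms the no-fanout explanation above; with hash fanout it should report nothing while dedup() leaves the count unchanged.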
