Snort mailing list archives
RE: Snort packet stats
From: <BShinn () empirecorp org>
Date: Fri, 17 May 2002 00:50:05 -0400
I set up swatch to run with the following command:

    swatch -c /usr/local/swatch/swatch.snort -t /var/log/messages

The contents of the swatch.snort config file look like this:

    /Snort analyzed/
        echo
    /The kernel dropped/
        echo

Sending kill -10 to snort yields the first two lines of the stats to swatch:

    May 16 23:43:55 yourhost snort: Snort analyzed 4955 out of 4956 packets,
    May 16 23:43:55 yourhost snort: The kernel dropped 0(0.000%) packets

I suppose you could echo them anywhere... in fact, since swatch allows you to run almost anything based on particular content, I am sure you could pass the data into MRTG, NetSaint, or MySQL... but clearly something more crafty than echoing to the console.

I had to edit swatch.pl to change the default location of tail to match mine.

This is not really off-topic since performance of the sensors is everything. I am going to go back through the listserv (since I know this is not a new topic) and try to find all the methods people are using to gather this info. I need to justify faster sensors or more span sessions somehow.

Bill

-----Original Message-----
From: Ed McMan [mailto:edmcman () despammed com]
Sent: Thursday, May 16, 2002 10:48 PM
To: BShinn () empirecorp org; bthaler () webstream net; snort-users () lists sourceforge net
Subject: Re: [despammed] RE: [Snort-users] Offtopic - Snort packet stats

Why not killall -10 snort ?

-------------------------------------------------------------
|Eddie J Schwartz <EdMcMan () despammed com> http://www.m00.net|
| AIM: The Cypher ICQ: 35576339 YHOO: edmcman2 MSN: ^^      |
| "We Trills have an expression--at forty, you think you   |
| know everything. At four hundred, you realize you know   |
| nothing." - Dax, Star Trek Deep Space 9                  |
-------------------------------------------------------------

----- Original Message -----
From: <BShinn () empirecorp org>
To: <bthaler () webstream net>; <snort-users () lists sourceforge net>
Sent: Thursday, May 16, 2002 10:37 PM
Subject: [despammed] RE: [Snort-users] Offtopic - Snort packet stats

Sending SIGUSR1 to snort will dump the stats to syslog while the program continues to run. While I am still learning how to do this... If one were to write a script that grabs the pid from snort, either from a pid file or from a grep of ps -A, then send kill -10 to that pid, snort will dump the running stats to syslog (/var/log/messages on my RH 7.2)....

I also tried piping the output to a file as you did, but since it always dumps it to the syslog, not the terminal, I am thinking I need to parse that somehow.

-----Original Message-----
From: bthaler () webstream net [mailto:bthaler () webstream net]
Sent: Thursday, May 16, 2002 3:30 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Offtopic - Snort packet stats

Sorry if this is a bit off topic, but:

I'm using kill -30 on my OBSD-3.0 system to view the packet stats that snort generates. I would like to take this output and mail it to an email address, but I'm having no luck. Here is what I have tried so far:

    kill -30 xxxx | mail -s "Snort Packet Stats" email () address com
    kill -30 xxxx > snortstat.txt
    kill -30 xxxx | tee snortstat.txt

Funny thing is, these work fine for sending other commands to a file or such, but not "kill" for some reason.
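A small script, added here as an example and not part of any message in this thread, that does what the replies above describe: send SIGUSR1 to the Snort pid read from a pidfile, then parse the two stats lines out of syslog and check the kernel drop rate against a threshold instead of just echoing them. The pidfile path /var/run/snort_eth0.pid is an assumption and the sample syslog lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed pidfile path; sample log constructed.

# Ask a running Snort to dump its stats to syslog (same as "kill -10" on Linux).
snort_dump_stats() {
    pidfile=${1:-/var/run/snort_eth0.pid}           # assumed location
    [ -r "$pidfile" ] || { echo "cannot read $pidfile" >&2; return 1; }
    kill -USR1 "$(cat "$pidfile")"
}

# Read syslog lines on stdin; print "analyzed total dropped drop_pct" for the
# most recent dump (later dumps overwrite earlier ones; Snort counts are cumulative).
snort_drop_pct() {
    awk '
        /snort.*Snort analyzed/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "analyzed") analyzed = $(i + 1)
                if ($i == "of")       total    = $(i + 1)
            }
        }
        /snort.*The kernel dropped/ {
            for (i = 1; i <= NF; i++)
                if ($i == "dropped") { split($(i + 1), p, "("); dropped = p[1] }
        }
        END {
            if (total == "" || dropped == "") exit 1   # no complete dump seen
            pct = (total > 0) ? dropped * 100 / total : 0
            printf "%d %d %d %.3f\n", analyzed, total, dropped, pct
        }'
}

# Return 0 if the latest drop percentage is at or below $1, 1 if above, 2 if no stats.
check_drop_threshold() {
    stats=$(snort_drop_pct) || return 2
    awk -v pct="${stats##* }" -v limit="$1" 'BEGIN { exit (pct > limit) }'
}

# Constructed sample: two dumps, the second showing the kernel dropping 10%.
SAMPLE_LOG='May 16 23:43:55 yourhost snort: Snort analyzed 4955 out of 4956 packets,
May 16 23:43:55 yourhost snort: The kernel dropped 0(0.000%) packets
May 16 23:50:01 yourhost snort: Snort analyzed 9000 out of 10000 packets,
May 16 23:50:01 yourhost snort: The kernel dropped 1000(10.000%) packets'

printf '%s\n' "$SAMPLE_LOG" | snort_drop_pct          # prints: 9000 10000 1000 10.000
```

On a live sensor, run snort_dump_stats and then feed the tail of /var/log/messages into check_drop_threshold from cron; a non-zero exit is the signal that the sensor is falling behind.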