Snort mailing list archives

Re: statistics that Snort can do


From: Terence Runge <terencerunge () sbcglobal net>
Date: Tue, 17 Jun 2003 00:11:59 -0700

I had this saved with an older config, written originally by Sandro Poppi. I haven't tried this since 1.8.x, but it's worth a look.

#!/bin/bash
# Script to generate and extract snort statistics from syslog or a given file,
# generated after kill -USR1 <snort-pid>
#
# This script assumes that the pid is logged into the logfile!
# This can be obtained using the following line in snort.conf:
# output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
#
# (c) Sandro Poppi 2001
# Released under GPL

echo "Starting gathering snort internal statistics. Please be patient..."

if [ -z "$1" ] || [ ! -e "$1" ] ; then
  # no or nonexistent file given, using default
  log_file="/var/log/messages"
else
  # when using a non-standard logfile location make sure snort logs to this
  # file when sent signal USR1, else this script won't work!
  log_file="$1"
fi

# find out snort pids
snort_pid=$(/sbin/pidof snort)

# get internal statistics for all snort processes
# not using killall, to get already sorted output
for i in $snort_pid ; do
  kill -USR1 "$i"

  # sleep for 2 secs to give snort time to send statistics to syslog ;)
  sleep 2
done

# immediately restart snort after sending signal USR1
# this may be omitted when using a CVS version of snort after about 01.11.2001
# or any version from 1.8.2 or higher
/etc/rc.d/init.d/snortd restart

for i in $snort_pid ; do
  # process logfile
  filename="/var/log/snort/archive/snort.$(date "+%Y-%m-%d").$i.log"
  # check for an existing file and rename it if present
  if [ -e "$filename" ] ; then
    mv "$filename" "$filename.bak"
  fi

  egrep "snort\[$i\]:" "$log_file" > "$filename"

  # check if there are dropped packets, using lines like
  # Oct 22 18:02:06 xbgh17183 snort[573]: dropping 0(0.000%) packets
  # only the last dump for this pid is checked (an earlier dump in the same
  # logfile would otherwise give a multi-line result), and the count is taken
  # from the text after "dropping" rather than from a space-split column, which
  # single-digit syslog days (two spaces) would shift
  dropped=$(egrep "dropping" "$filename" | tail -n 1 | sed 's/.*dropping \([0-9]*\)(.*/\1/')
  if [ -n "$dropped" ] && [ "$dropped" != "0" ] ; then
    echo "Snort's dropping packets!!! Take a look at the configuration and/or the system's performance!!!"
  fi
done

echo "Gathering snort internal statistics finished..."

echo "Gathering snort internal statistics finished..."
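A companion check, added here and not part of Terence's post or Sandro Poppi's script: it parses the "snort[<pid>]: dropping N(x.xxx%) packets" lines Snort writes to syslog after kill -USR1 and reports each pid's most recent figures, flagging pids whose latest dump shows drops. The sample log, its hostname, pids and figures are constructed assumptions.

```shell
# Added example, not code from the original post: parse the
# "snort[<pid>]: dropping N(x.xxx%) packets" syslog lines emitted after
# kill -USR1 and report the figures from each pid's most recent dump.
# Assumes the LOG_PID syslog layout quoted in the script above.

# Constructed sample log: hostname, pids, figures and the cron line are made up.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jun  7 00:05:01 sensor1 snort[573]: dropping 0(0.000%) packets
Jun  7 00:10:01 sensor1 cron[222]: (root) CMD (run-parts /etc/cron.hourly)
Jun  7 00:10:02 sensor1 snort[573]: dropping 37(0.308%) packets
Jun  7 00:10:03 sensor1 snort[9101]: dropping 0(0.000%) packets
EOF

# Print "<count> <percent>" from the latest dropping line for one pid, or
# nothing if that pid never dumped. A regex on the "dropping" text is used
# instead of fixed field numbers: single-digit days are padded with two
# spaces, which would shift a space-split column count.
latest_drop_fields() {
    grep -E "snort\[$1\]: dropping " "$2" | tail -n 1 \
        | sed -E 's/.*dropping ([0-9]+)\(([0-9.]+)%\) packets.*/\1 \2/'
}
latest_drop_count() { latest_drop_fields "$1" "$2" | cut -d ' ' -f 1; }
latest_drop_pct()   { latest_drop_fields "$1" "$2" | cut -d ' ' -f 2; }

# Every snort pid that has dumped statistics into the log, sorted numerically.
snort_pids() {
    grep -E 'snort\[[0-9]+\]: dropping ' "$1" \
        | sed -E 's/.*snort\[([0-9]+)\].*/\1/' | sort -un
}

# Pids whose most recent dump shows a non-zero drop count.
pids_dropping() {
    local pid
    for pid in $(snort_pids "$1"); do
        [ "$(latest_drop_count "$pid" "$1")" != "0" ] && echo "$pid"
    done
    return 0
}

echo "Latest Snort drop figures per pid:"
for pid in $(snort_pids "$sample_log"); do
    echo "  pid $pid: $(latest_drop_count "$pid" "$sample_log") packets" \
        "($(latest_drop_pct "$pid" "$sample_log")%)"
done
dropping=$(pids_dropping "$sample_log")
if [ -n "$dropping" ]; then
    echo "WARNING: Snort is dropping packets, pid(s): $dropping"
fi
```

Point the functions at /var/log/messages (or whatever file snort.conf's alert_syslog line feeds) instead of the sample to run it against a live sensor.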

Kreimendahl, Chad J wrote:

of note...
you appear to only be able to -USR1 a snort 1 time... it dies the second
time you -USR1 it.  (my experience... on solaris...)

There's also a semi-undocumented way to dump stats (perfstats) at
selected intervals... I believe there is info in the snort.conf file
about this.

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Monday, June 16, 2003 2:34 PM
To: Francesco
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] statistics that Snort can do


On Mon, 16 Jun 2003, Francesco wrote:

If and when you exit Snort, you can get a statistics report of some
significance. The point is you only get them (including the package drop rate)
when you exit!

I suppose it would be good if the user could monitor these data at any time.
I looked at the command line but I find no option available for this purpose.
Am I wrong? Any idea how to do that?

Please do not say use Acid or something else.. I'd like to know if we can get
this info straight from Snort, at first.

        kill -USR1 <snort_pid>

Will dump them into syslog.

Cheers!

-----
Erek Adams

  "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.NET email is sponsored by: eBay
Great deals on office technology -- on eBay now! Click here:
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users