[Snort-devel] Snort preprocessor to log flows

fhmiv at ...512...
Wed Oct 17 11:55:14 EDT 2001


Hi all,

After looking around for a while and not being able to find anything 
that already does what I need in the open source world, I decided it 
would be pretty easy to implement as a preprocessor for Snort.

My requirement was for a network traffic flow summarizer. I needed to 
summarize by time interval, server, client, port and protocol, how much 
traffic passed between each pair of hosts. It is similar to the various 
stream plugins, but is much lazier.

First of all, it tracks by server ip, client ip, server port, protocol. 
Not tracking by client port greatly reduces the number of flows it needs 
to track so it is pretty fast.

For each packet, it designates 'client' and 'server' from the source and 
destination according to which one has the lower port number.  This way, 
for example, if one client hits a certain web server with 100 individual 
requests during an interval, it only produces one flow, which aggregates 
the stats of all the requests.

Basic stats on each flow are kept per interval: min packet payload, max 
packet payload, total payload & packet count 'up' (from client to 
server), and total payload & packet count 'down' (from server to client).

Currently, it outputs XML to a plain text log file. I would like 
suggestions for leveraging the current output system, but since I'm 
tracking stats rather than packet/event logs or alerts, the generic 
snort output system doesn't quite fit.
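As an added illustration of the flow-summarizing scheme described above (it is example code written for this page, not Frank's preprocessor and not Snort code): packets are keyed by (interval, protocol, server IP, client IP, server port), the side with the lower port is taken to be the server, the client port is discarded, and per-interval min/max payload plus up/down byte and packet counts are kept, then dumped as XML. The packet tuples, the 60-second interval, the XML element and attribute names, and the tie-break on equal ports (fall back to comparing IP strings so both directions land in the same flow) are all assumptions made for the example.

```python
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed sample packets (not captured traffic):
# (timestamp_seconds, proto, src_ip, src_port, dst_ip, dst_port, payload_len)
SAMPLE_PACKETS = [
    (0.5,  "tcp", "10.0.0.5",   40001, "192.0.2.10", 80,    300),
    (0.7,  "tcp", "192.0.2.10", 80,    "10.0.0.5",   40001, 1400),
    (1.2,  "tcp", "10.0.0.5",   40002, "192.0.2.10", 80,    280),
    (1.3,  "tcp", "192.0.2.10", 80,    "10.0.0.5",   40002, 900),
    (2.0,  "udp", "10.0.0.7",   51000, "192.0.2.53", 53,    40),
    (2.1,  "udp", "192.0.2.53", 53,    "10.0.0.7",   51000, 120),
    (65.0, "tcp", "10.0.0.5",   40003, "192.0.2.10", 80,    310),
]

INTERVAL = 60.0  # assumed summarization interval in seconds


class FlowStats:
    """Per-interval counters for one (server, client, server port, proto) flow."""

    def __init__(self):
        self.min_payload = None
        self.max_payload = 0
        self.up_bytes = self.up_pkts = 0      # client -> server
        self.down_bytes = self.down_pkts = 0  # server -> client

    def add(self, payload_len, up):
        self.min_payload = payload_len if self.min_payload is None else min(self.min_payload, payload_len)
        self.max_payload = max(self.max_payload, payload_len)
        if up:
            self.up_bytes += payload_len
            self.up_pkts += 1
        else:
            self.down_bytes += payload_len
            self.down_pkts += 1


def classify(src_ip, src_port, dst_ip, dst_port):
    """Return (client_ip, server_ip, server_port, up).

    The endpoint with the lower port is the server; the client port is
    dropped from the key. On equal ports the IP string breaks the tie
    (an assumption so that both directions map to the same flow).
    """
    if (dst_port, dst_ip) <= (src_port, src_ip):
        return src_ip, dst_ip, dst_port, True   # packet travels client -> server
    return dst_ip, src_ip, src_port, False      # packet travels server -> client


def summarize(packets, interval=INTERVAL):
    """Aggregate packets into flows keyed by (interval, proto, server, client, server_port)."""
    flows = defaultdict(FlowStats)
    for ts, proto, sip, sport, dip, dport, plen in packets:
        bucket = int(ts // interval)
        client, server, server_port, up = classify(sip, sport, dip, dport)
        flows[(bucket, proto, server, client, server_port)].add(plen, up)
    return dict(flows)


def to_xml(flows, interval=INTERVAL):
    """Render the flow table as a single XML document string (element names assumed)."""
    root = ET.Element("flows")
    for (bucket, proto, server, client, server_port), st in sorted(flows.items()):
        ET.SubElement(root, "flow", {
            "interval_start": str(bucket * interval),
            "proto": proto,
            "server": server,
            "client": client,
            "port": str(server_port),
            "min_payload": str(st.min_payload),
            "max_payload": str(st.max_payload),
            "up_bytes": str(st.up_bytes),
            "up_pkts": str(st.up_pkts),
            "down_bytes": str(st.down_bytes),
            "down_pkts": str(st.down_pkts),
        })
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(summarize(SAMPLE_PACKETS)))
```

With the constructed input the two HTTP request/response pairs in the first interval collapse into one flow with two packets each way, the DNS exchange becomes a second flow, and the request at 65 seconds lands in a new interval bucket, which is the aggregation behaviour the message describes.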

I don't have write access to the CVS tree so of course I can't check it 
in. Is there any interest in including this in Snort? I would be 
happy to write a README for it, and to put a little more effort into 
configuration options, such as where the output goes.

Cheers,

Frank