[Snort-devel] Snort preprocessor to log flows

Chris Green cmg at ...81...
Wed Oct 17 13:06:23 EDT 2001


fhmiv at ...512... writes:

> Hi all,
>
> After looking around for a while and not being able to find anything
> that already does what I need in the open source world, I decided it
> would be pretty easy to implement as a preprocessor for Snort.
>
> My requirement was for a network traffic flow summarizer. I needed to
> summarize by time interval, server, client, port and protocol, how
> much traffic passed between each pair of hosts. It is similar to the
> various stream plugins, but is much lazier.

similar to ipaudit? http://ipaudit.sourceforge.net

I think stream4 is doing stats somewhat similar these days too

>
> First of all, it tracks by server ip, client ip, server port,
> protocol. Not tracking by client port greatly reduces the number of
> flows it needs to track so it is pretty fast.
>

[snip]

> Currently, it outputs XML to a plain text log file. I would like
> suggestions for leveraging the current output system, but since I'm
> tracking stats rather than packet/event logs or alerts, the generic
> snort output system doesn't quite fit.
>
> I don't have write access to the CVS tree so of course I can't check
> it in. Is there any interest in including this in Snort? I would
> be happy to write a README for it, and to put a little more effort
> into configuration options, such as where the output goes.

Post the source somewhere and I'll take a look at it ( though that
doesn't get you any closer to a CVS check in ) but I do find these
type of programs interesting ( almost wrote one until ipaudit came
along ).
-- 
Chris Green <cmg at ...81...>
To err is human, to moo bovine.
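The aggregation described in the quoted post, modelled as a stand-alone Python script (an added example, not the poster's preprocessor and not Snort code): packets are keyed by server IP, client IP, server port and protocol, so a new client port does not create a new flow; counts are bucketed by time interval; the result is emitted as XML. The packet records are constructed, and treating the lower-numbered port as the server side is an assumption the thread does not state.

```python
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed sample packets: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes).
PACKETS = [
    (0.5,  "10.0.0.5",   40001, "192.0.2.10", 80,    "tcp", 400),
    (0.9,  "192.0.2.10", 80,    "10.0.0.5",   40001, "tcp", 1500),  # reply direction
    (1.2,  "10.0.0.5",   40002, "192.0.2.10", 80,    "tcp", 350),   # new client port, same flow key
    (2.0,  "10.0.0.7",   5353,  "192.0.2.10", 53,    "udp", 70),
    (61.0, "10.0.0.5",   40003, "192.0.2.10", 80,    "tcp", 900),   # lands in the next interval
]

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Collapse a packet into (server_ip, client_ip, server_port, proto).
    Assumption: the endpoint with the lower port is the server; the client
    port is deliberately dropped, which is what keeps the flow table small."""
    if dst_port <= src_port:
        return (dst_ip, src_ip, dst_port, proto)
    return (src_ip, dst_ip, src_port, proto)

def summarize(packets, interval=60.0):
    """Return {interval_start: {flow_key: (packet_count, byte_count)}}."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, sip, sport, dip, dport, proto, nbytes in packets:
        bucket = int(ts // interval) * interval          # start of the time interval
        entry = table[bucket][flow_key(sip, sport, dip, dport, proto)]
        entry[0] += 1
        entry[1] += nbytes
    return {b: {k: tuple(v) for k, v in flows.items()} for b, flows in table.items()}

def to_xml(summary, interval=60.0):
    """Serialize a summary as XML, one <period> per interval, one <flow> per key."""
    root = ET.Element("flowsummary", interval=str(int(interval)))
    for start in sorted(summary):
        period = ET.SubElement(root, "period", start=str(int(start)))
        for (srv, cli, port, proto), (pkts, nbytes) in sorted(summary[start].items()):
            ET.SubElement(period, "flow", server=srv, client=cli, port=str(port),
                          proto=proto, packets=str(pkts), bytes=str(nbytes))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(to_xml(summarize(PACKETS)))
```

Three TCP connections from the same client to port 80 collapse into a single flow entry per interval, which is the size reduction the post attributes to ignoring the client port.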
