[Snort-devel] Re: No stats

Martin Roesch roesch at ...402...
Thu May 15 07:25:11 EDT 2003


Which stats are missing?

      -Marty

On Thursday, May 15, 2003, at 08:56 AM, Martin Olsson wrote:

> Why have all the nice information and statistics been removed from snort v2.0.0?
>
> When running 1.9.x in test-mode (-T), you got a lot of useful information about the snort-configuration. In v2.0.0 you get way less information, which is bad.
>
> Also, when you kill the snort process, v1.9.1 logged some nice statistics. In v2.0.0 they are all gone. This too is bad.
>
>
> Could we please have the stats back?
>
>
> v1.9.1:
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 0
>     Self preservation period: 0
>     Suspend threshold: 0
>     Suspend period: 0
> Stream4_reassemble config:
>     Server reassembly: ACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Ports: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
> http_decode arguments:
>     Unicode decoding
>     IIS alternate Unicode decoding
>     IIS double encoding vuln
>     Flip backslash to slash
>     Include additional whitespace separators
>     Ports to decode http on: 80
> telnet_decode arguments:
>     Ports to decode telnet on: 21 23 25 119
> Conversation Config:
>    KeepStats: 0
>    Conv Count: 32000
>    Timeout   : 60
>    Alert Odd?: 0
>    Allowed IP Protocols:  All
> Portscan2 config:
>     log: /snort/log/snort.portscan
>     scanners_max: 3200
>     targets_max: 5000
>     target_limit: 25
>     port_limit: 100
>     timeout: 60
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = sentor
> database: password is set
> database: database name = snort
> database:          host = 10.1.2.3
> database:   sensor name = sensor-08
> database:     sensor id = 11
> database: schema version = 106
> database: using the "log" facility
> 1195 Snort rules read...
> 1195 Option Chains linked into 127 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Rule application order: ->pass->activation->dynamic->alert->log->trapdb
>         --== Initialization Complete ==--
>
> v1.9.1 killed:
>  snort: Snort analyzed 668289 out of 677025 packets,
>  snort: dropping 8736(1.290%) packets
>  snort: Breakdown by protocol:                Action Stats:
>  snort:     TCP: 658135     (97.210%)         ALERTS: 15
>  snort:     UDP: 403        (0.060%)          LOGGED: 15
>  snort:    ICMP: 32         (0.005%)          PASSED: 29
>  snort:     ARP: 116        (0.017%)
>  snort:   EAPOL: 0          (0.000%)
>  snort:    IPv6: 0          (0.000%)
>  snort:     IPX: 0          (0.000%)
>  snort:   OTHER: 765        (0.113%)
>  snort: DISCARD: 0          (0.000%)
>  snort:  
> =======================================================================
>  snort: Wireless Stats:
>  snort: Breakdown by type:
>  snort:     Management Packets: 0          (0.000%)
>  snort:     Control Packets:    0          (0.000%)
>  snort:     Data Packets:       0          (0.000%)
>  snort:  
> =======================================================================
>  snort: Fragmentation Stats:
>  snort: Fragmented IP Packets: 0          (0.000%)
>  snort:     Fragment Trackers: 0
>  snort:    Rebuilt IP Packets: 0
>  snort:    Frag elements used: 0
>  snort: Discarded(incomplete): 0
>  snort:    Discarded(timeout): 0
>  snort:   Frag2 memory faults: 0
>  snort:  
> =======================================================================
>  snort: TCP Stream Reassembly Stats:
>  snort:         TCP Packets Used: 658135     (97.210%)
>  snort:          Stream Trackers: 294
>  snort:           Stream flushes: 191880
>  snort:            Segments used: 464605
>  snort:    Stream4 Memory Faults: 0
>  snort:  
> =======================================================================
>
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
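The line in the quoted 1.9.1 shutdown summary that an operator cares about most is the drop count: packets Snort dropped are traffic it never inspected, so a rising drop rate is a blind spot in the sensor. As an added example (not Snort code and not part of this thread), the following Python parses that legacy statistics block, recomputes the drop rate from the raw counters rather than trusting the printed percentage, and flags it against a threshold. The sample input is the quoted v1.9.1 output with the mail quote marker removed; the 1% threshold and the function names are assumptions.

```python
"""Parse Snort 1.9.x shutdown statistics and check the packet drop rate.

Added example, not Snort project code.  The SAMPLE text is the v1.9.1
shutdown output quoted in this thread with the mail '>' marker stripped.
The default threshold (max_drop_pct) is an assumption.
"""
import re

# Constructed sample: copied from the quoted v1.9.1 'killed' output above.
SAMPLE = """\
 snort: Snort analyzed 668289 out of 677025 packets,
 snort: dropping 8736(1.290%) packets
 snort: Breakdown by protocol:                Action Stats:
 snort:     TCP: 658135     (97.210%)         ALERTS: 15
 snort:     UDP: 403        (0.060%)          LOGGED: 15
 snort:    ICMP: 32         (0.005%)          PASSED: 29
 snort:     ARP: 116        (0.017%)
 snort:   EAPOL: 0          (0.000%)
 snort:    IPv6: 0          (0.000%)
 snort:     IPX: 0          (0.000%)
 snort:   OTHER: 765        (0.113%)
 snort: DISCARD: 0          (0.000%)
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROP_RE = re.compile(r"dropping (\d+)\((\d+\.\d+)%\) packets")
# Protocol rows: "snort:   TCP: 658135  (97.210%)" optionally followed by an
# action column such as "ALERTS: 15" on the same line.
PROTO_RE = re.compile(
    r"^\s*snort:\s+(\w+): (\d+)\s+\((\d+\.\d+)%\)(?:\s+(\w+): (\d+))?"
)


def parse_stats(text):
    """Return a dict with the packet counters, per-protocol and action stats."""
    stats = {"protocols": {}, "actions": {}}
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate pasted mail quoting
        m = ANALYZED_RE.search(line)
        if m:
            stats["analyzed"] = int(m.group(1))
            stats["received"] = int(m.group(2))
            continue
        m = DROP_RE.search(line)
        if m:
            stats["dropped"] = int(m.group(1))
            stats["dropped_pct_reported"] = float(m.group(2))
            continue
        m = PROTO_RE.match(line)
        if m:
            proto, count, pct = m.group(1), int(m.group(2)), float(m.group(3))
            stats["protocols"][proto] = (count, pct)
            if m.group(4):
                stats["actions"][m.group(4)] = int(m.group(5))
    return stats


def drop_rate(stats):
    """Drop rate in percent, recomputed from the raw counters."""
    received = stats.get("received", 0)
    if received == 0:
        return 0.0
    return 100.0 * stats.get("dropped", 0) / received


def check_consistency(stats, tolerance=0.001):
    """Cross-check the counters against each other and the printed percentage."""
    problems = []
    if stats["analyzed"] + stats["dropped"] != stats["received"]:
        problems.append("analyzed + dropped != received")
    if abs(drop_rate(stats) - stats["dropped_pct_reported"]) > tolerance:
        problems.append("reported drop percentage does not match counters")
    return problems


def needs_attention(stats, max_drop_pct=1.0):
    """True when the sensor dropped more than max_drop_pct of received traffic."""
    return drop_rate(stats) > max_drop_pct


if __name__ == "__main__":
    s = parse_stats(SAMPLE)
    print("drop rate: %.3f%%" % drop_rate(s))
    print("consistency problems:", check_consistency(s) or "none")
    print("needs attention:", needs_attention(s))
```

Recomputing the rate from the counters matters because the printed percentage is rounded to three decimals; with the quoted numbers (8736 dropped out of 677025 received) the recomputed value is about 1.2904%, which exceeds a 1% threshold.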