[Snort-devel] Snort IP Flow monitoring - Patch for writing to a file

Dheeraj Gupta dheeraj.gupta4 at ...2499...
Wed Dec 5 00:14:01 EST 2012


Hi,
I am using Snort-2.9.3.1. I tried to enable ip-flow monitoring with the
write to file option using the configuration
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt
1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv
flow-ip-memcap 10000000000 time 300

It worked but there was a slight problem - the IP flow statistics were
computed, but written to the file only at the end of Snort execution (at
Snort exit). Upon inspection of the source code, the file
src/preprocessors/perf-flow.c did not have an fflush() call in the
definition of the function 'static int WriteFlowIPStats(SFFLOW *sfFlow,
FILE *fp)'. I added an fflush(fp) at line 774 and recompiled Snort. The
flow IP monitoring is now working fine (output is correctly flushed to the
file at the end of the specified interval). I have enclosed a patch with this mail
which can be applied using
$ cd snort-2.9.3.1
Once you are inside the extracted snort folder
$ patch -p5 < snort_ip_flow.patch

I hope subsequent versions of snort will resolve this issue.

Regards,
Dheeraj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_ip_flow.patch
Type: application/octet-stream
Size: 451 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20121205/b31d336a/attachment.obj>
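The buffering behaviour the report describes, as an added C example that is not Snort's code or the attached patch: a constructed stand-in for the flow-stats writer is run once without and once with the fflush() the reporter added, and the file is stat()ed while the writer still holds it open, which is what an external consumer of the CSV would see between intervals. The flow record type, the row format and the sample addresses are assumptions, not Snort's SFFLOW or its real output format.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>

/* Stand-in for a per-IP-pair flow record; constructed, not Snort's own SFFLOW type. */
typedef struct { const char *src, *dst; unsigned long packets, bytes; } flow_entry_t;

/* The behaviour the report describes: rows land in the stdio buffer and do not
 * reach the file until the buffer fills or the FILE is closed at exit. */
static int write_flow_stats_unflushed(FILE *fp, const flow_entry_t *flows, size_t n)
{
    for (size_t i = 0; i < n; i++)
        fprintf(fp, "%lu,%s,%s,%lu,%lu\n", (unsigned long)time(NULL),
                flows[i].src, flows[i].dst, flows[i].packets, flows[i].bytes);
    return 0;
}

/* The fix: fflush() hands the interval's rows to the kernel right away, so a
 * consumer tailing the CSV sees them at the end of each interval, not at exit. */
static int write_flow_stats_flushed(FILE *fp, const flow_entry_t *flows, size_t n)
{
    write_flow_stats_unflushed(fp, flows, n);
    return fflush(fp) == 0 ? 0 : -1;
}

/* File size as an outside reader sees it while the writer still holds the FILE open. */
static long visible_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Writes two constructed flow rows to path, with or without the flush, and returns
 * how many bytes are on disk before fclose(): 0 unflushed, the full rows flushed. */
long bytes_visible_after_write(const char *path, int flush)
{
    static const flow_entry_t sample[] = {
        { "10.0.0.1", "10.0.0.2", 12, 1800 },
        { "10.0.0.3", "10.0.0.4", 3, 240 },
    };
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    if (flush) write_flow_stats_flushed(fp, sample, 2);
    else write_flow_stats_unflushed(fp, sample, 2);
    long n = visible_size(path);
    fclose(fp);
    return n;
}
```

Calling bytes_visible_after_write() with flush set to 0 returns 0 on a regular file because the two rows (well under the stdio buffer size) are still in the buffer; with flush set to 1 it returns the length of both rows.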