[Snort-devel] Snort IP Flow monitoring - Patch for writing to a file
twease at ...402...
Wed Dec 5 09:28:17 EST 2012
On Wed, Dec 5, 2012 at 12:14 AM, Dheeraj Gupta <dheeraj.gupta4 at ...2499...>wrote:
> I am using Snort-188.8.131.52. I tried to enable ip-flow monitoring with the
> write to file option using the configuration
> preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt
> 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv
> flow-ip-memcap 10000000000 time 300
> It worked but there was a slight problem - The IP flow statistics were
> computed, but written to the file only at the end of snort execution (At
> Snort exit). Upon inspection of the source code, the file
> src/preprocessors/perf-flow.c did not have an fflush() call in the
> definition of the function 'static int WriteFlowIPStats(SFFLOW *sfFlow,
> FILE *fp)'. I added an fflush(fp) at line 774 and recompiled snort. The
> flow IP monitoring is now working fine (Output is correctly flushed to a
> file at end of specified interval). I have enclosed a patch with this mail
> which can be applied using
> $ cd snort-184.108.40.206
> Once you are inside the extracted snort folder
> $ patch -p5 < snort_ip_flow.patch
> I hope subsequent versions of snort will resolve this issue.
Thanks for the patch. However, this has already been identified and fixed
and will be available in an upcoming snort release.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-devel