[Snort-devel] Snort IP Flow monitoring - Patch for writing to a file

Todd Wease twease at ...402...
Wed Dec 5 09:28:17 EST 2012


On Wed, Dec 5, 2012 at 12:14 AM, Dheeraj Gupta <dheeraj.gupta4 at ...2499...> wrote:

> Hi,
> I am using Snort-2.9.3.1. I tried to enable ip-flow monitoring with the
> write to file option using the configuration
> preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt
> 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv
> flow-ip-memcap 10000000000 time 300
>
> It worked but there was a slight problem - The IP flow statistics were
> computed, but written to the file only at the end of snort execution (At
> Snort exit). Upon inspection of the source code, the file
> src/preprocessors/perf-flow.c did not have an fflush() call in the
> definition of the function 'static int WriteFlowIPStats(SFFLOW *sfFlow,
> FILE *fp)'. I added an fflush(fp) at line 774 and recompiled snort. The
> flow IP monitoring is now working fine (Output is correctly flushed to a
> file at end of specified interval). I have enclosed a patch with this mail
> which can be applied using
> $ cd snort-2.9.3.1
> Once you are inside the extracted snort folder
> $ patch -p5 < snort_ip_flow.patch
>
> I hope subsequent versions of snort will resolve this issue.
>
> Regards,
> Dheeraj
>

Dheeraj,

Thanks for the patch.  However, this has already been identified and fixed
and will be available in an upcoming snort release.

Todd
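
The buffering behaviour discussed in this thread, as an added example that is not part of either message or of Snort's code: a stdio stream opened on a regular file is fully buffered, so small per-interval rows stay in the process until fflush() or fclose(). The function names, the /tmp paths and the CSV rows are constructed for illustration; the rows are not Snort's flow-ip format.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Bytes currently visible to other processes (tail, a log shipper, a SIEM). */
static long on_disk_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/*
 * Hypothetical stand-in for a per-interval stats writer. Emits one CSV row
 * per interval, optionally flushing after each row, and returns the on-disk
 * size observed after the last interval while the FILE is still open.
 */
static long write_intervals(const char *path, int intervals, int do_flush)
{
    FILE *fp = fopen(path, "w");
    long visible;
    int i;

    if (fp == NULL)
        return -1;
    for (i = 0; i < intervals; i++) {
        /* Constructed sample row: interval, src, dst, packets, bytes. */
        fprintf(fp, "%d,192.0.2.1,198.51.100.7,%d,%d\n", i, 10 * i, 20 * i);
        if (do_flush)
            fflush(fp);          /* hand the buffered row to the kernel now */
    }
    visible = on_disk_size(path); /* what a reader sees before process exit */
    fclose(fp);                   /* fclose() flushes whatever is left */
    remove(path);
    return visible;
}

int main(void)
{
    printf("without fflush: %ld bytes visible\n",
           write_intervals("/tmp/ipflow_demo_noflush.csv", 3, 0));
    printf("with fflush:    %ld bytes visible\n",
           write_intervals("/tmp/ipflow_demo_flush.csv", 3, 1));
    return 0;
}
```

For a sensor, the unflushed case also means the pending rows are lost if the process is killed before it exits cleanly.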