[Snort-devel] Snort init script `stats` function

Peter Gallagher gallagher.peter at gmail.com
Wed Aug 23 07:41:32 EDT 2017

Thinking about this further, there is a possibility that additional logs
could be interspersed between the snort output in the syslog. So it would
be prudent to increase the number of lines returned to be >147 in order to
mitigate against this (e.g. 200), this should allows us to capture all 148
lines of snort output.



On 23 August 2017 at 12:31, Peter Gallagher <gallagher.peter at gmail.com>

> The current `stats` function in the init.d script has been very unreliable
> for me, due to variations in the `startdate` variable recorded in the
> script and the timestamp when the log lines are actually written by snort.
> Accordingly I have modified my init script to use the following:
>     tac /var/log/messages | grep -m1 '*** Caught Dump Stats-Signal' -B147
> | tac | grep snort.*: | cut -d: -f4-
> This example of the basic `stats` function does the following:
> 1. Uses `tac` to reverse the order of `$SYSLOG`
> 2. Greps for the first occurrence of the snort stats start signature and
> includes an additional 147 lines of output
> 3. Reverses the order (again using `tac`) to return it to normal order
> 4. Filters out any non-snort lines
> I think this is a more reliable approach. The only risk is if the stats
> aren't dumped correctly it could return an earlier collection of
> statistics, however I feel this is highly unlikely.
> I looked for a public repository to provide a diff or pull request but
> could not find any.
> Please let me know if you think this is suitable for inclusion for future
> releases.
> Regards,
> Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20170823/54fbf4e4/attachment.html>

More information about the Snort-devel mailing list