[Snort-devel] Snort init script `stats` function

Bill Parker wp02855 at gmail.com
Wed Aug 23 13:04:47 EDT 2017


FYI,

    Syslog can rate limit information on snort startup and shutdown as
referenced in this document:

https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/025/original/snort-rate-limiting-rev1.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1503511439&Signature=nsnXimFvlZp%2Bm0XqdekPUaSyMDw%3D

or

https://www.snort.org/documents (under deployment guides).

Bill

On Wed, Aug 23, 2017 at 4:41 AM, Peter Gallagher via Snort-devel <
snort-devel at lists.snort.org> wrote:

> Thinking about this further, there is a possibility that additional logs
> could be interspersed between the snort output in the syslog. So it would
> be prudent to increase the number of lines returned to be >147 in order to
> mitigate against this (e.g. 200), this should allows us to capture all 148
> lines of snort output.
>
> Regards,
>
> Peter
>
> On 23 August 2017 at 12:31, Peter Gallagher <gallagher.peter at gmail.com>
> wrote:
>
>> The current `stats` function in the init.d script has been very
>> unreliable for me, due to variations in the `startdate` variable recorded
>> in the script and the timestamp when the log lines are actually written by
>> snort.
>>
>> Accordingly I have modified my init script to use the following:
>>
>>     tac /var/log/messages | grep -m1 '*** Caught Dump Stats-Signal' -B147
>> | tac | grep snort.*: | cut -d: -f4-
>>
>> This example of the basic `stats` function does the following:
>>
>> 1. Uses `tac` to reverse the order of `$SYSLOG`
>> 2. Greps for the first occurrence of the snort stats start signature and
>> includes an additional 147 lines of output
>> 3. Reverses the order (again using `tac`) to return it to normal order
>> 4. Filters out any non-snort lines
>>
>> I think this is a more reliable approach. The only risk is if the stats
>> aren't dumped correctly it could return an earlier collection of
>> statistics, however I feel this is highly unlikely.
>>
>> I looked for a public repository to provide a diff or pull request but
>> could not find any.
>>
>> Please let me know if you think this is suitable for inclusion for future
>> releases.
>>
>> Regards,
>>
>> Peter
>>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20170823/dfb0da3b/attachment.html>


More information about the Snort-devel mailing list