[Snort-users] Snort packet stats

BShinn at ...4086... BShinn at ...4086...
Thu May 16 21:51:02 EDT 2002

I set up swatch to run with the following command:

swatch -c /usr/local/swatch/swatch.snort -t /var/log/messages 

the contents of the swatch.snort config file look like this:

/Snort analyzed/                        echo
/The kernel dropped/                    echo

Sending kill -10 to snort yields the first two lines of the stats to swatch:

May 16 23:43:55 yourhost snort: Snort analyzed 4955 out of 4956 packets,
May 16 23:43:55 yourhost snort: The kernel dropped 0(0.000%) packets

I suppose you could echo them anywhere... in fact, since swatch allows you
to run almost anything based on particular content, I am sure you could pass
the data into MRTG, NetSaint, or MySQL... but clearly something more crafty
than echoing to the console.

I had to edit swatch.pl to change the default location of tail to match

This is not really off-topic since performance of the sensors is everything.
I am going to go back through the listserv (since I know this is not a new
topic) and try to find all the methods people are using to gather this info.
I need to justify faster sensors or more span sessions somehow.


-----Original Message-----
From: Ed McMan [mailto:edmcman at ...2893...] 
Sent: Thursday, May 16, 2002 10:48 PM
To: BShinn at ...4086...; bthaler at ...2720...;
snort-users at lists.sourceforge.net
Subject: Re: [despammed] RE: [Snort-users] Offtopic - Snort packet stats

Why not killall -10 snort
|Eddie J Schwartz <EdMcMan at ...2893...> http://www.m00.net|
|   AIM: The Cypher ICQ: 35576339 YHOO: edmcman2 MSN: ^^    |
| "We Trills have an expression--at forty, you think you    |
| know everything.  At four hundred, you realize you know   |
|         nothing." - Dax, Star Trek Deep Space 9           |
----- Original Message -----
From: <BShinn at ...4086...>
To: <bthaler at ...2720...>; <snort-users at lists.sourceforge.net>
Sent: Thursday, May 16, 2002 10:37 PM
Subject: [despammed] RE: [Snort-users] Offtopic - Snort packet stats

> Sending SIGUSR1 to snort will dump the stats to syslog while the program
> continues to run.
> While I am still learning how to do this...
> If one were to write a script that grabs the pid from snort, either from a
> pid file or from a grep of ps -A, then send kill -10 to that pid, snort
> will dump the running stats to syslog (/var/log/messages on my RH 7.2)....
> I also tried piping the output to a file as you did, but since it always
> dumps it to the syslog, not the terminal, I am thinking I need to parse
> somehow.
> -----Original Message-----
> From: bthaler at ...2720... [mailto:bthaler at ...2720...]
> Sent: Thursday, May 16, 2002 3:30 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Offtopic - Snort packet stats
> Sorry if this is a bit off topic, but:
> I'm using kill -30 on my OBSD-3.0 system to view the packet stats that
> generates.  I would like to take this output and mail it to an email address,
> but I'm having no luck.  Here is what I have tried so far:
> kill -30 xxxx | mail -s "Snort Packet Stats" email at ...5892...
> kill -30 xxxx > snortstat.txt
> kill -30 xxxx | tee snortstat.txt
> Funny thing is, these work fine for sending other commands to a file or
> such, but not "kill" for some reason.

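The thread's approach (signal snort, then read the stats back out of syslog) as an added example that is not part of the original posts: a parser that turns the two stats lines into one key=value record that could be fed to a grapher or mailed. The function names and the default pid file path are assumptions, and the sample log lines after the first two are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: turn Snort's syslog stats into key=value lines.

# Ask a running snort to log its counters. The signal name is portable: USR1 is
# number 10 on the poster's Red Hat box and 30 on the OpenBSD box in the thread.
# The pid file path is an assumption; pass the real one as $1.
request_stats() {
    kill -USR1 "$(cat "${1:-/var/run/snort.pid}")"
}

# stdin: syslog text. stdout: one line per stats dump.
parse_stats() {
    awk '
    /snort(\[[0-9]+\])?: Snort analyzed [0-9]+ out of [0-9]+ packets/ {
        for (i = 1; i < NF; i++) if ($i == "analyzed") { a = $(i + 1); s = $(i + 4) }
        ts = $1 " " $2 " " $3; have = 1; next
    }
    have && /snort(\[[0-9]+\])?: The kernel dropped [0-9]+\(/ {
        for (i = 1; i < NF; i++) if ($i == "dropped") d = $(i + 1)
        split(d, p, /[(%]/)          # "3290(3.596%)" -> p[1]=3290, p[2]=3.596
        printf "%s analyzed=%s seen=%s dropped=%s drop_pct=%s\n", ts, a, s, p[1], p[2]
        have = 0
    }'
}

# Keep only dumps whose kernel drop rate is above $1 percent (default 1).
high_drop() {
    parse_stats | awk -v max="${1:-1}" '{ split($NF, kv, "="); if (kv[2] + 0 > max + 0) print }'
}

# Sample input: the first two lines are quoted in the thread, the rest are constructed.
sample_log() {
    cat <<'EOF'
May 16 23:43:55 yourhost snort: Snort analyzed 4955 out of 4956 packets,
May 16 23:43:55 yourhost snort: The kernel dropped 0(0.000%) packets
May 17 00:14:01 yourhost crond[88]: (root) CMD (run-parts /etc/cron.hourly)
May 17 00:13:55 yourhost snort[412]: Snort analyzed 88210 out of 91500 packets,
May 17 00:13:55 yourhost snort[412]: The kernel dropped 3290(3.596%) packets
EOF
}

sample_log | parse_stats
```

Because kill itself writes nothing to stdout, the record has to come from the log file; the output of high_drop can then be piped to mail or appended to a file for graphing.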