[Snort-users] statistics that Snort can do

Terence Runge terencerunge at ...9090...
Tue Jun 17 00:14:24 EDT 2003


I had this saved with an older config, written originally by Sandro 
Poppi. I haven't tried this since 1.8.x, but it's worth a look.

#!/bin/bash
# Script to generate and extract snort statistics from syslog or given file
# generated after kill -USR1 <snort-pid>
#
# This script assumes that the pid is logged into the logfile!
# This can be obtained using  the following line in snort.conf:
# output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
#
# (c) Sandro Poppi 2001
# Released under GPL

echo "Starting gathering snort internal statistics. Please be patient..."

if [ "$1." == "." -o ! -e "$1" ] ; then
  # no or unexistent file given, using default
  log_file="/var/log/messages"

else
  # when using a non-standard logfile location make sure snort logs to this file
  # when sending signal USR1, else this script won't work!
  log_file="$1"
fi

# find out snort pids
snort_pid=`/sbin/pidof snort`

# get internal statistics for all snort processes
# not using killall to get already sorted output
for i in `echo $snort_pid` ; do
  kill -USR1 $i
 
  # sleep for 2 secs to let snort time to send statistics to syslog ;)
  sleep 2
done
 
# immediately restart snort after sending signal USR1
# this may be omitted when using a CVS version of snort after about 01.11.2001
# or any version from 1.8.2 or higher
/etc/rc.d/init.d/snortd restart

for i in `echo $snort_pid` ; do
  # process logfile

  filename=/var/log/snort/archive/snort.`date "+%Y-%m-%d"`.$i.log
   
  # check for existing file and rename it if existing
  if [ -e "$filename" ] ; then
    mv "$filename" "$filename.bak"
  fi
 
  egrep "snort\[$i\]:" $log_file > "$filename"
 
  # check if there are dropped packets using lines like
  # Oct 22 18:02:06 xbgh17183 snort[573]: dropping 0(0.000%) packets
  # field 7 (split on space or '(') is the dropped-packet count; count the
  # statistics lines where it is not 0, so that several dumps from the same
  # pid (multi-line awk output) do not trigger a false alarm
  if [ "`egrep "dropping" $filename | awk -F "[ (]" '{ print $7 }' | grep -vc '^0$'`" != "0" ] ; then
    echo "Snort's dropping packets!!! Take a look at the configuration and/or the system's performance!!!"
  fi
 
done

echo "Gathering snort internal statistics finished..."

Kreimendahl, Chad J wrote:

>of note...
>you appear to only be able to -USR1 a snort 1 time... it dies the second
>time you -USR1 it.  (my experience... on solaris...)
>
>There's also a semi-undocumented way to dump stats (perfstats) at
>selected intervals... I believe there is info in the snort.conf file
>about this.
>
>-----Original Message-----
>From: Erek Adams [mailto:erek at ...950...] 
>Sent: Monday, June 16, 2003 2:34 PM
>To: Francesco
>Cc: snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] statistics that Snort can do
>
>
>On Mon, 16 Jun 2003, Francesco wrote:
>
>>If and when you exit Snort, you can get a statistics report of some
>>significance.
>>The point is you only get them (including the package drop rate) when you
>>exit !
>>
>>I suppose it would be good the user could monitor these data anytime.
>>I looked at the command line but I find no option available for this purpose.
>>
>>Am I wrong? Any idea how to do that?
>>
>>Please do not say use Acid or something else.. I'd like to know if we can
>>get these info straight from Snort. At first.
>>
>
>	kill -USR1 <snort_pid>
>
>Will dump them into syslog.
>
>Cheers!
>
>-----
>Erek Adams
>
>   "When things get weird, the weird turn pro."   H.S. Thompson
>
>

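An added example, not part of the original post or of Sandro Poppi's script: it parses the per-pid "snort[<pid>]: dropping N(x%) packets" syslog lines that the script above greps for, summing the dropped-packet count per pid so that a pid which has dumped statistics more than once is handled correctly (the script's awk one-liner compares possibly multi-line output against "0"). The log lines, host name, pids and counts are constructed.

```shell
#!/bin/bash
# Constructed sample syslog extract (host, pids and counts are made up);
# the "dropping" line format is the one snort writes after SIGUSR1.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 16 14:30:01 sensor1 snort[573]: dropping 0(0.000%) packets
Jun 16 14:30:03 sensor1 snort[574]: dropping 12(0.004%) packets
Jun 16 14:40:01 sensor1 snort[573]: dropping 0(0.000%) packets
Jun 16 14:40:03 sensor1 snort[574]: dropping 31(0.010%) packets
Jun 16 14:40:05 sensor1 crond[900]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Print "<pid> <total_dropped> <dumps>" for every snort pid found in $1.
# Matching "snort[<pid>]: dropping <n>(" keeps other daemons' lines out
# and does not depend on a fixed field position in the syslog prefix.
drop_summary() {
  awk 'match($0, /snort\[[0-9]+\]: dropping [0-9]+\(/) {
         s = substr($0, RSTART, RLENGTH)
         sub(/^snort\[/, "", s)
         pid = s; sub(/\].*/, "", pid)          # "573"
         n = s;   sub(/.*dropping /, "", n); sub(/\(.*/, "", n)   # "0"
         drops[pid] += n; dumps[pid]++
       }
       END { for (p in drops) print p, drops[p], dumps[p] }' "$1" | sort -n
}

# Exit status 0 if pid $2 dropped any packets in log $1, 1 otherwise
# (also 1 when the pid never logged a statistics line).
pid_is_dropping() {
  local total
  total="$(drop_summary "$1" | awk -v p="$2" '$1 == p { print $2 }')"
  [ -n "$total" ] && [ "$total" -gt 0 ]
}

drop_summary "$SAMPLE_LOG"
```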