[Snort-users] Snort Statistics on Shutdown

Martin Roesch roesch at ...1935...
Thu Aug 5 11:12:04 EDT 2004


The only way it can be talking to stdout is if the daemon_flag isn't 
getting set and since you're going into daemon mode that can't be it.  
You aren't using the -q switch are you?

      -Marty

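void LogMessage(const char *format,...)
{
     char buf[STD_BUF+1];
     va_list ap;

     /* quiet mode suppresses output only when not running as a daemon */
     if(pv.quiet_flag && !pv.daemon_flag)
         return;

     va_start(ap, format);

     if(pv.daemon_flag)
     {
         /* daemon mode: format into buf and send it to syslog */
         vsnprintf(buf, STD_BUF, format, ap);
         syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf);
     }
     else
     {
         /* foreground: write straight to stderr */
         vfprintf(stderr, format, ap);
     }
     va_end(ap);
}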


On Aug 5, 2004, at 11:31 AM, sekure wrote:

> I think what happens is that Snort dumps those stats to stdout, at
> least that has been my experience.  So if Snort is running in daemon
> mode when it's killed, you don't get the stats in your syslog.
>
> On Thu, 5 Aug 2004 11:05:54 -0400, Martin Roesch 
> <roesch at ...1935...> wrote:
>> Hi Bill,
>>
>> I just checked the code and the DropStats() function is calling
>> LogMessage() to output its info so they should be somewhere in your
>> syslog files.  You aren't reading a pcap file in daemon mode, are you?
>>
>>      -Marty
>>
>>
>>
>> On Aug 4, 2004, at 11:59 PM, Bill Parker wrote:
>>
>>> Ok, now that I have the pig at version 2.1.3, I was curious about
>>> another thing.  I run snort in daemon mode and
>>> start/stop it with the init script provided (no problems at all), but
>>> I was under the impression that snort when it
>>> shuts down, should generate some stats as to how many packets were
>>> processed, etc.  I see the snort startup
>>> in /var/log/messages, should I not see stuff in there when it shuts
>>> down?
>>>
>>> Bill
>>>
>> --
>> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
>> Sourcefire: Intelligent Security Monitoring
>> roesch at ...1935... - http://www.sourcefire.com
>> Snort: Open Source Network IDS - http://www.snort.org
>>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
