[Snort-users] Snort Statistics on Shutdown

sekure sekure at ...11827...
Thu Aug 5 11:33:07 EDT 2004


snort -dvezoDi eth1 -c snort.conf -l logdir

I see the startup messages in /var/log/messages, but when I kill snort
(usually just a regular "kill snort_pid"), no final statistics get
sent to /var/log/messages.

I found this though in the snort-users archive:
http://marc.theaimsgroup.com/?l=snort-users&m=106901892101318&w=2
and
http://www.pantek.com/library/general/lists/snort.org/snort-devel/msg00522.html

Maybe it somehow never got merged back in....

Just so I am clear, we are talking about this type of output:

============================================================
Snort received 737 packets
    Analyzed: 736(99.864%)
    Dropped: 1(0.136%)
============================================================
Breakdown by protocol:
    TCP: 147        (19.946%)
    UDP: 0          (0.000%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
============================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
============================================================


On Thu, 5 Aug 2004 14:11:18 -0400, Martin Roesch <roesch at ...1935...> wrote:
> The only way it can be talking to stdout is if the daemon_flag isn't
> getting set and since you're going into daemon mode that can't be it.
> You aren't using the -q switch are you?
> 
>      -Marty
> 
> void LogMessage(const char *format,...)
> {
>     char buf[STD_BUF+1];
>     va_list ap;
> 
>     /* -q (quiet_flag) suppresses output, but only when not running as a daemon */
>     if(pv.quiet_flag && !pv.daemon_flag)
>         return;
> 
>     va_start(ap, format);
> 
>     if(pv.daemon_flag)
>     {
>         /* -D: format into buf and hand it to syslog, facility daemon, level notice */
>         vsnprintf(buf, STD_BUF, format, ap);
>         syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf);
>     }
>     else
>     {
>         /* foreground: straight to stderr */
>         vfprintf(stderr, format, ap);
>     }
>     va_end(ap);
> }
> 
> On Aug 5, 2004, at 11:31 AM, sekure wrote:
> 
> > I think what happens is that Snort dumps those stats to stdout, at
> > least that has been my experience.  So if Snort is running in daemon
> > mode when it's killed, you don't get the stats in your syslog.
> >
> > On Thu, 5 Aug 2004 11:05:54 -0400, Martin Roesch
> > <roesch at ...1935...> wrote:
> >> Hi Bill,
> >>
> >> I just checked the code and the DropStats() function is calling
> >> LogMessage() to output its info so they should be somewhere in your
> >> syslog files.  You aren't reading a pcap file in daemon mode, are you?
> >>
> >>      -Marty
> >>
> >>
> >>
> >> On Aug 4, 2004, at 11:59 PM, Bill Parker wrote:
> >>
> >>> Ok, now that I have the pig at version 2.1.3, I was curious about
> >>> another thing.  I run snort in daemon mode and
> >>> start/stop it with the init script provided (no problems at all), but
> >>> I was under the impression that snort, when it
> >>> shuts down, should generate some stats as to how many packets were
> >>> processed, etc.  I see the snort startup
> >>> in /var/log/messages, should I not see stuff in there when it shuts
> >>> down?
> >>>
> >>> Bill
> >>>
> >> --
> >> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> >> Sourcefire: Intelligent Security Monitoring
> >> roesch at ...1935... - http://www.sourcefire.com
> >> Snort: Open Source Network IDS - http://www.snort.org
> >>
> >>
> >
> >
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
> Sourcefire: Intelligent Security Monitoring
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
>
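The shutdown path this thread is about, written up as an added example (it is not Snort's code and not from anyone in the thread): a SIGTERM handler ends the capture loop, the counters are rendered in the layout of the stats block shown above, and the text is routed by the same quiet/daemon test as the LogMessage() Marty quoted. The identifiers pkt_counts, pick_sink, format_drop_stats, emit_message and the "snort-demo" syslog tag are this example's assumptions, and the counters are constructed to reproduce the figures in the post.

```c
/* Added example, not Snort's own code: a small model of the shutdown path
 * discussed in the thread.  A SIGTERM handler ends the wait loop, the
 * counters are rendered like the post's stats block, and the text is routed
 * by the same quiet/daemon decision as the quoted LogMessage().  Every
 * identifier here is this demo's assumption, not a Snort identifier. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

struct pkt_counts {
    unsigned long received, analyzed, dropped;
    unsigned long tcp, udp, icmp;
};

enum sink { SINK_NONE, SINK_SYSLOG, SINK_STDERR };

/* Decision table of the quoted LogMessage(): -q silences output only when
 * the process is not a daemon; with -D everything goes to syslog. */
enum sink pick_sink(int quiet_flag, int daemon_flag)
{
    if (quiet_flag && !daemon_flag)
        return SINK_NONE;
    return daemon_flag ? SINK_SYSLOG : SINK_STDERR;
}

/* Percentage as printed in the stats block: cnt/total*100, three decimals. */
static double pct(unsigned long cnt, unsigned long total)
{
    return total ? (double)cnt / (double)total * 100.0 : 0.0;
}

/* Render the shutdown block in the layout shown in the post.
 * Returns bytes written, or -1 if buf is too small. */
int format_drop_stats(const struct pkt_counts *c, char *buf, size_t len)
{
    int n = snprintf(buf, len,
        "============================================================\n"
        "Snort received %lu packets\n"
        "    Analyzed: %lu(%.3f%%)\n"
        "    Dropped: %lu(%.3f%%)\n"
        "============================================================\n"
        "Breakdown by protocol:\n"
        "    TCP: %-11lu(%.3f%%)\n"
        "    UDP: %-11lu(%.3f%%)\n"
        "   ICMP: %-11lu(%.3f%%)\n"
        "============================================================\n",
        c->received,
        c->analyzed, pct(c->analyzed, c->received),
        c->dropped, pct(c->dropped, c->received),
        c->tcp, pct(c->tcp, c->received),
        c->udp, pct(c->udp, c->received),
        c->icmp, pct(c->icmp, c->received));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Route a message as LogMessage() does: dropped, to syslog, or to stderr.
 * Syslog gets one record per line (this demo's choice: syslog daemons do
 * not preserve embedded newlines), i.e. one "tag[pid]: ..." entry per line. */
void emit_message(int quiet_flag, int daemon_flag, const char *msg)
{
    switch (pick_sink(quiet_flag, daemon_flag)) {
    case SINK_NONE:
        return;
    case SINK_STDERR:
        fputs(msg, stderr);
        return;
    case SINK_SYSLOG:
        for (const char *p = msg; *p; ) {
            const char *nl = strchr(p, '\n');
            size_t n = nl ? (size_t)(nl - p) : strlen(p);
            syslog(LOG_DAEMON | LOG_NOTICE, "%.*s", (int)n, p);
            p = nl ? nl + 1 : p + n;
        }
        return;
    }
}

static volatile sig_atomic_t got_signal = 0;
static void on_signal(int sig) { got_signal = sig; }

int main(int argc, char **argv)
{
    /* Constructed counters, chosen to reproduce the figures in the post. */
    struct pkt_counts c = { 737, 736, 1, 147, 0, 0 };
    int daemon_flag = (argc > 1 && strcmp(argv[1], "-D") == 0);
    char buf[1024];
    if (daemon_flag)
        openlog("snort-demo", LOG_PID, LOG_DAEMON);
    signal(SIGTERM, on_signal);
    while (!got_signal)
        pause();                 /* a plain "kill <pid>" ends the wait */
    if (format_drop_stats(&c, buf, sizeof buf) > 0)
        emit_message(0, daemon_flag, buf);
    return 0;
}
```

Build with cc -o snort-demo snort-demo.c, start it with ./snort-demo -D & and stop it with kill $!; the block then shows up in syslog under the snort-demo tag, one line per record, while without -D it lands on stderr. A plain kill sends SIGTERM, which a handler can catch; kill -9 (SIGKILL) cannot be caught, so no program will emit shutdown statistics after it. The pick_sink() table is also the answer to Marty's question about -q: in foreground mode it hides the block, in daemon mode it does not.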
