[Snort-users] preprocessor perfmonitor fields
alejandrorflores at ...11827...
Thu Mar 17 03:24:09 EST 2005
> I'm outputting perfmonitor to a file and I can't see any documentation as to
> what fields are what. Since it is to a file, the manual just says that not
> all fields are recorded (from the bulleted list above).
Excerpt from snort-2.3.0/src/preprocessors/perf-base.c:676
* Log Base Per Stats to File for Use by the MC
* unixtime(in secs since epoch)
* %pkts dropped
* Avg Bytes/Pkt
* %bytes pattern matched
* total-sessions open
* %user-cpu usage
* %sys-cpu usage
* %idle-cpu usage
> As per development, maybe the first field could simply be comma delimited
> field names, depending on the options set in snort.conf? I wouldn't mind
> sorting through a few of these if it outputted did this every time the
> service starts...but for now, is there a way I can tell what the values
You can't customize what will be outputed.
> btw, I'm using windows and Snort running as-is (no ACID, BASE, etc), so I'm
> not sure what console output would do...
As you're running on windows, running snort as a service, you can't
see the console output. If you run snort from a dos window, you'll se
the console output.
Log to mysql if you want to have a way to analise those alerts, and
use BASE to analise them.
More information about the Snort-users