[Snort-users] preprocessor perfmonitor fields

Alejandro Flores alejandrorflores at ...11827...
Thu Mar 17 03:24:09 EST 2005


Hey,

> I'm outputting perfmonitor to a file and I can't see any documentation as to
> what fields are what. Since it is to a file, the manual just says that not
> all fields are recorded (from the bulleted list above).

Excerpt from snort-2.3.0/src/preprocessors/perf-base.c:676
/*
 *
 *   Log Base Per Stats to File for Use by the MC
 *
 * unixtime(in secs since epoch)
 * %pkts dropped
 * mbits/sec
 * alerts/sec
 * K-Packets/Sec
 * Avg Bytes/Pkt
 * %bytes pattern matched
 * syns/sec
 * synacks/sec
 * new-sessions/sec
 * del-sessions/sec
 * total-sessions open
 * max-sessions
 * streamflushes/sec
 * streamfaults/sec
 * streamtimeouts
 * fragcompletes/sec
 * fraginserts/sec
 * fragdeletes/sec
 * fragflushes/sec
 * fragtimeouts
 * fragfaults
 * %user-cpu usage
 * %sys-cpu usage
 * %idle-cpu usage
 */


> As per development, maybe the first field could simply be comma delimited
> field names, depending on the options set in snort.conf? I wouldn't mind
> sorting through a few of these if it outputted did this every time the
> service starts...but for now, is there a way I can tell what the values
> represent?

You can't customize what will be outputed.

> btw, I'm using windows and Snort running as-is (no ACID, BASE, etc), so I'm
> not sure what console output would do...

As you're running on windows, running snort as a service, you can't
see the console output. If you run snort from a dos window, you'll se
the console output.
Log to mysql if you want to have a way to analise those alerts, and
use BASE to analise them.

Regards,
Alejandro Flores




More information about the Snort-users mailing list