[Snort-users] Broken Kill USR1 Statistics

Bill Parker dogbert at ...11664...
Thu Aug 24 10:26:45 EDT 2006


----- Original Message ----- 
From: "Colin Grady" <colin.grady at ...11827...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, August 24, 2006 6:59 AM
Subject: [Snort-users] Broken Kill USR1 Statistics


> I've been trying to gather some statistics from the Snort process by
> sending the USR1 kill signal, but I'm seeing some weird behavior. This
> is Snort 2.6.0.1.
>
> First time using kill -USR1:
> Aug 24 08:51:32 Sensor snort[24795]: *** Caught Usr-Signal
> Aug 24 08:51:32 Sensor snort[24795]: Snort received 7294740 packets
> Aug 24 08:51:32 Sensor snort[24795]:     Analyzed: 5628802(77.162%)
> Aug 24 08:51:32 Sensor snort[24795]:     Dropped: 1665920(22.837%)
> Aug 24 08:51:32 Sensor snort[24795]:     Outstanding: 18(0.000%)
>
> Second time using kill -USR1:
> Aug 24 08:51:40 Sensor snort[24795]: *** Caught Usr-Signal
> Aug 24 08:51:40 Sensor snort[24795]: Snort received 200871 packets
> Aug 24 08:51:40 Sensor snort[24795]:     Analyzed: 5829688(2902.205%)
> Aug 24 08:51:40 Sensor snort[24795]:     Dropped: 0(0.000%)
> Aug 24 08:51:40 Sensor snort[24795]:     Outstanding: 4289338479(2135369.750%)
>

Strange, but if the snort team included the configure command
--enable-timestats in 2.6.x (it's in 2.4.x), snort should produce
statistics every 60 minutes to where you are normally logging snort
stuff (usually /var/log/messages).

This works without having to use KILL -USR1 (which is why I wrote the code
in the first place) <shameless plug inserted here> :-)

Bill
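
An added example, not part of the original thread and not Snort's code: a consistency check over the two USR1 dumps quoted above, which flags a dump whose counters cannot be trusted. It assumes Outstanding is computed as received - analyzed - dropped (the first dump agrees: 7294740 - 5628802 - 1665920 = 18); the function names and the 32-bit wraparound test are this example's own.

```python
import re

# Syslog lines as quoted in the post above (wrapped Outstanding line rejoined).
SAMPLE = """\
Aug 24 08:51:32 Sensor snort[24795]: *** Caught Usr-Signal
Aug 24 08:51:32 Sensor snort[24795]: Snort received 7294740 packets
Aug 24 08:51:32 Sensor snort[24795]:     Analyzed: 5628802(77.162%)
Aug 24 08:51:32 Sensor snort[24795]:     Dropped: 1665920(22.837%)
Aug 24 08:51:32 Sensor snort[24795]:     Outstanding: 18(0.000%)
Aug 24 08:51:40 Sensor snort[24795]: *** Caught Usr-Signal
Aug 24 08:51:40 Sensor snort[24795]: Snort received 200871 packets
Aug 24 08:51:40 Sensor snort[24795]:     Analyzed: 5829688(2902.205%)
Aug 24 08:51:40 Sensor snort[24795]:     Dropped: 0(0.000%)
Aug 24 08:51:40 Sensor snort[24795]:     Outstanding: 4289338479(2135369.750%)
"""

FIELD = re.compile(
    r"snort\[\d+\]:\s+(?:Snort (received) (\d+) packets"
    r"|(Analyzed|Dropped|Outstanding):\s*(\d+)\()")

def parse_blocks(text):
    """Return one dict of counters per 'Caught Usr-Signal' dump."""
    blocks = []
    for line in text.splitlines():
        if "Caught Usr-Signal" in line:
            blocks.append({})
            continue
        m = FIELD.search(line)
        if m and blocks:
            key = (m.group(1) or m.group(3)).lower()
            blocks[-1][key] = int(m.group(2) or m.group(4))
    return blocks

def check(block):
    """Return the reasons a dump is inconsistent (empty list if it is sane)."""
    r, a, d, o = (block[k] for k in
                  ("received", "analyzed", "dropped", "outstanding"))
    problems = []
    if a > r:
        problems.append("analyzed exceeds received")
    if a + d + o != r:
        problems.append("counters do not sum to received")
    # Assumption: outstanding = received - analyzed - dropped, stored unsigned.
    if a + d > r and o == (r - a - d) % 2**32:
        problems.append("outstanding matches 32-bit unsigned wraparound")
    return problems

if __name__ == "__main__":
    for i, blk in enumerate(parse_blocks(SAMPLE), 1):
        print(i, blk, check(blk) or "consistent")
```

The first dump passes; the second is flagged on all three checks, so its percentages should not be fed into sensor drop-rate monitoring.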





