[Snort-users] Get reliable SnortSP drop statistics

Loïc Etienne loic.etienne at ...7615...
Wed May 13 08:52:31 EDT 2009


Hello guys,

I'm currently running snortsp beta 3 on a link with very high traffic 
(500-600mbits/s) and I have noticed something strange concerning the 
packet drop statistics.

We currently run the perfmonitor preprocessor with the following config:
    preprocessor perfmonitor: time 600 file /opt/snort/log/current/snort.stats pktcnt 100000

When looking at its output, it always reports a 0.000 packet drop ratio.

Examples:

    1242216008,0.000,598.942,0.005,87.934,853,68.964,556.730,526.659,906.033,295.431,3173088,3173088,144.991,0,250175,0.000,0.000,0.000,0.000,0.000,0.000,0,0,0,0,8,0.000,0.000,100.000,15.421,10.819,73.760,99.455,0.298,0.247,14.802,10.048,75.150,0.020,0.000,99.977,14.971,10.249,74.779,0.118,0.103,99.778,13.328,9.072,77.600,598.942,0.000,0.000,1.664,600.606,852,0,0,1434,853,87.790,0.000,0.000,0.145,87.934,52739772,0,0,0.000,0.000,0,0,3173088,715758,943715,1514173,233.324,87.807,416.650,0.000,0.000,0,0,0.000,0,0.000,
    (...)
    1242218389,0.000,530.755,0.000,77.491,858,74.349,505.810,483.263,928.088,177.573,450360,450360,106.160,0,153813,0.000,0.000,0.000,0.000,0.000,0.000,0,0,0,0,8,0.852,0.948,98.200,14.748,18.953,66.300,2.367,2.657,94.976,16.991,21.658,61.351,8.667,10.020,81.313,0.248,0.321,99.432,0.607,0.672,98.721,99.688,0.181,0.131,530.755,0.000,0.000,1.223,531.977,857,0,0,1439,858,77.385,0.000,0.000,0.106,77.491,46453551,0,0,0.000,0.000,0,0,450360,130207,169289,150880,283.355,50.508,256.326,0.000,0.000,0,0,0.000,0,0.000,


However, when I query the snortsp engine directly with eng.stats("e1") 
in the LUA shell, for example, I get the following:

    [*] ACTIVE data source s1 received 153960354 packets on eth2
          Analyzed: 70274715 (45.645%)
           Dropped: 83685639 (54.355%)
       Idle Cycles: 70274660
    [-] Ethernet Stats:
             Count: 70304420
    (...)

Do you see any reason why these two methods would report different 
numbers? Is the preprocessor printing another drop ratio than the engine?

Also, we have another snort instance running on a production server 
(daemon mode), and we would like to check the output of the eng.stats() 
command. According to the documentation, it is possible to use the 
snortsp_tool to interface directly with snortsp through a kernel socket. 
It works fine to issue commands to snort, but we are unable to redirect 
its output back to us. There is not much documentation on snortsp_tool 
out there, so maybe there is an easy way to do that?

Thanks in advance for your expertise!

Cheers,
Loïc Etienne
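The discrepancy described in the post can be checked automatically rather than by eye. The following script is an added example and is not code from the post, from Snort or from SnortSP. It parses the two perfmon CSV samples and the eng.stats("e1") block quoted above (both embedded here as constructed input), recomputes the drop ratio from the engine's raw counters rather than trusting the printed percentage, and flags any perfmon sample whose drop percentage disagrees with it. It assumes, since the post does not spell out the column layout, that in snort.stats the first field is the UNIX timestamp, the second the packet-drop percentage and the third the wire rate in Mbit/s, which is consistent with the values seen in the post (0.000 and roughly 530-600 Mbit/s).

```python
import re

# Constructed sample input: the two perfmon CSV lines quoted in the post,
# cut down to their first seven fields. Assumption (not stated in the post):
# field 1 is the UNIX timestamp, field 2 the packet-drop percentage and
# field 3 wire Mbit/s, which matches the values seen (0.000, ~530-600 Mbit/s).
PERFMON_LINES = [
    "1242216008,0.000,598.942,0.005,87.934,853,68.964",
    "1242218389,0.000,530.755,0.000,77.491,858,74.349",
]

# Constructed sample input: the eng.stats("e1") block quoted in the post.
ENGINE_STATS = """\
[*] ACTIVE data source s1 received 153960354 packets on eth2
      Analyzed: 70274715 (45.645%)
       Dropped: 83685639 (54.355%)
   Idle Cycles: 70274660
[-] Ethernet Stats:
         Count: 70304420
"""


def parse_perfmon(lines):
    """Return one dict per perfmon sample with timestamp, drop %, wire Mbit/s."""
    samples = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment line
        fields = line.split(",")
        samples.append({
            "time": int(fields[0]),
            "drop_pct": float(fields[1]),
            "wire_mbps": float(fields[2]),
        })
    return samples


def parse_engine_stats(text):
    """Extract received/analyzed/dropped counters from the eng.stats output."""
    recv = re.search(r"received (\d+) packets on (\S+)", text)
    analyzed = re.search(r"Analyzed:\s+(\d+)", text)
    dropped = re.search(r"Dropped:\s+(\d+)", text)
    if not (recv and analyzed and dropped):
        raise ValueError("unrecognised eng.stats output")
    stats = {
        "interface": recv.group(2),
        "received": int(recv.group(1)),
        "analyzed": int(analyzed.group(1)),
        "dropped": int(dropped.group(1)),
    }
    # Sanity check: the data source's received count should equal analyzed + dropped.
    stats["consistent"] = stats["analyzed"] + stats["dropped"] == stats["received"]
    return stats


def engine_drop_pct(stats):
    """Recompute the drop ratio from raw counters instead of trusting the printed %."""
    if stats["received"] == 0:
        return 0.0
    return 100.0 * stats["dropped"] / stats["received"]


def reconcile(perfmon_samples, engine_stats, tolerance_pct=1.0):
    """Flag perfmon samples whose drop % disagrees with the engine's counters."""
    engine_pct = engine_drop_pct(engine_stats)
    mismatches = []
    for s in perfmon_samples:
        if abs(s["drop_pct"] - engine_pct) > tolerance_pct:
            mismatches.append({
                "time": s["time"],
                "perfmon_drop_pct": s["drop_pct"],
                "engine_drop_pct": round(engine_pct, 3),
            })
    return mismatches


if __name__ == "__main__":
    samples = parse_perfmon(PERFMON_LINES)
    engine = parse_engine_stats(ENGINE_STATS)
    for m in reconcile(samples, engine):
        print(f"{m['time']}: perfmon says {m['perfmon_drop_pct']:.3f}% dropped, "
              f"engine counters give {m['engine_drop_pct']:.3f}%")
```

Run on the post's numbers, both perfmon samples are flagged: the engine counters give 54.355% dropped while perfmon reports 0.000%. One caveat when adapting this to a live sensor: eng.stats() counters are cumulative since the engine started, whereas each perfmon line covers one reporting interval (600 seconds in the post's config), so a fair comparison takes the difference between two successive eng.stats() snapshots rather than the running total.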

