[Snort-users] Get reliable SnortSP drop statistics
loic.etienne at ...7615...
Wed May 13 08:52:31 EDT 2009
I'm currently running snortsp beta 3 on a link with very high traffic
(500-600mbits/s) and I have noticed something strange concerning the
packet drop statistics.
We currently run the perfmonitor preprocessor with the following config:
preprocessor perfmonitor: time 600 file /opt/snort/log/current/snort.stats pktcnt 100000
When looking at its output, it always reports a 0.000 packet drop ratio.
However, when I query the snortsp engine directly with eng.stats("e1")
in the LUA shell, for example, I get the following:
[*] ACTIVE data source s1 received 153960354 packets on eth2
Analyzed: 70274715 (45.645%)
Dropped: 83685639 (54.355%)
Idle Cycles: 70274660
[-] Ethernet Stats:
Do you see any reason why these two methods would report different
numbers? Is the preprocessor printing another drop ratio than the engine?
Also, we have another snort instance running on a production server
(daemon mode), and we would like to check the output of the eng.stats()
command. According to the documentation, it is possible to use the
snortsp_tool to interface directly with snortsp through a kernel socket.
It works fine to issue commands to snort, but we are unable to redirect
its output back to us. There is not much documentation on snortsp_tool
out there, so maybe there is an easy way to do that?
Thanks in advance for your expertise!
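As an added, illustrative check (not code from the original post or from the SnortSP project): the engine counters quoted above can be parsed and reconciled mechanically, so that a perfmonitor-reported drop percentage can be compared against the ratio the engine itself implies. The sample text is the eng.stats("e1") block from the post, embedded here as a constructed input; the regular expressions, function names and the 0.5-point tolerance are assumptions for this example, not part of SnortSP.

```python
import re

# Constructed sample: the eng.stats("e1") output quoted in the post above.
ENG_STATS_SAMPLE = """\
[*] ACTIVE data source s1 received 153960354 packets on eth2
    Analyzed: 70274715 (45.645%)
    Dropped: 83685639 (54.355%)
    Idle Cycles: 70274660
[-] Ethernet Stats:
"""

# Assumed line shapes, derived only from the sample above.
SOURCE_RE = re.compile(r"data source (\S+) received (\d+) packets on (\S+)")
COUNTER_RE = re.compile(r"^\s*(Analyzed|Dropped|Idle Cycles):\s*(\d+)")


def parse_eng_stats(text):
    """Parse the data-source block of eng.stats() output into a dict.

    Keys: source, iface, received, analyzed, dropped, idle_cycles.
    Counters are returned as ints; the percentages printed by the engine
    are deliberately ignored so they can be recomputed and cross-checked.
    """
    stats = {}
    for line in text.splitlines():
        m = SOURCE_RE.search(line)
        if m:
            stats["source"] = m.group(1)
            stats["received"] = int(m.group(2))
            stats["iface"] = m.group(3)
            continue
        m = COUNTER_RE.match(line)
        if m:
            key = m.group(1).lower().replace(" ", "_")
            stats[key] = int(m.group(2))
    return stats


def counters_consistent(stats):
    """True when analyzed + dropped accounts for every received packet."""
    return stats["analyzed"] + stats["dropped"] == stats["received"]


def drop_ratio(stats):
    """Fraction of received packets the engine reports as dropped."""
    received = stats["received"]
    return stats["dropped"] / received if received else 0.0


def perfmon_agrees(stats, perfmon_drop_pct, tolerance_pct=0.5):
    """Compare a perfmonitor-reported drop percentage with the engine's.

    tolerance_pct is an assumed slack to absorb the two counters being
    sampled at slightly different moments.
    """
    engine_pct = 100.0 * drop_ratio(stats)
    return abs(engine_pct - perfmon_drop_pct) <= tolerance_pct


if __name__ == "__main__":
    s = parse_eng_stats(ENG_STATS_SAMPLE)
    print(f"{s['source']} on {s['iface']}: received={s['received']} "
          f"analyzed={s['analyzed']} dropped={s['dropped']} "
          f"consistent={counters_consistent(s)}")
    print(f"engine drop ratio: {100.0 * drop_ratio(s):.3f}%")
    # The perfmonitor value from the post (0.000) disagrees with the engine.
    print("perfmonitor 0.000% agrees with engine:", perfmon_agrees(s, 0.0))
```

Running this on the quoted block confirms that analyzed + dropped equals the received count and that the engine's own 54.355% figure is reproduced from the raw counters, so the 0.000 perfmonitor value is not a rounding artefact of the same numbers.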