[Snort-users] Get reliable SnortSP drop statistics
rcombs at ...1935...
Wed May 13 12:05:16 EDT 2009
On both issues, that is how SnortSP works at present ...
The drop count is maintained on the engine side and doesn't get reported by
the Snort analytic, which always reports zero. Depending on how SnortSP is
configured, eg with multiple load-balanced Snort analytics, it really
doesn't make sense for the analytics to output drop counts. That may be
removed in the future but was left in for overall compatibility.
Also, when using the tool to control SnortSP via socket, the responses are
not yet routed back over the socket, but instead go to syslog or whatever as
configured. That is work still to be done.
Thanks for pointing these issues out. I'll try to get those into the README
before the next release.
On Wed, May 13, 2009 at 8:52 AM, Loïc Etienne <loic.etienne at ...7615...> wrote:
> Hello guys,
> I'm currently running snortsp beta 3 on a link with very high traffic
> (500-600mbits/s) and I have noticed something strange concerning the packet
> drop statistics.
> We currently run the perfmonitor preprocessor with the following config:
> preprocessor perfmonitor: time 600 file /opt/snort/log/current/snort.stats
> pktcnt 100000
> When looking at its output, it always report 0.000 packet drop ratio
> However, when I query directly the snortsp engine with eng.stats("e1") in
> the LUA shell for example, I get the following:
> [*] ACTIVE data source s1 received 153960354 packets on eth2
> Analyzed: 70274715 (45.645%)
> Dropped: 83685639 (54.355%)
> Idle Cycles: 70274660
> [-] Ethernet Stats:
> Count: 70304420
> Do you see any reason why these two methods would report different numbers?
> Is the preprocessor printing another drop ratio than the engine?
> Also, we have another snort instance running on a production server (deamon
> mode), and we would like to check the output of the eng.stats() command.
> According to the documentation, it is possible to use the snortsp_tool to
> interface directly with snortsp through a kernel socket. It works fine to
> issue commands to snort, but we are unable to redirect it's output back to
> us. There is not much documentation on snortsp_tool out there, so maybe
> there is an easy way to do that?
> Thanks in advance for your expertise !
> Loïc Etienne
> The NEW KODAK i700 Series Scanners deliver under ANY circumstances! Your
> production scanning environment may not be a perfect world - but thanks to
> Kodak, there's a perfect scanner to get the job done! With the NEW KODAK
> Series Scanner you'll get full speed at 300 dpi even with all image
> processing features enabled. http://p.sf.net/sfu/kodak-com
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users