[Snort-users] Performance Monitor Graphing Tool

Jason Wallace jason.r.wallace at ...11827...
Fri Sep 3 12:31:12 EDT 2010


> I think a snort-specific tool is the wrong way to do this.

Yes and No...

If you do not have a snort specific tool then each monitoring system
needs to have its own tool/agent or you need to roll your own, and so
far that has not worked out very well. Also, people then do not have a
single point of reference to turn to if they have problems. Instead
they have to look for help from people using snort in combination with
their monitoring tool. That reduces their support base. It is pretty
frustrating to post a snort related question to another project's
forum/mailing list and get 15 "sorry I'm not using snort" replies and
one "it is working great on my snort 2.4.1 box" reply.

That said, the problem with a snort specific tool is that folks begin
to rely heavily on these tools, but these things have a bad habit of
falling to the wayside as developers move on to other things, as has
happened with barnyard1, pmgraph, oinkmaster, ACID... and so on.
Alternatives/forks tend to come along to replace dead projects, but
there is usually a long painful period of time between the old and
new, and that pain is amplified the more sensors you have.

There are a ton of open-source and commercial monitoring software...

http://en.wikipedia.org/wiki/Comparison_of_network_monitoring_systems

But the one thing that 99% of them have in common is... the ability to
collect SNMP data. And most of them support alerting on SNMP data via
traps or some other built-in alerting function. If you truly want a
system agnostic and universal method of collecting snort performance
data, then snort needs to have the option to be built with SNMP
support and a snort MIB needs to be created.

I would much rather see upstream development cycles spent on
integrated SNMP support, that would universally bring value to both
the open-source project and the commercial product, than on a one off
snort specific tool that could be here today, gone tomorrow.

Wally



On Fri, Sep 3, 2010 at 9:54 AM, Mike Lococo <mikelococo at ...11827...> wrote:
> On 09/02/2010 02:46 PM, Greg Lane wrote:
>> Does anybody have a good location to obtain a good perfmonitor graph tool
>> for snort?  Every link that I have tried doesn't seem to work and
>> nothing is available.
>
> I think a snort-specific tool is the wrong way to do this.  You have
> interesting trendable data all over the place, and for a (relatively)
> small amount of additional effort you can deploy a general purpose tool
> instead.  The big open-source players in the space are:
>
> 1) Nagios + some graphing framework: Huge user-base and module-list, but
> no integrated graphing and probably the worst learning curve.
> 2) Zabbix: This is what I use.  It's not perfect, was very easy to set
> up, has excellent integrated graphing, and can collect almost any kind
> of data with very little configuration (snmp, agent with support for
> custom monitoring items, and various server-side pings).
> 3) Zenoss: I haven't used, but I gather it's quite flexible and fairly
> easy to use.
>
> There are lots of other tools, but these are the three that ended up on
> my short-list due to flexibility and robustness. They can all collect
> data in a variety of ways, can collect custom-data that you define, can
> graph the data (or have well-documented howtos on integrating with
> external graphic packages), and allow you to define criteria for events
> and notifications.  They can also all scale from a few boxes to many
> many thousands (I started running Zabbix when I had about a dozen boxes
> and the effort/reward tradeoff was immediately beneficial).
>
> With my Zabbix setup, I have a single screen that shows the following
> data for all my snort sensors:
>
>  * Bandwidth at my taps (snmp)
>  * Bandwidth to my snort processes (agent custom item)
>  * Received/dropped packets for snort (agent custom item)
>  * stream/frag stats (agent custom item)
>  * CPU usage of various types (agent built-in item)
>  * RAM usage of various types (agent built-in item)
>  * Disk I/O activity in bytes and in iops (agent built-in item)
>  * Free disk space (agent built-in item)
>  * A list of the top-5 process-names that are using CPU-time (I
>    can't wait for iotop to work on RHEL so I can get this list
>    for io-consumers as well, this is an agent custom item).
>  * Other stuff I can't remember
>
> Since I set this up, I haven't run into a performance anomaly that I
> couldn't troubleshoot promptly.  Regardless of whether I observe the
> event in real-time, I have all the data I need to do evidence-based
> troubleshooting.  Snort-specific tools get you less than half-way there
> because there are so many potential failure points outside the snort
> process.
>
> I already outlined how I pull the snort perfmon data into zabbix a few
> days ago in a thread titled "A few questions about Solaris", it's quite
> straightforward.
>
> Cheers,
> Mike Lococo
>
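As an added example, not code from the thread or from either project: a small agent-side script of the kind Mike's "agent custom item" for received/dropped packets implies, which reads Snort's perfmonitor stats file and returns the newest value of one column, plus the server-side trigger logic for a dropped-packet threshold. The sample stats content, column names, file layout (a `#` header line followed by CSV rows) and the 1% threshold are constructed assumptions for illustration.

```python
"""Expose Snort perfmonitor stats to a general-purpose monitor (added example)."""
import csv
import io
import sys

# Constructed sample of a Snort perfmonitor output file (snort.stats style):
# a '#'-prefixed header naming the columns, then one CSV row per interval.
# Column names and values are assumed for illustration; real files vary by version.
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second,total_packets
1283524800,0.012,412.7,3.2,10523311
1283525100,0.031,455.1,4.8,10834002
1283525400,7.540,913.9,1.1,11240877
"""


def parse_perfmon(text):
    """Return the perfmon rows as dicts keyed by the header column names.

    The header is the line starting with '#'; data rows are plain CSV.
    Values become floats so the monitor can graph and threshold them;
    a short row yields NaN for its missing columns instead of crashing.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if ln.startswith("#"))
    fields = header.lstrip("#").strip().split(",")
    rows = [ln for ln in lines if not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(rows)), fieldnames=fields, restval="")
    return [{k: (float(v) if v else float("nan")) for k, v in row.items()} for row in reader]


def latest_item(text, key):
    """What an agent custom item prints for one metric: the newest interval's value."""
    records = parse_perfmon(text)
    if not records or key not in records[-1]:
        return None  # unknown column: let the monitor mark the item unsupported
    return records[-1][key]


def drop_alert(text, max_drop_percent=1.0):
    """Server-side trigger: True when the newest interval drops packets above threshold."""
    value = latest_item(text, "pkt_drop_percent")
    return value is not None and value > max_drop_percent


if __name__ == "__main__":
    # Usage: the agent calls this with a metric name and reads one value from stdout.
    key = sys.argv[1] if len(sys.argv) > 1 else "pkt_drop_percent"
    print(latest_item(SAMPLE_STATS, key))
```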
