[Snort-users] Snort PerfMonitor - IP-Flow behaviour

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Tue Dec 4 06:56:07 EST 2012


Hi,
I am trying to use snort's perfmonitor pre-processor to find out traffic
flowing between IP pairs.
Earlier I configured the perfmonitor to log everything to a file using:

`preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000 max_file_size 100000`

And it worked fine. Stats were written after every 300 seconds (or thereabouts).

Now I need the ip-flow info in a separate file. So I use the following line:

`preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv flow-ip-memcap 10000000000`

Again the snort.stats file gets populated normally, but the ipflow.csv file
only updates when snort is stopped.
I think the manual clearly states that "These statistics are printed and
reset at the end of each interval.", so why are the IP Flow stats not
printed at the end of each interval? Am I doing something wrong?

Thanks
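The symptom described in the post (one perfmonitor output file refreshed every interval, the other only written at shutdown) is easy to miss unless something watches the output files. The following script is an added example, not code from the post or from the Snort project: it parses the poster's `preprocessor perfmonitor:` line for the `time` interval and the `file` / `flow-ip-file` paths, then flags any output file whose modification time is older than the interval. The set of value-taking option names is built only from the options on the poster's line (extend it from the Snort manual for other options), and the `slack` tolerance of two intervals is an assumed choice.

```python
"""Check whether Snort perfmonitor output files are being refreshed each interval.

Added example, not part of the original post or of Snort. It parses a
`preprocessor perfmonitor:` line and reports output files that have not been
written within slack * `time` seconds, which is the behaviour the post describes
for the flow-ip file.
"""
import os
import shlex
import time

# Assumption: options that take a value, taken from the poster's line only.
# Extend this set with other value-taking options from the Snort manual;
# anything not listed here is treated as a bare flag (for example flow-ip).
VALUE_OPTIONS = {"time", "file", "pktcnt", "max_file_size",
                 "flow-ip-file", "flow-ip-memcap"}

# Output files named on the poster's line; each should be rewritten every `time` seconds.
OUTPUT_KEYS = ("file", "flow-ip-file")


def parse_perfmonitor(line):
    """Parse a `preprocessor perfmonitor: ...` snort.conf line into a dict.

    Value-taking options map to their string value, bare flags map to True.
    Backslash line continuations are joined before tokenising.
    """
    prefix = "preprocessor perfmonitor:"
    body = line.strip()
    if not body.startswith(prefix):
        raise ValueError("not a perfmonitor preprocessor line")
    tokens = shlex.split(body[len(prefix):].replace("\\\n", " "))
    cfg = {}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key in VALUE_OPTIONS:
            if i + 1 >= len(tokens):
                raise ValueError(f"option {key} is missing its value")
            cfg[key] = tokens[i + 1]
            i += 2
        else:
            cfg[key] = True
            i += 1
    return cfg


def classify_outputs(cfg, mtimes, now, slack=2.0):
    """Classify each configured output file as 'fresh', 'stale' or 'missing'.

    mtimes maps path -> last modification time (epoch seconds), or None when
    the file does not exist. A file is stale when it has not been written for
    more than slack * interval seconds; slack=2.0 (an assumed tolerance)
    forgives a single late write. `time` must be set explicitly in cfg.
    """
    interval = int(cfg["time"])
    limit = slack * interval
    result = {}
    for key in OUTPUT_KEYS:
        path = cfg.get(key)
        if not path:
            continue
        mtime = mtimes.get(path)
        if mtime is None:
            result[path] = "missing"
        elif now - mtime > limit:
            result[path] = "stale"
        else:
            result[path] = "fresh"
    return result


def check_outputs(cfg, slack=2.0):
    """Live wrapper: stat the configured output files on this host and classify them."""
    mtimes = {}
    for key in OUTPUT_KEYS:
        path = cfg.get(key)
        if path:
            mtimes[path] = os.path.getmtime(path) if os.path.exists(path) else None
    return classify_outputs(cfg, mtimes, time.time(), slack)


if __name__ == "__main__":
    # The poster's configuration line, joined onto a single line.
    LINE = ("preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats "
            "pktcnt 1000 max_file_size 100000 flow-ip "
            "flow-ip-file /var/log/snort/ipflow.csv flow-ip-memcap 10000000000")
    for path, state in check_outputs(parse_perfmonitor(LINE)).items():
        print(f"{state:8s} {path}")
```

Run it from cron at roughly the perfmonitor interval on the sensor; a persistent `stale` for ipflow.csv while snort.stats stays `fresh` reproduces the condition in the post and is worth alerting on, since it means the per-interval flow-ip data is not being flushed.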

