[Snort-users] Snort PerfMonitor - IP-Flow behaviour

elof at ...6680...
Tue Dec 4 07:52:17 EST 2012


Not an answer, but...

If you don't actually need snort but rather only need lots of flow stats, 
I recommend you take a look at Argus (http://www.qosient.com/argus/).

/Elof


On Tue, 4 Dec 2012, Dheeraj Gupta wrote:

> Hi,
> I am trying to use snort's perfmonitor pre-processor to find out traffic
> flowing between IP pairs.
> Earlier I configured the perfmonitor to log everything to a file using
>
> `preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt
> 1000 max_file_size 100000`
>
> And it worked fine. Stats were written after every 300 seconds (or
> thereabout)
>
> Now I need the ip-flow info in a separate file. So I use the following line
>
> `preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt
> 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv
> flow-ip-memcap 10000000000`
>
> Again the snort.stats file gets populated normally, but the ipflow.csv file
> only updates when snort is stopped.
> I think the manual clearly states that "These statistics are printed and
> reset at the end of each interval.", so why are the IP Flow stats not
> printed at the end of each interval? Am I doing something wrong?
>
> Thanks
>
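The question above is really about verifying that perfmonitor's output files are refreshed every `time` seconds rather than only at shutdown. The script below is an added example, not code from this thread or from the Snort project: it parses a `preprocessor perfmonitor:` line, works out which files Snort should be writing (`file`, `flow-ip-file`, `flow-file`), and reports any that have not been modified within a tolerance of the configured interval. The option keyword tables and the 60-second default for `time` are what I recall from the Snort 2.9 manual and should be checked against the manual for your version; the path and timestamp values in the test are constructed.

```python
"""Sanity-check a Snort perfmonitor line and whether its output files
are actually being refreshed at the configured interval.

Added example; not from the mailing-list thread or from the Snort project.
The keyword sets below are the perfmonitor options I recall from the
Snort 2.9 manual (assumption: verify against the manual for your version).
"""
import os
import time

# Options that take one argument.
VALUED = {"time", "file", "pktcnt", "max_file_size",
          "flow-ip-file", "flow-ip-memcap", "flow-file"}
# Options that stand alone.
FLAGS = {"flow", "events", "max", "console", "accumulate", "reset", "flow-ip"}


def parse_perfmonitor(line):
    """Turn 'preprocessor perfmonitor: time 300 file ... flow-ip ...' into a dict.

    Flags map to True; valued options map to their (string) argument.
    Raises ValueError on an unknown keyword or a missing argument.
    """
    head, sep, body = line.strip().partition(":")
    if head.split() != ["preprocessor", "perfmonitor"] or not sep:
        raise ValueError("not a perfmonitor line: %r" % line)
    tokens = body.split()
    cfg = {}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key in FLAGS:
            cfg[key] = True
            i += 1
        elif key in VALUED:
            if i + 1 >= len(tokens):
                raise ValueError("option %s needs an argument" % key)
            cfg[key] = tokens[i + 1]
            i += 2
        else:
            raise ValueError("unknown perfmonitor option: %s" % key)
    return cfg


def output_files(cfg):
    """Files perfmonitor should be writing, given the parsed config."""
    files = []
    if "file" in cfg:
        files.append(cfg["file"])
    # flow-ip-file only matters when flow-ip tracking is switched on.
    if cfg.get("flow-ip") and "flow-ip-file" in cfg:
        files.append(cfg["flow-ip-file"])
    if "flow-file" in cfg:
        files.append(cfg["flow-file"])
    return files


def stale_outputs(cfg, mtimes, now, tolerance=2.0):
    """Return output files whose last write is older than
    tolerance * the configured `time` interval (60 s assumed as the default).

    `mtimes` maps path -> last-modified epoch seconds, or None if the file
    is missing, so the logic can be exercised without touching the filesystem.
    """
    interval = int(cfg.get("time", 60))
    limit = tolerance * interval
    stale = []
    for path in output_files(cfg):
        mtime = mtimes.get(path)
        if mtime is None or now - mtime > limit:
            stale.append(path)
    return stale


def check_on_disk(cfg, now=None, tolerance=2.0):
    """Same check against real files (a missing file is reported as stale)."""
    mtimes = {p: (os.path.getmtime(p) if os.path.exists(p) else None)
              for p in output_files(cfg)}
    return stale_outputs(cfg, mtimes, time.time() if now is None else now, tolerance)


if __name__ == "__main__":
    # The line from the thread, which names two output files.
    cfg = parse_perfmonitor(
        "preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats "
        "pktcnt 1000 max_file_size 100000 flow-ip "
        "flow-ip-file /var/log/snort/ipflow.csv flow-ip-memcap 10000000000")
    for path in check_on_disk(cfg):
        print("not refreshed within 2 x %ss: %s" % (cfg["time"], path))
```

Run it from cron at a multiple of the `time` interval; with the configuration from the thread it would flag `ipflow.csv` and stay quiet about `snort.stats`, which is exactly the symptom being described, and the same check catches a Snort that has stopped writing stats altogether.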



