[Snort-users] Snort PerfMonitor - IP-Flow behaviour

Dheeraj Gupta dheeraj.gupta4 at ...11827...
Tue Dec 4 09:55:21 EST 2012


Well it is the other way round - I need snort but some flow monitoring
would be nice too ;)
Anyways I'll surely look into the tool

Thanks


On Tue, Dec 4, 2012 at 6:22 PM, <elof at ...6680...> wrote:

>
> Not an answer, but...
>
> If you don't actually need snort but rather only need lots of flow stats,
> I recommend you take a look at Argus (http://www.qosient.com/argus/).
>
> /Elof
>
>
>
> On Tue, 4 Dec 2012, Dheeraj Gupta wrote:
>
>> Hi,
>> I am trying to use snort's perfmonitor pre-processor to find out traffic
>> flowing between IP pairs.
>> Earlier I configured the perfmonitor to log everything to a file using
>>
>> `preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000 max_file_size 100000`
>>
>> And it worked fine. Stats were written after every 300 seconds (or
>> thereabout)
>>
>> Now I need the ip-flow info in a separate file. So I use the following
>> line
>>
>> `preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 1000 max_file_size 100000 flow-ip flow-ip-file /var/log/snort/ipflow.csv flow-ip-memcap 10000000000`
>>
>> Again the snort.stats file gets populated normally, but the ipflow.csv file
>> only updates when snort is stopped.
>> I think the manual clearly states that "These statistics are printed and
>> reset at the end of each interval.", so why are the IP Flow stats not
>> printed at the end of each interval? Am I doing something wrong?
>>
>> Thanks
>>
>>