[Snort-users] Periodic save rule profiling logs

waldo kitty wkitty42 at ...14940...
Mon Dec 23 14:27:09 EST 2013


On 12/23/2013 7:39 AM, Kiryukhin Andrey wrote:
> Hi. Who knows if there is a function for periodically saving rule profiling
> logs to a file? In the docs I found only how to get those logs after snort
> exits, but in my case I use snort as a daemon and want to get them in process.

you need to be more specific with your term "rule profiling"...

snort can be configured to write a profile log every X minutes... this can also 
be done for every Y kbytes of traffic... the two can be combined so that the 
entry is not written if there's been no or not enough traffic to warrant writing 
the entry...

BUT the above is not for per rule or preprocessor profiling... for those i 
schedule triggering snort with SIG* (eg: SIGHUP)... if your snort has been 
compiled with the option to do so, one of the SIG* signals will cause these 
profiling logs to be written... IIRC, you want to have snort name them with the 
trailing xxxxxxxxxxxx naming format in the same way that the default PCAP 
snort.log.xxxxxxxxxxxx files are named...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
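
Added example, not part of the original message: a snort.conf fragment for the two mechanisms the reply describes, the periodic performance log and the per-rule and per-preprocessor profile files. It assumes Snort 2.9.x built with performance profiling; the paths, interval and packet count are sample values, and the signal used to trigger a dump is not shown because the message does not name one definitively.

```conf
# Constructed snort.conf fragment (Snort 2.9.x); all paths and numbers are sample values.

# Periodic performance statistics: an entry is written every 300 seconds,
# but only once at least 10000 packets have been processed since the last
# entry, so idle periods do not produce entries.
preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000

# Per-rule and per-preprocessor profiling. These directives only take effect
# in a build configured with --enable-perfprofiling.
# With "filename" and no "append" keyword, each dump is written to a new file
# in the log directory with a timestamp added to the name, in the same style
# as the snort.log.<timestamp> files.
config profile_rules: print all, sort avg_ticks, filename rules_stats.txt
config profile_preprocs: print all, sort avg_ticks, filename preprocs_stats.txt
```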



