[Snort-users] snort.stats key-value mapping

Juan Jesus Prieto jjprieto at ...16842...
Mon Apr 6 04:14:09 EDT 2015


Hi Karolis,

  The manual is out-of-date at this point. I use scripting to
dynamically map these pairs. For example:


# declare -A v; \
keys=( $(head /var/log/snort/snort.stats -n2 | tail -n1 | sed 's/^#//' | tr ',' ' ') ); \
count=0; \
for n in $(tail /var/log/snort/snort.stats -n1 | tr ',' ' '); do \
   v[${keys[$count]}]=$n; \
   count=$(($count+1)); \
   done; \
echo "stream5_mem_in_use: ${v['stream5_mem_in_use']}"; \
echo "curr_tcp_sessions_established: ${v['curr_tcp_sessions_established']}"
stream5_mem_in_use: 13950060
curr_tcp_sessions_established: 5195



This small script maps all key/value pairs into a hash (named 'v')
and presents the last values from the stats file (stream5_mem_in_use and
curr_tcp_sessions_established in this example).

Another option is to use my SNMP pass-through agent:

https://github.com/redBorder/rb_snmp_pass

You will need to adapt it for your case.

On Tue, 31-03-2015 at 10:03 +0300, Karolis wrote:
> Hi,
> 
> I am trying to map perfmonitor preprocessor statistics keys to
> values.
> 
> config:
> preprocessor perfmonitor: time 300
> file /nsm/sensor_data/"sensor-name"/snort.stats pktcnt 10000
> 
> The Snort manual states "There are over 100 individual statistics
> included. A header line is output at startup and rollover that labels
> each column." although only 75 keys are listed.
> 
> The snort.stats file has 96 keys and 131 values.
> 
> How can I correctly map keys to values?
> 
> Karolis
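A more defensive version of the same header-to-row mapping, added here as an example; it is not part of the original thread and not Juan's script. Instead of assuming the header is line 2 of the file, it takes the most recent '#' line before the last data row (the manual quoted above says a header is written at startup and at every rollover), and it compares the field counts before mapping anything, so a file like the 96-key/131-value one in the question is reported as a mismatch rather than silently zipped out of alignment. It uses POSIX sh and awk only; the two snort.stats files it reads are constructed inline and are not real Snort output.

```shell
#!/bin/sh
# Added example (not from the thread). Looks up one perfmonitor counter by
# name in the last data row of a snort.stats file, using the most recent
# header line that precedes that row.

# Print the value of key $2 from the last data row of file $1.
# Exit status: 0 found, 1 key not in header, 2 header/row field counts differ.
snort_stat() {
    awk -F, -v key="$2" '
        /^#/ { nkeys = split(substr($0, 2), keys, ","); next }  # newest header wins
        NF > 0 { nvals = split($0, vals, ",") }                 # remember last data row
        END {
            if (nkeys != nvals) {
                print "header/row field count mismatch: " nkeys " keys, " nvals " values" > "/dev/stderr"
                exit 2
            }
            for (i = 1; i <= nkeys; i++)
                if (keys[i] == key) { print vals[i]; exit 0 }
            print "unknown key: " key > "/dev/stderr"
            exit 1
        }' "$1"
}

# Constructed sample: the file rolled over once and the new header gained a
# column, so "line 2 is the header" would mis-assign the fields of the last row.
STATS_FILE="${TMPDIR:-/tmp}/snort.stats.example.$$"
cat > "$STATS_FILE" <<'EOF'
#time,stream5_mem_in_use,curr_tcp_sessions_established
1428300000,13000000,5000
#time,pkt_drop_percent,stream5_mem_in_use,curr_tcp_sessions_established
1428300300,0.001,13950060,5195
EOF

# Constructed sample with more values than header keys, as in the question.
BAD_FILE="${TMPDIR:-/tmp}/snort.stats.bad.$$"
cat > "$BAD_FILE" <<'EOF'
#time,stream5_mem_in_use,curr_tcp_sessions_established
1428300300,0.001,13950060,5195,7
EOF
trap 'rm -f "$STATS_FILE" "$BAD_FILE"' EXIT

echo "stream5_mem_in_use: $(snort_stat "$STATS_FILE" stream5_mem_in_use)"
echo "curr_tcp_sessions_established: $(snort_stat "$STATS_FILE" curr_tcp_sessions_established)"
snort_stat "$BAD_FILE" stream5_mem_in_use || echo "refused to map: exit status $?"
```

The exit status is what makes this usable from a monitoring check: 2 means the file and the header you think you have disagree (a rollover with a changed column set, or a truncated row), and a graph fed from it should show a gap instead of a wrong number.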

