[Snort-users] snort.stats key-value mapping

Juan Jesus Prieto jjprieto at ...16842...
Mon Apr 13 03:59:07 EDT 2015


Hi Karolis,

  Could you attach an example of the stats file content? Every key should be
accompanied by its corresponding value, one to one.

Regards.

On Thu, 09-04-2015 at 19:46 +0300, Karolis wrote:
> Hi Juan,
> 
> 
> Thanks for the reply. I have got the same associative array, but can I rely on
> it?
> As I mentioned, there are 96 keys and 131 values in the snort.stats
> file.
> How do you know that the first 96 keys correspond to the first 96 values
> in a one-to-one relationship and only the last values are missing keys?
> Can it be that there are gaps in the key-value pairs, e.g. key 10 corresponds
> to value 12?
> 
> 
> Karolis 
> 
> 
> 
> 
> 
> 
> On Mon, Apr 6, 2015 at 11:14 AM, Juan Jesus Prieto
> <jjprieto at ...16842...> wrote:
> 
>         Hi Karolis,
>         
>           The manual is out of date at this point. I use scripting to
>         dynamically map these pairs. For example:
>         
>         
>         # declare -A v; \
>         keys=( $(head /var/log/snort/snort.stats -n2 | tail -n1 | sed 's/^#//' | tr ',' ' ') ); \
>         count=0; \
>         for n in $(tail /var/log/snort/snort.stats -n1 | tr ',' ' '); do \
>            v[${keys[$count]}]=$n; \
>            count=$(($count+1)); \
>            done; \
>         echo "stream5_mem_in_use: ${v['stream5_mem_in_use']}"; \
>         echo "curr_tcp_sessions_established: ${v['curr_tcp_sessions_established']}"
>         stream5_mem_in_use: 13950060
>         curr_tcp_sessions_established: 5195
>         
>         
>         
>         This small script will map all key/value pairs into a hash
>         (named 'v') and present the last values from the stats file
>         (stream5_mem_in_use and curr_tcp_sessions_established in this
>         example).
>         
>         Another option is to use my SNMP pass-through agent:
>         
>         https://github.com/redBorder/rb_snmp_pass
>         
>         You will need to adapt it for your case.
>         
>         
>         
>         On Tue, 31-03-2015 at 10:03 +0300, Karolis wrote:
>         
>         > Hi,
>         > 
>         > I am trying to map perfmonitor preprocessors statistics keys
>         > to values.
>         > 
>         > 
>         > config:
>         > preprocessor perfmonitor: time 300
>         > file /nsm/sensor_data/"sensor-name"/snort.stats pktcnt 10000
>         > 
>         > 
>         > 
>         > The Snort manual states "There are over 100 individual
>         > statistics included. A header line is output at startup and
>         > rollover that labels each column.", although only 75 keys are
>         > listed.
>         > 
>         > 
>         > The snort.stats file has 96 keys and 131 values.
>         > 
>         > 
>         > How can I correctly map keys to values?
>         > 
>         > 
>         > Karolis


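The positional pairing discussed in this thread can be checked instead of assumed. The following is an added example, not part of the original messages and not code from either poster: it pairs the last data line with the header in force when that line was written, and reports any values that have no header entry by column number. It assumes the format the quoted script relies on (a `#`-prefixed, comma-separated header line and comma-separated data lines); `map_snort_stats` and `write_sample` are hypothetical names, and the sample file is constructed.

```shell
#!/bin/sh
# Added example. Assumed format (taken from the script in the thread):
# header = '#'-prefixed comma list, data = comma-separated values.

# map_snort_stats FILE
# Pairs the last data line with the header in force when it was written.
# Prints key=value per labelled column and unlabelled[N]=value for values
# beyond the header. Returns 0 if counts match, 1 if not, 2 if the file
# has no usable header or data line.
map_snort_stats() {
    awk -F',' '
        /^[ \t]*$/ { next }                         # skip blank lines
        /^#/ { if (index($0, ",")) hdr = $0; next } # comma list = header
        { data = $0; dhdr = hdr }                   # remember header in force
        END {
            if (dhdr == "" || data == "") {
                print "error: no header or no data line" > "/dev/stderr"
                exit 2
            }
            sub(/^#[ \t]*/, "", dhdr)
            nk = split(dhdr, k, ",")
            nv = split(data, v, ",")
            n = (nk < nv) ? nk : nv
            for (i = 1; i <= n; i++)      printf "%s=%s\n", k[i], v[i]
            for (i = n + 1; i <= nv; i++) printf "unlabelled[%d]=%s\n", i, v[i]
            for (i = n + 1; i <= nk; i++) printf "no_value[%d]=%s\n", i, k[i]
            if (nk != nv) {
                printf "warning: %d keys, %d values\n", nk, nv > "/dev/stderr"
                exit 1
            }
        }
    ' "$1"
}

# Constructed sample (not real sensor output): 2 keys, 4 values per line.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
#stream5_mem_in_use,curr_tcp_sessions_established
13900000,5100,7,9
13950060,5195,8,10
EOF
}

sample=$(mktemp)
write_sample "$sample"
map_snort_stats "$sample" || echo "exit status: $?"
rm -f "$sample"
```

A non-zero exit status lets a monitoring wrapper refuse to publish values whose labels cannot be confirmed rather than trusting position alone.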