[Snort-users] snort.stats key-value mapping (Solved)

Karolis karolis.cepulis at ...11827...
Mon Apr 13 13:29:01 EDT 2015


Hi Juan,

I have found the root cause of the problem. Snort outputted the key-value
pairs correctly all the time. It seems that the Snort upgrade changed the number
of statistics monitored. I had formed the array exactly as you did:
"head'ed" the keys and "tail'ed" the latest values, which is why they do not
correlate anymore. I will modify the script so it reads the keys from the end
of the file to avoid such problems in the future.

Karolis
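The fix Karolis describes, pairing the most recent header with the most recent data row instead of "head"-ing the first header, as an added example that is not part of the thread. It assumes the perfmonitor file format seen here: header lines start with '#' and list comma-separated key names, data rows are comma-separated values, and a new header (possibly with a different column count after an upgrade) appears at startup and rollover.

```shell
#!/bin/sh
# Added example (not from the thread): pair the latest perfmonitor header with
# the latest data row, as Karolis proposes, instead of head-ing the first header.
# Assumed format: header lines start with '#' and are comma-separated key names;
# data rows are comma-separated values; a new header is written at startup and
# rollover, possibly with a different column count after an upgrade.

# snort_stat FILE [KEY]
#   With KEY: print KEY's most recent value.  Without KEY: print every key=value pair.
#   Exit status 1 if no header/data is present, if the column counts disagree
#   (the 96-keys-vs-131-values situation from the thread), or if KEY is unknown.
snort_stat() {
    awk -F',' -v key="${2:-}" '
        /^#/ {                                  # candidate header line
            sub(/^#/, "")
            n = split($0, tmp, ",")
            if (n > 1) {                        # ignore one-field comments (e.g. timestamps)
                nh = n
                for (i = 1; i <= n; i++) h[i] = tmp[i]
            }
            next
        }
        NF > 1 {                                # latest data row wins
            nv = NF
            for (i = 1; i <= NF; i++) d[i] = $i
        }
        END {
            if (nh == 0 || nv == 0) exit 1
            if (nh != nv) {
                printf "column mismatch: %d keys vs %d values\n", nh, nv > "/dev/stderr"
                exit 1
            }
            if (key == "") {
                for (i = 1; i <= nh; i++) print h[i] "=" d[i]
                exit 0
            }
            for (i = 1; i <= nh; i++) if (h[i] == key) { print d[i]; exit 0 }
            exit 1
        }' "$1"
}
```

Usage: `snort_stat /var/log/snort/snort.stats stream5_mem_in_use`; a non-zero exit on a column mismatch is the signal that a rollover or upgrade changed the layout and the pairing should not be trusted.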


On Mon, Apr 13, 2015 at 10:59 AM, Juan Jesus Prieto <jjprieto at ...16842...>
wrote:

> Hi Karolis,
>
> Could you attach a stat file content example? Every key should be
> accompanied by its corresponding value, one to one.
>
> Regards.
>
>
> On Thu, 09-04-2015 at 19:46 +0300, Karolis wrote:
>
> Hi Juan,
>
> Thanks for the reply. I have got the same associative array, but can I rely on
> it?
>
> As I mentioned, there are 96 keys and 131 values in the snort.stats file.
>
> How do you know that the first 96 keys correspond to the first 96 values
> in a one-to-one relationship and that only the last values miss keys?
>
> Can it be that there are gaps in the key-value pairs, e.g. key 10 corresponds to
> value 12?
>
> Karolis
>
>  On Mon, Apr 6, 2015 at 11:14 AM, Juan Jesus Prieto <
> jjprieto at ...16842...> wrote:
>
> Hi Karolis,
>
> The manual is out of date at this point. I use scripting to dynamically
> map these pairs. For example:
>
> declare -A v; \
> keys=( $(head /var/log/snort/snort.stats -n2 | tail -n1 | sed 's/^#//' | tr ',' ' ') ); \
> count=0; \
> for n in $(tail /var/log/snort/snort.stats -n1 | tr ',' ' '); do \
>    v[${keys[$count]}]=$n; \
>    count=$(($count+1)); \
>    done; \
> echo "stream5_mem_in_use: ${v['stream5_mem_in_use']}"; \
> echo "curr_tcp_sessions_established: ${v['curr_tcp_sessions_established']}"
> stream5_mem_in_use: 13950060
> curr_tcp_sessions_established: 5195
>
>
>
> This small script maps all key/value pairs into a hash (named 'v') and
> presents the latest values from the stats file (stream5_mem_in_use and
> curr_tcp_sessions_established in this example).
>
> Another option is to use my SNMP pass-through agent:
>
> https://github.com/redBorder/rb_snmp_pass
>
> You will need to adapt it for your case.
>
>
>
> On Tue, 31-03-2015 at 10:03 +0300, Karolis wrote:
>
> Hi,
>
> I am trying to map the perfmonitor preprocessor's statistics keys to values.
>
>
> config:
> preprocessor perfmonitor: time 300 file
> /nsm/sensor_data/"sensor-name"/snort.stats pktcnt 10000
>
>
>
> The Snort manual <http://manual.snort.org/node88.html> states "There are
> over 100 individual statistics included. A header line is output at startup
> and rollover that labels each column.", although only 75 keys are listed.
>
>
> The snort.stats file has 96 keys and 131 values.
>
>
> How can I correctly map keys to values?
>
>
> Karolis
>
>
>
>
>
>
>    ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________ Snort-users mailing list Snort-users at lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
>