[Snort-users] Snort+ : logging in afpacket mode

Meridoff oagvozd at gmail.com
Tue Oct 2 10:11:16 EDT 2018


Wed, 26 Sep 2018 at 1:05, Meridoff <oagvozd at gmail.com>:

> Yes, I think it is true. My test was only from one peer, so it was
> processed by one daq thread, so by one packet thread, which writes its own
> log (for fanout). Without hashed fanout, with several threads doing the
> same processing of one flow, we have several logs of alerts.
>

1) Does snort3 support writing alerts to only one file from several threads?
For example, if I recompile snort so that no run prefix is added to the
log/alert file name, all threads will write to one file.

They already do, but I'm afraid that snort3 doesn't support this and the
resulting log file will have mixed (shuffled) data.

2) Also, does a way exist (except, of course, scripting it myself) to
combine together several alert_logs.txt.N logs from different threads?
For example by time, in the order the alerts appear on the timeline.



>
> Mon, 24 Sep 2018 at 20:27, Shravan Rangarajuvenkata (shrarang) <
> shrarang at cisco.com>:
>
>> Snort creates one DAQ instance per thread, and each DAQ instance creates
>> one packet socket. When fanout mode is used, each packet is sent to only
>> one socket in the fanout group. When you set fanout_type to hash, all
>> packets belonging to one flow are sent to one socket. The socket is selected
>> based on the hash created for the flow, and the hash is a function of the
>> network addresses of the flow. Please refer to "man packet" for more
>> information regarding fanout options.
>>
>>
>>
>> I am assuming when you were using fanout options, both the scp flows went
>> to the same snort thread and therefore, you see only one alert file. When
>> you were not using fanout options, each packet was being sent to all the
>> snort threads and each thread was creating alerts. And thus, you had 4
>> alerts files with duplicate alerts.
>>
>>
>>
>> To confirm the above, can you please provide us more information?
>>
>>    1. Were you seeing the same alerts in all 4 log files when you were
>>    not using fanout options?
>>    2. Did you miss any alerts when you used the fanout options? You
>>    should not see any duplicate alerts when using fanout but all the unique
>>    alerts should still be generated.
>>
>>
>>
>> Thanks,
>>
>> Shravan
>>
>>
>> -------- Forwarded Message --------
>>
>> *Subject: *
>>
>> [Snort-users] Snort+ : logging in afpacket mode
>>
>> *Date: *
>>
>> Thu, 20 Sep 2018 20:46:03 +0300
>>
>> *From: *
>>
>> Meridoff via Snort-users <snort-users at lists.snort.org>
>> <snort-users at lists.snort.org>
>>
>> *Reply-To: *
>>
>> Meridoff <oagvozd at gmail.com> <oagvozd at gmail.com>
>>
>> *To: *
>>
>> snort-users at lists.snort.org
>>
>>
>>
>> Hello
>>
>> I run 4 packet threads in afpacket tap mode with alert_fast output.
>>
>> I can see 4 log files (0..4_alert_fast.txt) which are the same, because 4
>> daq threads run.
>>
>>
>>
>> Now I set fanout_type to hash (and fanout_flag to rollover or defrag)
>> and I see that logging goes to only 1 file (e.g. 1_alert_fast.txt).
>>
>>
>>
>> I test all this with one rule, "tcp any any", and 2 scp processes to
>> generate traffic (2 big file transfers in parallel).
>>
>>
>>
>> How can it (the difference in the number of log files that are written)
>> be explained?
>>
>>
>>
>
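The second question in the reply above asks for a way to combine the per-thread alert_fast files into one timeline. The script below is an added example, not code from Snort or from anyone in this thread. It assumes the Snort 3 alert_fast line layout, which begins with an MM/DD-HH:MM:SS.ffffff packet timestamp (no year, so a lexical compare of that prefix orders lines within one year), that each per-thread file is written by a single packet thread in arrival order and is therefore already sorted, and that duplicate alerts from a run without hashed fanout (every thread saw the same packet) carry the same packet timestamp and identical text. The sample lines are constructed in that layout; `merge_alert_streams`, `timestamp_key` and `merged_sample` are names chosen here.

```python
"""Merge per-thread Snort 3 alert_fast files into one timeline (added example).

Assumptions (not verified against the Snort 3 source):
  * each alert_fast line starts with a MM/DD-HH:MM:SS.ffffff packet
    timestamp, so a lexical compare of that prefix orders lines within a year;
  * each per-thread file is written by one packet thread in arrival order,
    so it is already sorted and an N-way merge is enough;
  * duplicates from a no-fanout run (every thread saw the same packet) carry
    the same packet timestamp and identical text.
"""
import heapq
import re
import sys
from typing import Iterable, Iterator, List

# Timestamp prefix of an alert_fast line, e.g. "09/20-20:46:03.123456".
_TS_RE = re.compile(r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})")


def timestamp_key(line: str) -> str:
    """Sortable timestamp prefix of an alert_fast line ('' if there is none)."""
    m = _TS_RE.match(line)
    return m.group(1) if m else ""


def merge_alert_streams(streams: List[Iterable[str]], dedup: bool = False) -> Iterator[str]:
    """Yield alert lines from per-thread streams in timestamp order.

    Ties are broken by stream index (thread number), so the output is
    deterministic. With dedup=True, a line identical to one already emitted
    with the same timestamp is dropped; the seen-set is cleared whenever the
    timestamp advances, so memory is bounded by the number of alerts that
    share one packet timestamp.
    """
    def tagged(idx: int, lines: Iterable[str]):
        for raw in lines:
            line = raw.rstrip("\n")
            if line:
                yield (timestamp_key(line), idx, line)

    seen = set()
    current_ts = None
    for ts, _, line in heapq.merge(*(tagged(i, s) for i, s in enumerate(streams))):
        if dedup:
            if ts != current_ts:
                seen.clear()
                current_ts = ts
            if line in seen:
                continue
            seen.add(line)
        yield line


# Constructed sample in the alert_fast layout: two threads from a run
# without hashed fanout. Both threads logged the two packets of one scp
# connection; thread 1 additionally logged a packet that thread 0 never saw.
THREAD0 = [
    '09/20-20:46:03.100000 [**] [1:1000001:0] "tcp any any" [**] [Priority: 0] {TCP} 10.0.0.1:51234 -> 10.0.0.2:22',
    '09/20-20:46:03.300000 [**] [1:1000001:0] "tcp any any" [**] [Priority: 0] {TCP} 10.0.0.2:22 -> 10.0.0.1:51234',
]
THREAD1 = [
    THREAD0[0],
    '09/20-20:46:03.200000 [**] [1:1000001:0] "tcp any any" [**] [Priority: 0] {TCP} 10.0.0.3:40000 -> 10.0.0.2:22',
    THREAD0[1],
]


def merged_sample(dedup: bool) -> List[str]:
    """Merge the constructed sample; 3 lines with dedup, 5 without."""
    return list(merge_alert_streams([THREAD0, THREAD1], dedup=dedup))


def main(argv: List[str]) -> int:
    """Usage: merge_alerts.py [--dedup] 0_alert_fast.txt 1_alert_fast.txt ..."""
    dedup = "--dedup" in argv
    paths = [p for p in argv if p != "--dedup"]
    if not paths:  # no files given: show the constructed sample
        for line in merged_sample(dedup=True):
            print(line)
        return 0
    files = [open(p, encoding="utf-8", errors="replace") for p in paths]
    try:
        for line in merge_alert_streams(files, dedup=dedup):
            print(line)
    finally:
        for f in files:
            f.close()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 merge_alerts.py 0_alert_fast.txt 1_alert_fast.txt 2_alert_fast.txt 3_alert_fast.txt` to get one timeline; add `--dedup` only for a run without hashed fanout, where each thread logged a copy of the same packet. With hashed fanout each flow lands on one thread, so the files hold different alerts and nothing should be dropped.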

