Snort mailing list archives

Re: snort.stats analysis


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Mon, 16 Jul 2012 22:23:19 +0000

I'm afraid that I do not believe the stats produced. I need some verification that it is not lying to me. For instance, 
it appears that in some cases zero values are thrown out rather than going into average calculations: the loss 
percentage is seen as 0.000 in many lines of the snort.stats file but the minimum reported when -d is requested is 
greater than zero.

Also, it croaks with "uninitialized value" or "Invalid data set" when non-standard output is requested ("-h" for 
example).

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net] 
Sent: Monday, July 16, 2012 16:01
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort.stats analysis

On 7/16/2012 13:45, Joel Esler wrote:
> http://www.snort.org/snort-downloads/additional-downloads/#thepigdoktah

however, in retrospect, since i wrote my previous, i've run thepigdoktah and 
only needed to comment out the PDF perl tool because it is not available in my 
environment for security reasons... in any case, the standard output kinda took 
me by surprise...

my current stats file is only some 6.8Megs but it contains 1.5 years of stats 
entries... 183 days, to be more exact... i was surprised to see that we've only 
had 2% packet loss on the high side and the average is .183%... that may not be 
a lot for some and it may be way too much for others but considering this 
environment and the tight memory constraints, it is acceptable... now to play a 
bit more and see if any real numbers other than just averages can be teased 
out... i guess, without digging into the code, that the HTML will be better ;)

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
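
An independent cross-check for the discrepancy raised in this thread (0.000 loss lines in snort.stats versus a reported minimum above zero), added here as an example; it is not code from the thread or from thepigdoktah. It assumes the perfmonitor CSV layout in which `#` lines are headers and the second field is the packet drop percentage; the sample rows and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample in the assumed snort.stats layout:
# '#' header lines, then rows of time,pkt_drop_percent,...
SAMPLE_STATS = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime,alerts_per_second
1342400000,0.000,1.204,0.010
1342400300,0.000,0.987,0.000
1342400600,0.450,3.310,0.020

1342400900,2.000,9.871,0.050
1342401200,not-a-number,1.000,0.000
1342401500,0.000,1.112,0.000
"""

def read_drop_percent(lines, column=1):
    """Return (values, skipped): drop percentages and the count of malformed rows."""
    values, skipped = [], 0
    for row in csv.reader(lines):
        if not row or row[0].startswith("#"):
            continue  # blank line or header/comment
        try:
            values.append(float(row[column]))
        except (IndexError, ValueError):
            skipped += 1  # count bad rows instead of silently dropping them
    return values, skipped

def summarize(values):
    """Min, max and mean of a non-empty list; None when there are no samples."""
    if not values:
        return None
    return {"n": len(values), "min": min(values), "max": max(values),
            "mean": sum(values) / len(values)}

def cross_check(lines):
    """Summaries with zero samples kept and with zero samples discarded."""
    values, skipped = read_drop_percent(lines)
    return {"all": summarize(values),
            "nonzero": summarize([v for v in values if v > 0.0]),
            "skipped": skipped}

if __name__ == "__main__":
    for name, result in cross_check(io.StringIO(SAMPLE_STATS)).items():
        print(name, result)
```

If a summary tool's minimum and average match the `nonzero` figures rather than the `all` figures, it is discarding zero-loss samples before computing its statistics.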


