Snort mailing list archives
Re: Snort init script `stats` function
From: Bill Parker via Snort-devel <snort-devel () lists snort org>
Date: Wed, 23 Aug 2017 10:04:47 -0700
FYI,
Syslog can rate limit information on snort startup and shutdown as
referenced in this document:
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/025/original/snort-rate-limiting-rev1.pdf?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1503511439&Signature=nsnXimFvlZp%2Bm0XqdekPUaSyMDw%3D
or
https://www.snort.org/documents (under deployment guides).
Bill
On Wed, Aug 23, 2017 at 4:41 AM, Peter Gallagher via Snort-devel <snort-devel () lists snort org> wrote:
Thinking about this further, there is a possibility that additional logs could be interspersed between the snort output in the syslog. So it would be prudent to increase the number of lines returned to be >147 in order to mitigate against this (e.g. 200); this should allow us to capture all 148 lines of snort output.

Regards,
Peter

On 23 August 2017 at 12:31, Peter Gallagher <gallagher.peter () gmail com> wrote:

The current `stats` function in the init.d script has been very unreliable for me, due to variations in the `startdate` variable recorded in the script and the timestamp when the log lines are actually written by snort. Accordingly I have modified my init script to use the following:

    tac /var/log/messages | grep -m1 '*** Caught Dump Stats-Signal' -B147 | tac | grep 'snort.*:' | cut -d: -f4-

This example of the basic `stats` function does the following:

1. Uses `tac` to reverse the order of `$SYSLOG`
2. Greps for the first occurrence of the snort stats start signature and includes an additional 147 lines of output
3. Reverses the order (again using `tac`) to return it to normal order
4. Filters out any non-snort lines

I think this is a more reliable approach. The only risk is if the stats aren't dumped correctly it could return an earlier collection of statistics, however I feel this is highly unlikely. I looked for a public repository to provide a diff or pull request but could not find any. Please let me know if you think this is suitable for inclusion for future releases.

Regards,
Peter

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
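An added example, not code from the thread or from the Snort init script: Peter's pipeline wrapped in a function with the line count made a parameter, run against a constructed syslog sample (the stats lines other than the marker are made up) to show how an interleaved non-snort line eats into the `-B` budget, which is the case his follow-up raises.

```shell
#!/bin/sh
# Extract the most recent Snort statistics block from a syslog file.
#   $1 = syslog file (e.g. /var/log/messages)
#   $2 = number of lines to keep after the marker. Peter uses 147 and
#        suggests ~200 so unrelated interleaved lines do not push real
#        snort lines out of the window.
# Reversed input makes "first match" the newest dump, and -B then yields
# the lines that follow the marker in normal order; tac restores order,
# the grep drops non-snort lines, cut strips the syslog prefix.
snort_stats() {
    tac "$1" \
      | grep -m1 -B"$2" '\*\*\* Caught Dump Stats-Signal' \
      | tac \
      | grep 'snort.*:' \
      | cut -d: -f4-
}

# Constructed sample (hypothetical hostname "ids", made-up counters): two
# dumps, the newer one with a cron line interleaved after the marker.
make_sample_syslog() {
    cat > "$1" <<'EOF'
Aug 23 11:00:00 ids snort[2211]: *** Caught Dump Stats-Signal
Aug 23 11:00:00 ids snort[2211]: Packet I/O Totals: received=100
Aug 23 11:00:00 ids snort[2211]: Breakdown by protocol: tcp=80
Aug 23 12:31:00 ids snort[2211]: *** Caught Dump Stats-Signal
Aug 23 12:31:00 ids CRON[3344]: (root) CMD (run-parts /etc/cron.hourly)
Aug 23 12:31:00 ids snort[2211]: Packet I/O Totals: received=250
Aug 23 12:31:00 ids snort[2211]: Breakdown by protocol: tcp=200
EOF
}

# Stand-alone demo: a generous window returns the full newest dump; a
# window of 1 is consumed by the cron line and returns only the marker.
demo_file=$(mktemp)
make_sample_syslog "$demo_file"
echo "--- window 147:"; snort_stats "$demo_file" 147
echo "--- window 1:";   snort_stats "$demo_file" 1
rm -f "$demo_file"
```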