Wednesday, September 1, 2010

Snort Performance Stats Tool Info

I have noticed that there are not a ton of tools out there (definitely not many currently maintained) that can be used to parse the information from the snort performance monitor.  As such, I am considering writing one and wanted to see what the interest would be.  If there is indeed interest, then I would also like to know what format(s) and types of information would be most useful to the community.  Of course I know what will be useful to myself, and will likely be writing about that in the near future.  For now, here is some sample output from a quick perl parser that I wrote today.

$ ./ /var/tmp/snortstat

-= Tha Pig Doktah 0.1 Dev =-
Copyright (C) 2010 JJ Cummings

Report Info:
    Processed: /var/tmp/snortstat
    First Entry: Wed Sep  1 11:34:05 2010
    Last Entry: Wed Sep  1 22:27:47 2010
    Time Span: 0 days, 10 hours, 53 minutes and 42 seconds

    High: 6.683 Mbits/Sec | Wed Sep  1 12:54:00 2010
    Low: 0.007 Mbits/Sec | Wed Sep  1 18:14:18 2010
    Avg: 0.276 Mbits/Sec
% Packet Loss:
    High: 3.817% | Wed Sep  1 20:13:39 2010
    Low: 0.000% | Wed Sep  1 22:22:47 2010
    Avg: 0.095%

Additional Info:
    Avg Pkt Size: 363 bytes
    Avg Syns/Sec: 0.153
    Avg SynAcks/Sec: 0.105
    Avg Alerts/Sec: 0.001
    Avg Current Cached Sessions: 2326

Obviously this is was only as a quick test and does not include all of the important pieces of data.  Please feel free to hit me up in #snort (on freenode),  twitter, email(if'n you knows it), or post a comment here.



ddp said...

Something like this would be very helpful. There's mention of a snort plugin being worked on for collectd, but I don't know if it is really being worked on or not.

JJC said...

I'll have a look at the plug-in, I have also updated this post with some graphical output etc...