
It has been a while.

By klard | December 30, 2007

I have completely switched focus in the last year, from primarily development to security. That being said, I have been struggling with getting snort to run on a gigabit ethernet tap. I compiled pf ring into a Red Hat kernel on a quad-core 64-bit Opteron platform. While the platform and the network interface can keep up, snort itself is really struggling to.
In an effort to find out what snort is doing, I enabled the performance monitor but had a darned struggle figuring out exactly what was being logged in Snort 2.8.1. The fields are defined in perf-base.c in the snort code, but I have taken the liberty of copying and pasting them here to possibly save someone some time.
I will post later on the steps to get pf ring running on a 64-bit platform.

* unixtime(in secs since epoch)
* %pkts dropped
* mbits/sec (wire)
* alerts/sec
* K-Packets/Sec (wire)
* Avg Bytes/Pkt (wire)
* %bytes pattern matched
* syns/sec
* synacks/sec
* new-sessions/sec (tcp stream cache)
* del-sessions/sec (tcp stream cache)
* total-sessions open (tcp stream cache)
* max-sessions, lifetime (tcp stream cache)
* streamflushes/sec
* streamfaults/sec
* streamtimeouts
* fragcreates/sec
* fragcompletes/sec
* fraginserts/sec
* fragdeletes/sec
* fragflushes/sec
* current-frags open (frag cache)
* max-frags (frag cache)
* fragtimeouts
* fragfaults
* num cpus (following triple is repeated for each CPU)
* %user-cpu usage
* %sys-cpu usage
* %idle-cpu usage
* mbits/sec (wire)
* mbits/sec (ip fragmented)
* mbits/sec (ip reassembled)
* mbits/sec (tcp stream rebuilt)
* mbits/sec (app layer)
* Avg Bytes/Pkt (wire)
* Avg Bytes/Pkt (ip fragmented)
* Avg Bytes/Pkt (ip reassembled)
* Avg Bytes/Pkt (tcp stream rebuilt)
* Avg Bytes/Pkt (app layer)
* K-Packets/Sec (wire)
* K-Packets/Sec (ip fragmented)
* K-Packets/Sec (ip reassembled)
* K-Packets/Sec (tcp stream rebuilt)
* K-Packets/Sec (app layer)
* Pkts received
* Pkts dropped
* Blocked-KPackets (wire)
* udp-sessions
* max-udp-sessions
* del-udp-sessions/sec (udp stream cache)
* new-udp-sessions/sec (udp stream cache)
* max-sessions, interval (tcp stream cache)
* curr-tcp-sessions-initializing (tcp stream cache, of total-sessions open)
* curr-tcp-sessions-established (tcp stream cache, of total-sessions open)
* curr-tcp-sessions-closing (tcp stream cache, of total-sessions open)
* tcp-sessions-mistream/sec (tcp stream cache, of new-sessions/sec)
* tcp-sessions-closed/sec (tcp stream cache, of del-sessions/sec)
* tcp-sessions-timedout/sec (tcp stream cache, of del-sessions/sec)
* tcp-sessions-pruned/sec (tcp stream cache, of del-sessions/sec)
* tcp-sessions-dropped_async/sec (tcp stream cache, of del-sessions/sec)
* hosts in attribute table
* attribute table reloads
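To make the list above usable, here is a small parser for perfmonitor records in that field order, written for this post and not taken from the Snort source. It assumes (the post does not say) that each record is one comma-separated line in exactly the listed order and that the "num cpus" column is followed by one %user/%sys/%idle triple per CPU, so the record width depends on the host; the sample record is constructed, not real sensor output.

```python
# Parser for Snort 2.8.1 perfmonitor records in the field order listed above.
# Assumptions (not stated in the post): one comma-separated record per line, in the
# listed order, with 'num cpus' followed by one (%user, %sys, %idle) triple per CPU.
HEAD = [  # the 25 columns before 'num cpus'
    "unixtime", "pct_pkts_dropped", "mbits_sec", "alerts_sec", "kpkts_sec",
    "avg_bytes_pkt", "pct_bytes_matched", "syns_sec", "synacks_sec",
    "new_sessions_sec", "del_sessions_sec", "total_sessions_open",
    "max_sessions_lifetime", "streamflushes_sec", "streamfaults_sec",
    "streamtimeouts", "fragcreates_sec", "fragcompletes_sec",
    "fraginserts_sec", "fragdeletes_sec", "fragflushes_sec",
    "current_frags_open", "max_frags", "fragtimeouts", "fragfaults",
]
TAIL = [f"{m}_{l}" for m in ("mbits", "avg_bytes", "kpkts")  # 15 per-layer columns
        for l in ("wire", "ipfrag", "ipreasm", "tcp_rebuilt", "app")] + [
    "pkts_received", "pkts_dropped", "blocked_kpkts", "udp_sessions",
    "max_udp_sessions", "del_udp_sessions_sec", "new_udp_sessions_sec",
    "max_sessions_interval", "tcp_initializing", "tcp_established",
    "tcp_closing", "tcp_mistream_sec", "tcp_closed_sec", "tcp_timedout_sec",
    "tcp_pruned_sec", "tcp_dropped_async_sec", "hosts_in_attribute_table",
    "attribute_table_reloads",
]  # the 33 columns after the per-CPU block

def parse_perfmon_line(line: str) -> dict:
    """Return one record as a dict; the per-CPU triples land in rec['cpus']."""
    cols = [float(c) for c in line.strip().split(",") if c]  # tolerate trailing ','
    start = len(HEAD) + 1  # index of the first per-CPU value
    ncpu = int(cols[len(HEAD)]) if len(cols) >= start else -1
    if ncpu < 0 or len(cols) != start + 3 * ncpu + len(TAIL):
        raise ValueError(f"malformed record: {len(cols)} columns")
    rec = dict(zip(HEAD, cols))
    rec["cpus"] = [{"user": cols[i], "sys": cols[i + 1], "idle": cols[i + 2]}
                   for i in range(start, start + 3 * ncpu, 3)]
    rec.update(zip(TAIL, cols[start + 3 * ncpu:]))
    return rec

def overload_warnings(rec: dict, max_drop_pct=1.0, min_idle_pct=10.0) -> list:
    warn = []  # the symptom the post describes: a sensor that cannot keep up
    if rec["pct_pkts_dropped"] > max_drop_pct:
        warn.append(f"{rec['pct_pkts_dropped']}% of packets dropped")
    warn += [f"cpu{n} only {c['idle']}% idle" for n, c in enumerate(rec["cpus"])
             if c["idle"] < min_idle_pct]
    return warn

SAMPLE = (  # constructed two-CPU record, not real sensor output
    "1198972800,4.2,812.5,3.1,95.3,1066,22.4,410,395,380,372,15200,28000,"
    "120,0,3,2,1,2,1,0,12,40,0,0,"
    "2,88.0,9.5,2.5,40.0,5.0,55.0,"
    "812.5,1.2,1.1,640.3,560.8,1066,1400,1380,1210,980,95.3,0.1,0.1,66.2,71.5,"
    "95300,4000,0,2100,3000,50,55,16000,1200,13500,500,2,360,10,2,0,230,1,"
)
```

Running `overload_warnings(parse_perfmon_line(SAMPLE))` on the sample flags the 4.2% packet loss and the first CPU sitting at 2.5% idle, which is the picture of a single-threaded sensor saturating one core while the others sit unused.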

Topics: Security, Snort
