Tuesday, February 5, 2013

Snort: Flow-IP Statistics Parser

I recently enabled flow-ip statistics in my snort.conf by editing the perfmon preprocessor line like so:

preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 flow-ip-file /var/snort/ipflow.csv flow-ip

As you can see, I am logging snort performance data to /var/snort/snort.stats every 5 minutes or 10000 packets.  In addition, I'm logging the flow-ip data to /var/snort/ipflow.csv.

The flow-ip data can be used to help identify the top talkers on your network and is useful for troubleshooting performance issues, such as CPU spikes, in snort.  But because the output is contained in a CSV file, it isn't very easy to read.

I wrote a small Perl script that uses bash commands, such as awk, to make it a little easier to read.  The script adds together the total TCP bytes from Host A with the total TCP bytes from Host B and outputs the top 10 in descending order by the total TCP bytes sent between the two hosts.

It does not merge duplicate host pairs, though: the calculation is done per line of the CSV.  So if the file contains several lines for the same pair of hosts, and they all happen to carry more TCP traffic than the other lines, that pair will be listed several times in the output, separated only by the differences in their TCP byte totals.

Feel free to modify and use the code any way you see fit.  You can execute the code by saving it to a file, such as flowipparser.pl, and then calling it with your CSV file as an argument from the command line:  ./flowipparser.pl ipflow.csv

The output to the console will contain three columns:  Host A IP Address, Host B IP Address, and the total TCP bytes transferred between the two hosts.

Here's the code:

#!/usr/bin/perl -w
use strict;

# Usage: ./flowipparser.pl ipflow.csv
my $INPUTFILE = shift @ARGV or die "usage: $0 ipflow.csv\n";

# Columns: 1 = Host A, 2 = Host B, 4 = TCP bytes A->B, 6 = TCP bytes B->A.
# Sum both directions first, then sort descending by that sum and keep the top 10.
system qq(awk -F "," '{ print \$1, \$2, \$4+\$6 }' '$INPUTFILE' | sort -r -n -k3 | head);
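An added example (not from the original post) that does the aggregation the script above skips: it merges repeated rows for the same host pair, treats (A,B) and (B,A) as one pair, and ranks pairs by their combined TCP bytes. It assumes the column layout used above (fields 1, 2, 4 and 6) and runs on constructed sample rows in place of the real ipflow.csv.

```shell
#!/bin/sh
# Constructed sample rows standing in for /var/snort/ipflow.csv.
# Assumed layout, as in the post: $1=Host A, $2=Host B, $4=TCP bytes A->B,
# $6=TCP bytes B->A (remaining fields are ignored here).
sample_csv() {
    cat <<'EOF'
10.0.0.5,192.168.1.10,12,1500,10,3000,0,0,0,0
192.168.1.10,10.0.0.5,3,500,2,250,0,0,0,0
10.0.0.7,192.168.1.20,40,9000,38,12000,0,0,0,0
10.0.0.5,192.168.1.10,1,100,1,150,0,0,0,0
EOF
}

# top_talkers [N]: read flow-ip CSV on stdin, print "hostA hostB total_tcp_bytes"
# for the N busiest host pairs (default 10), highest total first.
top_talkers() {
    awk -F ',' '
        # Skip blank lines, headers or malformed rows: both byte fields must be integers.
        $4 !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/ { next }
        {
            # Normalise the pair so (A,B) and (B,A) share one bucket, then add
            # both directions, so repeated rows for the same pair are merged.
            key = ($1 < $2) ? $1 " " $2 : $2 " " $1
            total[key] += $4 + $6
        }
        END { for (k in total) print k, total[k] }
    ' | sort -r -n -k3 | head -n "${1:-10}"
}

# Stand-alone run on the sample; on a real file: top_talkers 10 < /var/snort/ipflow.csv
sample_csv | top_talkers 10
```

With the sample rows, the two 10.0.0.5/192.168.1.10 lines and the reversed 192.168.1.10/10.0.0.5 line collapse into a single pair with 5500 bytes, behind 10.0.0.7/192.168.1.20 at 21000.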
