-
April 12th, 2006, 05:16 PM
#1
Snort- preprocessor perfmonitor
Does anyone have any way to analyze the perfmonitor on a win32 system other than just opening the flat file and looking at the raw data?
I saw two possible linux solutions so far. (As of yet, I can't modify them to run in a win32 environment)
The two linux solutions I found are perf-graph (pmgraph) and gpss.
I've gotten perf-graph close to working... but I keep getting the following error:
I have the correct version of perl and rrd
C:\path_to\pmgraph>perl pmgraph.pl c:\output\pmgraph\graphs\ c:\pathto\Snort\statsdir\statsfile.txt 1
Processing data from "c:\pathto\Snort\statsdir\statsfile.txt".
Got stats from 1 CPU
Inserting values into temporary RRD database
Generating images
Error: RRD error: Cannot parse DS in 'DEF:drops=C:\DOCUME~1\user\LOCALS~1\Temp\perfmon-stats.gITMVzCdZP/temp.rrd:drops:AVERAGE'
I'm sure the syntax is correct and I'm sure that the script can read the data. (If there isn't enough data, it tells you that you have to wait until there is enough data.) I have the preprocessor set up properly as recommended in the pmgraph README.
Using filemon, I can see that it does read the file and write the database into the temporary location above. Though, the temp. filename changes each run. (which I'd expect)
Also, on the site... it says
The current version works with the perfmonitor preprocessor included in Snort 2.4.0, 2.4.1 and 2.4.21, but not older versions. It may or may not work with future versions of Snort.
I'm using Snort 2.4.3
http://people.su.se/~andreaso/perfmon-graph/
I wanted to script this to update the graph file (which I can do if it'd work) and link it to BASE.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
April 13th, 2006, 02:15 PM
#2
Well, problem solved. Apparently, I'm the first win32 user to try to use the tool. Either that, or I'm a tool that couldn't figure out how to get it to work on win32. Either way, I received a response from the author of the perl script.
You may be the first one to try pmgraph on Win32 but there shouldn't
be any major issues. The problem here is that rrdtool uses ":" to
separate the fields, so things go bad when you put an msdos/win style
path in there. You can get around this by setting the TEMPDIR
environment variable to something without a drive specification.
Or try http://people.su.se/~andreaso/perfmon-graph/pmgraph.pl which
contains a workaround hack so you don't have to change anything.
I tried it myself and with that fix everything seems to work just fine
on Win32.
/Andreas
Works like a charm now!
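The root cause Andreas describes above is worth seeing concretely: rrdtool's DEF argument is a colon-delimited record (`DEF:<vname>=<rrdfile>:<ds-name>:<CF>`), so a Windows path with a drive letter like `C:\...` contributes an extra colon and the field count comes out wrong, which is what the "Cannot parse DS" error amounts to. The following Python is an added illustration written for this page; it is not pmgraph's code, not rrdtool's parser, and not the workaround Andreas put into his script (the thread does not show it). It models rrdtool's field splitting, reproduces the failure with the exact DEF string from the first post, and shows the two ways around it that the thread mentions: escaping the colon as `\:` (rrdtool's own escape for colons inside a DEF filename, documented in rrdgraph_data; confirm it on the rrdtool version you run) and using a drive-free TEMPDIR path. The `split_def`, `parse_def`, `build_def` and `drive_free` names are this example's own.

```python
"""Added example (not pmgraph or rrdtool code): why a Windows drive letter
breaks rrdtool's colon-delimited DEF syntax, and two ways around it."""
import ntpath

# The DEF filename from the thread's error message (constructed sample input).
TEMP_RRD = r'C:\DOCUME~1\user\LOCALS~1\Temp\perfmon-stats.gITMVzCdZP/temp.rrd'


def split_def(spec):
    """Split a DEF argument on unescaped colons, the way rrdtool does.

    ':' is the field separator; a literal colon inside a field is written
    as '\\:' (assumption: rrdtool's documented escape for DEF filenames).
    Any other backslash (e.g. the ones in a Windows path) is kept as-is.
    """
    fields, cur, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == '\\' and spec[i + 1:i + 2] == ':':
            cur.append(':')       # escaped colon: part of the field
            i += 2
            continue
        if ch == ':':
            fields.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append(''.join(cur))
    return fields


def parse_def(spec):
    """Parse 'DEF:<vname>=<rrdfile>:<ds-name>:<CF>' into its parts.

    Raises ValueError when the field count is off, which is the situation
    behind the 'Cannot parse DS' error in the thread.
    """
    fields = split_def(spec)
    if len(fields) != 4 or fields[0] != 'DEF' or '=' not in fields[1]:
        raise ValueError('Cannot parse DS in %r' % spec)
    vname, rrdfile = fields[1].split('=', 1)
    return {'vname': vname, 'rrdfile': rrdfile, 'ds': fields[2], 'cf': fields[3]}


def naive_spec(rrdfile=TEMP_RRD):
    """Build the DEF argument exactly as the failing command did: no escaping."""
    return 'DEF:drops=%s:drops:AVERAGE' % rrdfile


def build_def(vname, rrdfile, ds, cf='AVERAGE'):
    """Workaround 1: escape every colon in the path so 'C:' survives splitting."""
    return 'DEF:%s=%s:%s:%s' % (vname, rrdfile.replace(':', '\\:'), ds, cf)


def drive_free(path):
    """Workaround 2: drop the drive specification (what setting TEMPDIR to a
    drive-less path achieves). Only valid when the script runs on that drive."""
    drive, rest = ntpath.splitdrive(path)
    return rest


def demo():
    """Return (naive_field_count, parsed_via_escape, parsed_via_drive_free)."""
    naive_fields = len(split_def(naive_spec()))          # 5, not 4
    escaped = parse_def(build_def('drops', TEMP_RRD, 'drops'))
    dropped = parse_def(build_def('drops', drive_free(TEMP_RRD), 'drops'))
    return naive_fields, escaped, dropped


if __name__ == '__main__':
    count, esc, drp = demo()
    print('naive DEF splits into %d fields (rrdtool expects 4)' % count)
    print('escaped colon  -> rrdfile =', esc['rrdfile'])
    print('drive-free     -> rrdfile =', drp['rrdfile'])
```

Note that `drive_free` simply strips the drive letter: it reproduces the TEMPDIR advice in the reply above, and like that advice it only works when the temporary RRD and the script are on the same drive. The escape form does not have that restriction, but it depends on the rrdtool build honouring `\:` in DEF filenames, so test it against your own rrdtool before relying on it.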
-
April 13th, 2006, 02:27 PM
#3
I'd say that the mere existence of documentation and a Perl script leans towards the latter.
Heheh.
Sorry. Couldn't resist.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
April 13th, 2006, 03:05 PM
#4
Haha! You're soooo funny. I knew I was opening myself up for cheap shots.
Remember... I'm still a perl novice. Or, even beginner. I'm learning, but slowly as I need/find applications for it. I'm not terribly familiar with the differences between perl coding on *nix and win32.
-
July 17th, 2006, 02:59 PM
#5
Originally posted here by phishphreek80
Well, problem solved. Aparently, I'm the first win32 user to try to use the tool. Either that, or I'm a tool that couldn't figure out how to get it to work on win32. Either way, I received a response from the author of the perl script.
Works like a charm now!
Hello,
I'm facing the same problem and found this thread thanks to Google.
Can you please explain a little bit how you managed to solve this issue because I have exactly the same one?
Thank you very much,
Ludo
-
July 17th, 2006, 04:42 PM
#6
Andreas Östling actually created a workaround for us. The corrected perl file is @
http://people.su.se/~andreaso/perfmon-graph/pmgraph.pl
Here is my original posting to the snort list
http://archives.neohapsis.com/archiv...6-04/0080.html
And his reply
http://archives.neohapsis.com/archiv...6-04/0083.html
From there, it worked fine.
I've zipped up my working pmgraph folder for ya. In there is the original pmgraph (pmgraph.old) and the newest one (linked above).
I just have a batch file scheduled that goes out and runs the pmgraph.pl and updates the stats.
-
July 17th, 2006, 06:19 PM
#7
Thank you so much.
Actually, I reviewed the script and I'm not using this one with rrdtool but routers2.cgi, a script you can find here:
http://www.steveshipway.org/software/
I have exactly the same error message that you had with yours.
By the way, I tried to amend "my" .cgi according to the lines that were different between the 2 scripts you provided, that is to say line from line 320.
Unfortunately, all I get is a:
HTTP 500 (error in the program somehow).
If I remove the lines added, all I have is a:
Error: RRDs::graph failed, Cannot parse DS in 'DEF:in=C:\www/c.rrd:ds0:AVERAGE'
Since I have absolutely no knowledge on cgi/perl, can you please help me with this one?
Much appreciated
-
July 17th, 2006, 07:12 PM
#8
Sorry, but at this time I don't have the time to play around with it.
You may want to post your issue on the forum where you got the software.
http://www.steveshipway.org/forum/index.php?c=1
-
July 17th, 2006, 07:18 PM
#9
Doesn't matter, phishphreek80, don't worry, you have been very helpful
Thank you once again
-
July 19th, 2006, 01:31 PM
#10
Also, in case you guys didn't know.
In Linux only... you can send a USR1 signal to the snort process and it will dump its current stats to your logging mechanism (/var/log/system.log or /var/log/messages)...
(This is not a "linux is better than windows" thing) But I always make the recommendation NOT to run Snort on Windows.
The Windows kernel isn't as fast. It's a bad idea to run an IDS on a Windows box anyway... It's not made for Windows (yes, it's COMPILED for Windows, but not made for it).
I also suggest that anyone running <2.4.5 upgrade to at least that, if not 2.6.0.