Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Snort- preprocessor perfmonitor

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    Snort- preprocessor perfmonitor

    Does anyone have any way to analyze the perfmonitor on a win32 system other than just opening the flat file and looking at the raw data?

    I saw two possible linux solutions so far. (As of yet, I can't modify them to run in a win32 environment)

    The two linux soltutions I found are perf-graph (pmgraph) and gpss.

    I've gotten perf-graph close to working... but I keep getting the following error:
    I have the correct version of perl and rrd

    C:\path_to\pmgraph>perl pmgraph.pl c:\output\pmgraph\graphs\ c:\pathto\Snort\statsdir\statsfile.txt 1
    Processing data from "c:\pathto\Snort\statsdir\statsfile.txt".
    Got stats from 1 CPU
    Inserting values into temporary RRD database
    Generating images
    Error: RRD error: Cannot parse DS in 'DEF:drops=C:\DOCUME~1\user\LOCALS~1\Temp\
    perfmon-stats.gITMVzCdZP/temp.rrd:drops:AVERAGE'
    I'm sure the syntax is correct and I'm sure that the script can read the data. (if there isn't enough data, it tells you you have to wait until there is enough data). I have the preprocessor setup properly as recommened in the pmgraph README.

    Using filemon, I can see that it does read the file and write the database into the temporary location above. Though, the temp. filename changes each run. (which I'd expect)

    Also, on the site... it says

    The current version works with the perfmonitor preprocessor included in Snort 2.4.0, 2.4.1 and 2.4.21, but not older versions. It may or may not work with future versions of Snort.
    I'm using Snort 2.4.3

    http://people.su.se/~andreaso/perfmon-graph/

    I wanted to script this to update the graph file (which I can do if it'd work) and link it to BASE.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Well, problem solved. Aparently, I'm the first win32 user to try to use the tool. Either that, or I'm a tool that couldn't figure out how to get it to work on win32. Either way, I received a response from the author of the perl script.

    You may be the first one to try pmgraph on Win32 but there shouldn't
    be any major issues. The problem here is that rrdtool uses ":" to
    separate the fields, so things go bad when you put an msdos/win style
    path in there. You can get around this by setting the TEMPDIR
    environment variable to something without a drive specification.

    Or try http://people.su.se/~andreaso/perfmon-graph/pmgraph.pl which
    contains a workaround hack so you don't have to change anything.
    I tried it myself and with that fix everything seems to work just fine
    on Win32.

    /Andreas
    Works like a charm now!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I'd say that the mere existence of documentation and a PERL script leans towards the latter.

    Heheh.

    Sorry. Couldn't resist.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Haha! You're soooo funny. I knew I was opening myself up for cheap shots.

    Remember... I'm still a perl novice. Or, even beginner. I'm learning, but slowly as I need/find applications for it. I'm not terribly familiar with the differences between perl coding on *nix and win32.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Junior Member
    Join Date
    Jul 2006
    Posts
    3
    Originally posted here by phishphreek80
    Well, problem solved. Aparently, I'm the first win32 user to try to use the tool. Either that, or I'm a tool that couldn't figure out how to get it to work on win32. Either way, I received a response from the author of the perl script.



    Works like a charm now!
    Hello,

    I'm facing the same problem and found this thread thanks to Google.
    Can you please explain a little bit how you managed to solve this issue because I have exactly the same one?

    Thank you very much,
    Ludo

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Andreas Östling actually created a workaround for us. The corrected perl file is @
    http://people.su.se/~andreaso/perfmon-graph/pmgraph.pl

    Here is my original posting to the snort list
    http://archives.neohapsis.com/archiv...6-04/0080.html

    And his reply
    http://archives.neohapsis.com/archiv...6-04/0083.html

    From there, it worked fine.

    I've zipped up my working pmgraph folder for ya. In there is the original pmgraph (pmgraph.old) and the newest one (linked above).

    I just have a batch file scheduled that goes out and runs the pmgraph.pl and updates the stats.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Junior Member
    Join Date
    Jul 2006
    Posts
    3
    Thank you so much.

    Actually, I reviewed the script and I'm not using this one with rrdtool but routers2.cgi, a script you can find here:
    http://www.steveshipway.org/software/

    I have exactly the same error message that you had with yours.
    By the way, I tried to amend "my" .cgi according to the lines that were different between the 2 scripts you provided, that is to say line from line 320.
    Unfortunately, all I get is a:
    HTTP 500 (error in the program somehow).

    If I remove the lines added, all I have is a:
    Error: RRDs::graph failed, Cannot parse DS in 'DEF:in=C:\www/c.rrd:ds0:AVERAGE'

    Since I have absolutely no knowledge on cgi/perl, can you please help me with this one?

    Much appreciated

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Sorry, but at this time I don't have the time to play around with it.

    You may want to post your issue on the forum where you got the software.
    http://www.steveshipway.org/forum/index.php?c=1
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    Junior Member
    Join Date
    Jul 2006
    Posts
    3
    Doesn't matter, phishphreek80, don't worry, you have been very helpful

    Thank you once again

  10. #10
    Also, in case you guys didn't know.

    In Linux only... you can send a USR1 sig to the snort process and it will dump its current stats to your logging mechanism (/var/log/system.log or /var/log/messages)...

    (This is not a "linux is better than windows" thing) But I always make the recommendation NOT to run Snort on Windows.

    Windows kernel isn't as fast.. Its a bad idea to run an IDS on a Windows box anyway... It's not made for Windows (yes it's COMPILED for windows, but not made for it)

    I also suggest that anyone running <2.4.5 upgrade to at least that, if not 2.6.0.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •