Wednesday, May 30, 2007

Snort Stats

While spending my time as an IDS analyst, one of the major issues we had was ensuring that the IDS sensors were seeing traffic, or were seeing the right amount of traffic. I currently do not do full-time IDS work anymore, but I still have that problem in the back of my mind. This led me to start experimenting with the timestats option in Snort. It is a compile-time option: you pass the "--enable-timestats" switch to configure and rebuild Snort.

By default, the timestats build writes Snort's hourly stats to the console. To keep all the stats in an archival state, I send all Snort output to a file I call "stats" in my Snort log directory. I do this at the command line, as I am only running Snort on my home system.

./snort -c ../etc/snort.conf -l /snort -i fxp1 -X -m 022 >& /log/snort/stats

This process works well for my home net; however, on a production box this would be in a startup script, and the output could be parsed and sent to some sort of database. Note that the ">&" redirection above is csh/tcsh syntax; under sh or bash the equivalent is "> /log/snort/stats 2>&1".

Every hour Snort appends its stats to the file. The analyst can then review the file to ensure that there are no deviations in traffic visibility from one hour to the next.

# tail -n 23 stats
Hourly Statistics Report

Packet analysis time averages:

Packets Received per hour is: 12763
Packets Received per minute is: 212
Packets Received per second is: 3

Packets Dropped in the last hour: 0

Packet Breakdown by Protocol:

TCP: 9206 (72.136%)
UDP: 751 (5.885%)
ICMP: 653 (5.117%)
ARP: 364 (2.852%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 1788 (14.010%)
DISCARD: 0 (0.000%)

As you can see, the majority of this traffic is TCP, and a fair number of packets were seen in the last hour in total (remember this is a home network!). If my span port were misconfigured or removed, the hourly totals would fall off sharply, and the protocol breakdown would shift toward whatever the sensor can still see on its own segment (typically ARP and other broadcast traffic), helping the analyst diagnose the problem. The "Packets Dropped" line deserves the same attention: a sensor that receives plenty of packets but drops a significant share of them is also blind to part of the traffic, even though the received counts look healthy.
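As an added example, not code from the original post or from the Snort project, the following Python script shows what the "review the file for deviations" step can look like when automated. It parses consecutive "Hourly Statistics Report" blocks in the layout shown above, then flags hours where the sensor dropped packets, where the hourly volume collapsed relative to the previous hour, or where no TCP or UDP was seen at all. The sample input is constructed: hour 1 reuses the numbers from the post, while hours 2 and 3 (and the alert thresholds) are invented to exercise the checks.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample input (not real sensor output). Hour 1 copies the post's
# report; hours 2 and 3 are made up: hour 2 shows capture drops, hour 3 shows
# a span port that has stopped mirroring (only the sensor's own segment's
# ARP and broadcast traffic remains).
SAMPLE_STATS = """\
Hourly Statistics Report

Packet analysis time averages:

Packets Received per hour is: 12763
Packets Received per minute is: 212
Packets Received per second is: 3

Packets Dropped in the last hour: 0

Packet Breakdown by Protocol:

TCP: 9206 (72.136%)
UDP: 751 (5.885%)
ICMP: 653 (5.117%)
ARP: 364 (2.852%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 1788 (14.010%)
DISCARD: 0 (0.000%)
Hourly Statistics Report
Packet analysis time averages:
Packets Received per hour is: 12801
Packets Received per minute is: 213
Packets Received per second is: 3
Packets Dropped in the last hour: 57
Packet Breakdown by Protocol:
TCP: 9300 (72.650%)
UDP: 760 (5.937%)
ICMP: 640 (5.000%)
ARP: 370 (2.890%)
OTHER: 1731 (13.522%)
DISCARD: 0 (0.000%)
Hourly Statistics Report
Packet analysis time averages:
Packets Received per hour is: 412
Packets Received per minute is: 6
Packets Received per second is: 0
Packets Dropped in the last hour: 0
Packet Breakdown by Protocol:
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
ARP: 398 (96.602%)
OTHER: 14 (3.398%)
DISCARD: 0 (0.000%)
"""

HEADER = "Hourly Statistics Report"
RE_RECEIVED = re.compile(r"Packets Received per hour is:\s*(\d+)")
RE_DROPPED = re.compile(r"Packets Dropped in the last hour:\s*(\d+)")
# Protocol lines look like "TCP: 9206 (72.136%)"; anchored at line start so
# the "Packets Received ..." lines (which have a space before the colon) do
# not match.
RE_PROTO = re.compile(r"^\s*([A-Za-z0-9]+):\s*(\d+)\s*\([\d.]+%\)", re.M)


@dataclass
class HourlyReport:
    received: int
    dropped: int
    protocols: Dict[str, int] = field(default_factory=dict)


def parse_reports(text: str) -> List[HourlyReport]:
    """Split the stats file on the report header and extract the counters."""
    reports = []
    for chunk in text.split(HEADER)[1:]:
        m_recv = RE_RECEIVED.search(chunk)
        m_drop = RE_DROPPED.search(chunk)
        if not (m_recv and m_drop):
            continue  # incomplete block (e.g. Snort is still writing it)
        protos = {name: int(n) for name, n in RE_PROTO.findall(chunk)}
        reports.append(HourlyReport(int(m_recv.group(1)), int(m_drop.group(1)), protos))
    return reports


def check_visibility(reports: List[HourlyReport], min_packets: int = 100,
                     drop_ratio: float = 0.5) -> List[Tuple[int, str]]:
    """Return (report_index, message) for every hour that looks wrong.

    min_packets and drop_ratio are illustrative assumptions; tune them to the
    sensor's normal hourly volume.
    """
    alerts: List[Tuple[int, str]] = []
    prev = None
    for i, r in enumerate(reports):
        if r.dropped > 0:
            alerts.append((i, f"sensor dropped {r.dropped} packets (overloaded or losing capture)"))
        if r.received < min_packets:
            alerts.append((i, f"only {r.received} packets seen this hour (span port down?)"))
        elif prev is not None and prev.received > 0 and r.received < drop_ratio * prev.received:
            pct = 100.0 * (1 - r.received / prev.received)
            alerts.append((i, f"traffic fell {pct:.1f}% against previous hour "
                              f"({prev.received} -> {r.received})"))
        if r.received > 0 and r.protocols.get("TCP", 0) + r.protocols.get("UDP", 0) == 0:
            alerts.append((i, "no TCP or UDP at all: sensor may only see its own segment's broadcast traffic"))
        prev = r
    return alerts


if __name__ == "__main__":
    # Usage: python snort_stats_check.py [/log/snort/stats]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATS
    for idx, msg in check_visibility(parse_reports(text)):
        print(f"report #{idx}: {msg}")
```

Run against the live stats file from cron once an hour and route the printed lines to whatever paging or ticketing system is in use; the same parsed records are what you would insert into a database if the output were to be kept in one.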