Snort does a lot of work and outputs some useful statistics when it is done. Many of these are self-explanatory. The others are summarized below. This does not include all possible output data, just the basics.
Timing Statistics
-----------------
This section provides basic timing statistics. It includes total seconds and packets as well as packet processing rates. The rates are based on whole seconds, minutes, etc. and only shown when non-zero.
Example:
===============================================================================
Run time for packet processing was 175.856509 seconds
Snort processed 3716022 packets.
Snort ran for 0 days 0 hours 2 minutes 55 seconds
   Pkts/min:      1858011
   Pkts/sec:        21234
===============================================================================
Packet I/O Totals
-----------------
This section shows basic packet acquisition and injection peg counts obtained from the DAQ. If you are reading pcaps, the totals are for all pcaps combined, unless you use --pcap-reset, in which case they are shown per pcap.
Outstanding indicates how many packets are buffered awaiting processing. The way this is counted varies per DAQ so the DAQ documentation should be consulted for more info.
Filtered packets are not shown for pcap DAQs.
Injected packets are the result of active response which can be configured for inline or passive modes.
Example:
===============================================================================
Packet I/O Totals:
   Received:      3716022
   Analyzed:      3716022 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Protocol Statistics
-------------------
Traffic for all the protocols decoded by Snort is summarized in the breakdown section. This traffic includes internal "pseudo-packets" if preprocessors such as frag3 and stream5 are enabled, so the total may be greater than the number of analyzed packets in the packet I/O section.
Disc counts are discards due to basic encoding integrity flaws that prevent Snort from decoding the packet.
Other includes packets that contained an encapsulation that Snort doesn't decode.
S5 G 1/2 is the number of client/server sessions stream5 flushed due to cache limit, session timeout, or session reset.
Example:
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:      3722347 (100.000%)
       VLAN:            0 (  0.000%)
        IP4:      1782394 ( 47.884%)
       Frag:         3839 (  0.103%)
       ICMP:        38860 (  1.044%)
        UDP:       137162 (  3.685%)
        TCP:      1619621 ( 43.511%)
        IP6:      1781159 ( 47.850%)
    IP6 Ext:      1787327 ( 48.016%)
   IP6 Opts:         6168 (  0.166%)
      Frag6:         3839 (  0.103%)
      ICMP6:         1650 (  0.044%)
       UDP6:       140446 (  3.773%)
       TCP6:      1619633 ( 43.511%)
     Teredo:           18 (  0.000%)
    ICMP-IP:            0 (  0.000%)
      EAPOL:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:          202 (  0.005%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:          202 (  0.005%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:       104840 (  2.817%)
        IPX:           60 (  0.002%)
   Eth Loop:            0 (  0.000%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:            0 (  0.000%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:         1385 (  0.037%)
  ICMP Disc:            0 (  0.000%)
All Discard:         1385 (  0.037%)
      Other:        57876 (  1.555%)
Bad Chk Sum:        32135 (  0.863%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:         1494 (  0.040%)
     S5 G 2:         1654 (  0.044%)
      Total:      3722347
===============================================================================
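The Packet I/O Totals and protocol breakdown above are what an analyst checks to confirm a sensor actually saw and decoded the traffic it was given. The following added example (not part of the Snort documentation or code base) parses both blocks from a constructed run summary, derives the frag3/stream5 pseudo-packet count from the difference between the protocol Total and the analyzed packets, and applies assumed health thresholds for drops, outstanding packets, checksum failures and discards.

```python
import re
# Constructed sample, trimmed from the run summary format shown above.
SAMPLE_SUMMARY = """\
===============================================================================
Packet I/O Totals:
   Received:      3716022
   Analyzed:      3716022 (100.000%)
    Dropped:            0 (  0.000%)
Outstanding:            0 (  0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:      3722347 (100.000%)
All Discard:         1385 (  0.037%)
Bad Chk Sum:        32135 (  0.863%)
      Total:      3722347
===============================================================================
"""
# A counter line is "<label>: <count> [(<pct>%)]"; labels may contain spaces.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9/ -]+?):\s+(\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")

def parse_summary(text):
    """Return {'io': {...}, 'proto': {...}} keyed by the label as Snort prints it."""
    stats, current = {"io": {}, "proto": {}}, None
    for line in text.splitlines():
        if line.startswith("Packet I/O Totals"):
            current = "io"
        elif line.startswith("Breakdown by protocol"):
            current = "proto"
        elif current and (m := COUNTER_RE.match(line)):
            stats[current][m.group(1).strip()] = int(m.group(2))
    return stats

def rebuilt_packets(stats):  # pseudo-packets from frag3/stream5
    return stats["proto"].get("Total", 0) - stats["io"].get("Analyzed", 0)

def health_findings(stats, max_drop_pct=0.0, max_bad_cksum_pct=1.0, max_disc_pct=0.1):
    """Sensor-health checks; the thresholds are assumed defaults, tune them per site."""
    io, proto, findings = stats["io"], stats["proto"], []
    received, eth = io.get("Received", 0), proto.get("Eth", 0)
    pct = lambda n, d: 100.0 * n / d if d else 0.0
    if pct(io.get("Dropped", 0), received) > max_drop_pct:
        findings.append("dropped")        # DAQ drops mean traffic was never inspected
    if io.get("Outstanding", 0):
        findings.append("outstanding")    # packets still buffered when Snort exited
    if pct(proto.get("Bad Chk Sum", 0), eth) > max_bad_cksum_pct:
        findings.append("bad_checksum")   # checksum offload or a corrupted capture
    if pct(proto.get("All Discard", 0), eth) > max_disc_pct:
        findings.append("discards")       # frames too malformed to decode
    return findings
```

Feed the summary Snort prints at exit into `parse_summary` and alert on a non-empty `health_findings` list; a "dropped" finding means the alert set for that run is incomplete regardless of what the rules matched.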
Actions, Limits, and Verdicts
-----------------------------
Action and verdict counts show what Snort did with the packets it analyzed. This information is only output in IDS mode (when snort is run with the -c