Snort mailing list archives
RE: Disable local logging
From: "Frank Reid" <fcreid () ourcorner org>
Date: Wed, 12 Dec 2001 09:25:04 -0500
Okay, just saw it again and confirmed Snort stops logging locally as well, even though the process appears to be very alive. Here's the version info, but I think it's the current from CVS:

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

I've got three other identically-configured sensors (hardware and software), but it only happens on this one. Probably not coincidentally, this sensor is the highest volume of the four (by far), logging around 200,000 alerts/day. Would Barnyard even make a difference, given that it stops logging locally at the same time?

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Reid
Sent: Tuesday, December 11, 2001 5:09 PM
To: Martin Roesch; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Disable local logging

Thanks, Marty. I'm tracking the SNORT_1_8 branch in CVS. (I saw updates to plugbase.c today, if that points you in the right direction.) Please let me know if that's not where I should be to get the latest and greatest.

As far as the setup, the sensors run on P-III 850MHz with 256MB RAM (Dell 350). It's a multi-NIC box, with eth1 the promiscuous interface (0.0.0.0).

RH 7.2 with 2.4.9-13 kernel
libpcap 0.6.2-9 (RH RPM)
mysql-devel-3.23.46-1 (Rawhide RPM)

Running under demarc for the past few days, using commandline "-o -q -i eth1" with all default rule sets from CVS (some minor exclusions) and no portscan preprocessor. There are no errors in either the syslog or demarcd.log to indicate that upstream reporting to the database stops. I'm now watching to verify whether Snort continues to log locally when this occurs, i.e. whether the problem is just with the database plug-in and not Snort, in general.

Frank

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin Roesch
Sent: Tuesday, December 11, 2001 2:08 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Disable local logging

What version of Snort are you using? This sounds like a bug that cropped up in 1.8.1. Can you read the BUGS file and get back to us with the info that we need?

-Marty

Frank Reid wrote:
Is there a way to disable local logging (to /var/log/snort) entirely, or does that break normal operations? (It may be something simple in snort.conf, but I can't find it.) On my active sensors, I've found the log directory fills up quickly to a point where Snort can no longer add directory entries. It may be unrelated, but it also appears Snort occasionally stops reporting upstream to the MySQL database under heavy traffic volume. The Snort process doesn't die on the sensor, so the demarc wrapper does not know to restart it.

Frank

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
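The failure in this thread is a sensor whose process stays up while its output silently stops, so a process-level wrapper like demarc never restarts it. The watchdog below, an added example and not code from the thread, from Snort or from demarc, checks the two symptoms Frank reports: no recent writes under the log directory, and the filesystem running out of directory entries (free inodes). The log directory path, the 600-second staleness window and the inode floor are assumed defaults.

```python
import os
import time

# Assumed defaults (not from the thread): Snort's usual log directory,
# a quiet window sized for a sensor averaging ~200,000 alerts/day, and
# a floor on free inodes below which new log entries will soon fail.
SNORT_LOG_DIR = "/var/log/snort"
STALE_AFTER_SECONDS = 600
MIN_FREE_INODES = 1000


def newest_mtime(log_dir):
    """Most recent modification time of any file under log_dir
    (recursive), or None when the tree holds no files at all."""
    newest = None
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            try:
                mtime = os.stat(os.path.join(root, name)).st_mtime
            except OSError:
                continue  # entry rotated away between listing and stat
            if newest is None or mtime > newest:
                newest = mtime
    return newest


def sensor_findings(log_dir=SNORT_LOG_DIR, now=None,
                    stale_after=STALE_AFTER_SECONDS,
                    min_free_inodes=MIN_FREE_INODES):
    """Return a list of problems found; an empty list means healthy.
    `now` is injectable so the check is deterministic in tests."""
    now = time.time() if now is None else now
    findings = []
    latest = newest_mtime(log_dir)
    if latest is None:
        findings.append("no log files at all under %s" % log_dir)
    elif now - latest > stale_after:
        findings.append("no log writes for %d s (last at %d)"
                        % (now - latest, latest))
    st = os.statvfs(log_dir)  # directory-entry exhaustion shows up here
    if st.f_ffree < min_free_inodes:
        findings.append("only %d free inodes on the filesystem holding %s"
                        % (st.f_ffree, log_dir))
    return findings


if __name__ == "__main__":
    # Run from cron; a non-zero exit can drive a restart or an alert
    # even though the Snort process itself is still alive.
    problems = sensor_findings()
    for p in problems:
        print("snort-watchdog: " + p)
    raise SystemExit(1 if problems else 0)
```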