Snort mailing list archives

RE: Filesize limit exceeded


From: counter.spy () gmx de
Date: Wed, 1 May 2002 10:16:55 +0200 (MEST)

Kris,

I'm running snort while logging to a mysql database (ACID):

output database: alert, mysql, user=user password=pass dbname=snort host=localhost

I changed the 'alert' from 'log' to get portscan data, and now I'm getting
Filesize limit exceeded errors from the size of my /var/log/snort
directory.  Is there a way to monitor portscans from ACID without logging
to /var/log/snort?

have you tried logging to /dev/null? ;)
e.g. if you want to throw away your locally stored portscans file 
change
preprocessor portscan: 0.0.0.0/0 5 3 portscan.log
to
preprocessor portscan: 0.0.0.0/0 5 3 /dev/null

but I wouldn't do that, because I like to tail -f on the portscan file in
order to view portscans in near-realtime.

If you want to throw away all of the log files specify 
-l /dev/null
on the command line

I haven't tried this but I think it could do exactly what you asked for. 

I'm running Linux 2.4.17.

<Thank you.
Hopefully someday, I'll be answering more questions rather than asking
them.

NP, let me know if it works for you :)

<-Kris

Greetings,
Detmar
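As an added example (not part of the thread above), here is what keeping the local portscan.log buys you over /dev/null: a small shell summary of which hosts probed how many distinct ports, the kind of thing you can run beside tail -f. The line format is assumed to be the one spp_portscan writes in Snort 1.x ("May  1 10:16:55 src:sport -> dst:dport SYN ******S*"), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed spp_portscan line format:
#   "May  1 10:16:55 192.168.1.5:1055 -> 10.0.0.1:21 SYN ******S*"
# Fields by whitespace: 1=month 2=day 3=time 4=src:sport 5=-> 6=dst:dport 7.. flags

# Constructed sample standing in for /var/log/snort/portscan.log
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
May  1 10:16:55 192.168.1.5:1055 -> 10.0.0.1:21 SYN ******S*
May  1 10:16:55 192.168.1.5:1056 -> 10.0.0.1:22 SYN ******S*
May  1 10:16:56 192.168.1.5:1057 -> 10.0.0.1:23 SYN ******S*
May  1 10:16:57 10.0.0.9:40000 -> 10.0.0.1:80 SYN ******S*
EOF

# Print "<source host> <distinct destination ports probed>", busiest first.
# Use on the live file with: summarize_portscans /var/log/snort/portscan.log
summarize_portscans() {
    awk '$5 == "->" {
            split($4, s, ":"); split($6, d, ":")
            key = s[1] SUBSEP d[2]          # one count per (source, dst port)
            if (!(key in seen)) { seen[key] = 1; ports[s[1]]++ }
         }
         END { for (h in ports) print h, ports[h] }' "$1" | sort -k2,2nr
}

# Distinct destination ports a single source probed (0 if it never appears)
ports_probed_by() {
    summarize_portscans "$2" |
        awk -v h="$1" '$1 == h { print $2; found = 1 } END { if (!found) print 0 }'
}

summarize_portscans "$SAMPLE_LOG"
```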
