Re: Snort Logs

["John Creegan" <jcreegan () questarweb com>]

I'm running snort 2.0.1 with the -z option.  As I understand it, this
allows snort to better track state to defeat stick attacks.  I'm worried
that when I send the HUP signal to snort it'll lose track.

> On Thursday around 08:15 Michael Sconzo wrote:
>
> I am doing something like this with my setup.  I am currently using
> logrotate to rotate the logs
> /home/snort/alert {
>    postrotate
>        /usr/bin/killall -HUP snort
>    endscript
> }
> /home/snort/portscan.log {
>    compress
>    postrotate
>        /usr/bin/killall -HUP snort
>    endscript
> }
>
> I found that it restarts with the -HUP creating a new alert file, but
it
> would die due to not being able to set the device in promisc mode.  So
i
> setuid /usr/local/bin/snort
>
> I have been trying to think of a work around for this, but so far
nothing
> worth anything.  So if anybody has any suggestions on this, that would
also
> be nice
>
> Thanks,
> -Mike
>
> ----- Original Message ----- 
> From: "Keaton, Lindamaria" <LKeaton () unionsafe com>
> To: "Demetri Mouratis" <dmourati () cm math uiuc edu>
> Cc: <snort-users () lists sourceforge net>
> Sent: Wednesday, September 17, 2003 1:37 PM
> Subject: RE: [Snort-users] Snort Logs
>
>
> > How will a new file generate? How I see this, it will kill snort but
not
> > restart it. Will I then have to reboot the system, in order for a
new
> > alert file to generate. Is that correct, or am I completely wrong?
> >
> > This is what I'm trying to accomplish. I want the alert file to
either
> > compress and move to a different directory, but then start a new
alert
> > file without kill snort. Is there a way to do this?
> >
> > -----Original Message-----
> > From: Demetri Mouratis [mailto:dmourati () cm math uiuc edu] 
> > Sent: Wednesday, September 17, 2003 11:32 AM
> > To: Keaton, Lindamaria
> > Cc: snort-users () lists sourceforge net 
> > Subject: Re: [Snort-users] Snort Logs
> >
> >
> >
> > On Wed, 17 Sep 2003, Keaton, Lindamaria wrote:
> >
> > > Hello,
> > >
> > > I'm running snort 2.0 on Linux 9.0. Does anyone know how to
rotate
> > > /var/log/snort/alert when it reaches certain size?
> > You could use logrotate with the size option for this.
> >
> >        "/var/log/snort/alert" {
> >            rotate 30
> >            size=100k
> >    postrotate
> > kill -HUP `pidof /usr/local/bin/snort`
> >    endscript
> >        }
> >
> > And upgrade to snort 2.0.1 while you are at it.
---------------------------------------------------------------------
> > Demetri Mouratisv



This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users