[Snort-devel] Snort logging with a large # of IPs

Rick Ernst snort-devel at ...582...
Mon Aug 6 14:03:23 EDT 2001



I'm currently testing Snort at the edge of a network running about 40Mbs.
Snort has been dumping with the following error once a large number (~30,000)
of IPs have been logged:
snort: FATALERROR: ERROR: 
 OpenLogFile() =>mkdir(/var/log/snort/211.217.75.219) log directory: Too many links

I've tweaked log.c to change the logging from a flat a.b.c.d/* directory to 
a/b/c/a.b.c.d/*.  This limits each branch of the directory tree to 256 entries.

I've attached a patch that implements this with v1.8p1.  I've never used diff to
generate a patch before, so hope this does the trick.  This is on FreeBSD 4.3,
so access() might need to be changed to stat() and rindex() might need to be
changed to strrchr() for other platforms.

Hope this helps others.

Rick


-------------- next part --------------
--- log.c	Mon Aug  6 10:46:34 2001
+++ log.c.old	Tue Jul 10 02:47:17 2001
@@ -44,16 +44,12 @@
  */
 int OpenLogFile(int mode, Packet * p)
 {
-
-    char *hptr;		      /* manipulate the log path for hashing */
     char log_path[STD_BUF+1]; /* path to log file */
-    char log_hash[STD_BUF+1]; /* Temporary to store directory hash */
     char log_file[STD_BUF+1]; /* name of log file */
     char proto[5];      /* logged packet protocol */
 
     /* zero out our buffers */
     bzero((char *) log_path, STD_BUF + 1);
-    bzero((char *) log_hash, STD_BUF + 1);
     bzero((char *) log_file, STD_BUF + 1);
     bzero((char *) proto, 5);
 
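Review bot: The file headers are reversed (`--- log.c` / `+++ log.c.old`), so the new declarations in this hunk (`hptr`, `log_hash`) and the rest of the hashing code appear as `-` lines, and a plain patch run against 1.8p1 would try to remove them rather than add them. Regenerate with the original file first (diff -u log.c.old log.c), or note that it has to be applied with patch -R. Separately, `log_hash` is declared at the same size as `log_path` (STD_BUF+1) although the hashed path built from it is longer than the path it starts from, so the code that fills it needs a length check.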
@@ -134,35 +130,6 @@
 #endif
 
     /* build the log directory */
-
-    /* hash directory 3-levels deep on first 3 octets */
-    
-    sprintf(log_hash,log_path);		/* Take current path */
-    hptr=rindex(log_hash,'.');		/* Find the last octet */
-    *hptr='\0';				/* and lop it off */
-    while((hptr=index(log_hash,'.')))	/* Convert remaining dots*/
-     *hptr='/';				/* to slashes */
-    strcat(log_hash,rindex(log_path,'/')); /* Add the original directory */
-    strcpy(log_path,log_hash);		/* Replace log_path with hashed path */
-
-    /* Walk new path and create parent directories as needed */
-    hptr=index(&log_hash[1],'/');
-    while(hptr && *hptr && access(log_path,F_OK)!=0)
-      {
-      *hptr='\0';		/* Temporarily truncate path */
-      if(access(log_hash,F_OK)!=0)
-        {
-        if(mkdir(log_hash,S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH) &&
-           errno != EEXIST)
-          {
-          FatalError("ERROR: OpenLogFile() => mkdir(%s) log directory: %s\n", log_path, strerror(errno));
-          }
-        }
-      *(hptr++)='/';		/* Restore path */
-      hptr=index(hptr,'/');	/* Go to next directory level */
-      }
-
-
     if(mkdir(log_path, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH))
     {
 
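Review bot: `sprintf(log_hash,log_path);` uses the log path as the format string and writes without a length limit, so a `%` anywhere in the configured log directory is interpreted as a conversion; `snprintf(log_hash, sizeof(log_hash), "%s", log_path)` avoids both problems. The following `strcat()` and `strcpy()` are also unbounded, and since the hashed path is longer than the original, the copy back into `log_path` can exceed STD_BUF+1 when the path is already near the limit. The result of `rindex(log_hash,'.')` is dereferenced without a NULL check, and the same goes for `rindex(log_path,'/')` passed to `strcat()`. The `index(log_hash,'.')` loop rewrites every dot in the whole path, so a base log directory whose name contains a dot would be split into subdirectories too; restricting the rewrite to the final path component would fix that. In the `FatalError()` call the directory that failed is `log_hash`, but the message prints `log_path`. The inner `access()` test can be dropped, since the `mkdir()` already tolerates EEXIST.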

