[Snort-devel] Snort full log files need hierarchy

Bit Stream bitstream01 at ...445...
Fri Mar 22 05:53:07 EST 2002


In working with Snort, I've found that when running in full log mode, 
having one directory per IP address doesn't scale well.  While I recognize 
the argument that a well-tuned IDS shouldn't go off very often, there are a 
few cases where attack patterns will create a large number of victim IP 
addresses in a short period of time.  When this occurs, the logdir suddenly 
contains scores and scores of directories.  This is a practical problem for 
things that want to stat the directory (like ls); it also creates unsolvable 
problems if the number of directories exceeds the 32k limit.

I'd propose that for the next version of snort you create a directory 
hierarchy, where IP 1.2.3.4 becomes $LOGDIR/1/2/3/4/ when snort is running 
in full log mode.  This would solve a lot of problems by limiting the total 
number of directories in any directory to 255.  Perhaps it is problematic 
performance-wise, but real performance-oriented people shouldn't be running 
in full log mode in real-time anyway.

This has some significant impacts on support programs such as snortsnarf, 
but that should be solvable.  I was thinking it would also be neat if snort 
provided a library for doing the filename lookup so that every script didn't 
have to reinvent the path to the details log file, but that's much less 
important to me.

Thanks,

Eric
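The mapping proposed in the message above, written out as an added example (this is not Snort's or snortsnarf's code, and Snort did not ship such a library). It assumes the hypothetical helper names hier_dir, ip_from_hier_dir and fanout, a hypothetical logdir of /var/log/snort, and a constructed victim list (a 10.1.0.0/20 sweep) to show the scaling difference between the flat and the hierarchical layout. The address is parsed before it becomes a path component, so a support script that takes the address from an untrusted source cannot be steered outside the logdir by a string like "../../etc".

```python
#!/usr/bin/env python3
"""Hypothetical helpers for the hierarchical full-log layout proposed in the
message above (added example, not Snort or snortsnarf code).

IPv4 address a.b.c.d maps to <logdir>/a/b/c/d/, so no directory level ever
holds more than 256 entries (octet values 0..255).
"""
import ipaddress
import os


def hier_dir(logdir: str, ip: str) -> str:
    """Per-host directory for `ip` under `logdir` in the proposed hierarchical layout.

    The address is parsed with ipaddress, so a malformed or hostile string
    (e.g. "../../etc") raises AddressValueError instead of becoming a path.
    """
    addr = ipaddress.IPv4Address(ip)
    octets = [str(b) for b in addr.packed]      # four values, each 0..255
    return os.path.join(os.path.normpath(logdir), *octets)


def flat_dir(logdir: str, ip: str) -> str:
    """Per-host directory in Snort's existing flat layout: <logdir>/a.b.c.d."""
    return os.path.join(os.path.normpath(logdir), str(ipaddress.IPv4Address(ip)))


def ip_from_hier_dir(logdir: str, path: str) -> str:
    """Inverse mapping: recover the dotted quad from a hierarchical host dir.

    This is the lookup a support script would otherwise have to reinvent.
    """
    rel = os.path.relpath(os.path.normpath(path), os.path.normpath(logdir))
    parts = rel.replace(os.sep, "/").split("/")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a hierarchical host directory: {path}")
    return ".".join(str(int(p)) for p in parts)


def fanout(logdir: str, ips, layout) -> int:
    """Largest number of entries any single directory would hold if every
    address in `ips` got a directory under `layout` (hier_dir or flat_dir).

    This is the quantity that matters for `ls`, stat() and the directory
    count limit mentioned in the message.
    """
    root = os.path.normpath(logdir)
    children = {}                      # parent directory -> set of child names
    for ip in ips:
        path = layout(root, ip)
        while path != root:
            parent = os.path.dirname(path)
            if parent == path:         # reached filesystem root; malformed input
                break
            children.setdefault(parent, set()).add(os.path.basename(path))
            path = parent
    return max((len(names) for names in children.values()), default=0)


# Constructed sample: a single sweep hitting every host in 10.1.0.0/20
# (4096 addresses), the kind of burst the message describes.
SAMPLE_VICTIMS = [str(h) for h in ipaddress.IPv4Network("10.1.0.0/20")]


if __name__ == "__main__":
    logdir = "/var/log/snort"          # hypothetical log directory
    print(hier_dir(logdir, "1.2.3.4"))
    print(ip_from_hier_dir(logdir, hier_dir(logdir, "1.2.3.4")))
    print("flat layout, max entries in one dir:", fanout(logdir, SAMPLE_VICTIMS, flat_dir))
    print("hier layout, max entries in one dir:", fanout(logdir, SAMPLE_VICTIMS, hier_dir))
```

With the constructed sweep the flat layout puts all 4096 host directories directly in the logdir, while the hierarchical layout never exceeds 256 entries in any one directory (the 10/1/ level holds sixteen third-octet directories, each holding 256 fourth-octet directories).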





