[Snort-sigs] Limiting Alert Rates? Newbie

Erek Adams erek at ...95...
Thu Aug 28 00:13:05 EDT 2003


On Wed, 27 Aug 2003, Tony Lill wrote:

[...snip...]

> Some sort of alert limiting would be nice, though.

No denial of that.  :)  I'm just not sure how high up on the 'features to
add' list that might be.  Chris?  Andrew?  Brian?

> I was recently inadvertently DOS'd by snort when it tried to log about
> 1000 alerts per minute from a host that got infected with an sql worm an
> tried to infect the rest of the internet.
>
> After 32 minutes, it blew up when it could no longer create
> directories for log files. Something about a limit of 32000 links on
> an ext3 filesystem. Not being able to open an alert file should
> probably not be a fatal error, BTW, especially if it can still log by
> other means.

It's not Snort that had the error it was the OS.  Linux dies on files over
2GB unless you've built the kernel with LARGE_FILES.  It also has a few
file system maxes (inodes, files/directories) that you can tune via
/proc.  The OS sends back a SIGTERM which Snort rightly interprets as "Oh
crap, something happened, better bail out!"

A slight side:  Logging to ASCII files is about the best way to get the
worst possible performance from Snort.  :)  On a small or slow net, this
might be acceptable, but on larger nets with high rates of traffic it's
not going to perform very well--The disk I/O eats you alive.  You may want
to consider logging to a pcap file and then post processing it onto
another box or in another location.

> I've got a patch that puts these logs in a structured tree instead of
> a flat directory. I'll submit it when I've run it a couple of days.

Sure.  Send it on over to the snort-devel list for perusal.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-sigs mailing list