[Snort-sigs] Limiting Alert Rates? Newbie
erek at ...95...
Thu Aug 28 00:13:05 EDT 2003
On Wed, 27 Aug 2003, Tony Lill wrote:
> Some sort of alert limiting would be nice, though.
No denial of that. :) I'm just not sure how high up on the 'features to
add' list that might be. Chris? Andrew? Brian?
> I was recently inadvertently DOS'd by snort when it tried to log about
> 1000 alerts per minute from a host that got infected with an SQL worm and
> tried to infect the rest of the internet.
> After 32 minutes, it blew up when it could no longer create
> directories for log files. Something about a limit of 32000 links on
> an ext3 filesystem. Not being able to open an alert file should
> probably not be a fatal error, BTW, especially if it can still log by
> other means.
It's not Snort that had the error, it was the OS. Linux dies on files over
2GB unless you've built the kernel with LARGE_FILES. It also has a few
file system maxes (inodes, files/directories) that you can tune via
/proc. The OS sends back a SIGTERM which Snort rightly interprets as "Oh
crap, something happened, better bail out!"
A slight side: Logging to ASCII files is about the best way to get the
worst possible performance from Snort. :) On a small or slow net, this
might be acceptable, but on larger nets with high rates of traffic it's
not going to perform very well -- the disk I/O eats you alive. You may want
to consider logging to a pcap file and then post processing it onto
another box or in another location.
> I've got a patch that puts these logs in a structured tree instead of
> a flat directory. I'll submit it when I've run it a couple of days.
Sure. Send it on over to the snort-devel list for perusal.
"When things get weird, the weird turn pro." H.S. Thompson
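As an added illustration of the alert limiting discussed above (example code, not from this thread or from Snort itself): a sliding-window limiter that reads Snort "fast" style alert lines, keeps at most `limit` alerts per (signature, source address) within `window` seconds, and reports what it dropped. The alert lines, the sid 100001 and the addresses are constructed for the example; the regular expression assumes the single-line fast alert layout.

```python
"""Per-source alert throttling over Snort "fast" style alert lines.

Added example (not from the mailing-list thread or from Snort itself): a
sliding-window limiter that keeps at most LIMIT alerts per (signature,
source address) within WINDOW seconds and summarises what it dropped.
Sample lines, sid 100001 and the addresses below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort "fast" alert layout (assumed): timestamp [**] [gid:sid:rev] msg [**] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line, year=2003):
    """Parse one fast-alert line; return a dict or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # Fast alerts carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": ts, "sid": int(m["sid"]), "src": m["src"],
            "dst": m["dst"], "msg": m["msg"]}


class AlertLimiter:
    """Admit at most `limit` alerts per (sid, src) in any `window` seconds."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)    # (sid, src) -> times of admitted alerts
        self.suppressed = defaultdict(int)  # (sid, src) -> number dropped

    def admit(self, alert):
        key = (alert["sid"], alert["src"])
        q = self.recent[key]
        now = alert["time"]
        # Drop admitted timestamps that have fallen out of the window.
        while q and (now - q[0]).total_seconds() >= self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True
        self.suppressed[key] += 1
        return False


def throttle(lines, limit=5, window=60.0):
    """Return (admitted alerts, {(sid, src): suppressed count})."""
    limiter = AlertLimiter(limit, window)
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line; leave it to other processing
        if limiter.admit(alert):
            kept.append(alert)
    return kept, dict(limiter.suppressed)


def make_sample():
    """Constructed input: one noisy host and one quiet host hitting the same rule."""
    msg = "EXAMPLE worm propagation attempt"
    lines = []
    for i in range(12):  # 12 alerts in 44 seconds from 10.0.0.5
        lines.append(f"08/27-10:15:{i * 4:02d}.000000 [**] [1:100001:1] {msg} [**] "
                     f"{{UDP}} 10.0.0.5:1434 -> 192.168.1.{i + 1}:1434")
    lines.append(f"08/27-10:15:30.000000 [**] [1:100001:1] {msg} [**] "
                 "{UDP} 10.0.0.9:1434 -> 192.168.1.50:1434")
    # 65 s after the first alert: the window has moved on, so this one is admitted.
    lines.append(f"08/27-10:16:05.000000 [**] [1:100001:1] {msg} [**] "
                 "{UDP} 10.0.0.5:1434 -> 192.168.1.60:1434")
    return lines


if __name__ == "__main__":
    kept, dropped = throttle(make_sample(), limit=5, window=60.0)
    print(f"admitted {len(kept)} alerts; suppressed per (sid, src): {dropped}")
```

With the defaults, the 12 alerts from the noisy host in one minute yield 5 admitted and 7 suppressed, the quiet host's single alert passes, and the alert 65 seconds later is admitted again because the oldest entries have aged out. Bounding the rate per source this way also bounds how many per-host log directories an ASCII logger would create during an outbreak, which is the failure mode described in the thread.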