[Snort-users] Snort Stopped

___cliff rayman___ cliff at ...1366...
Wed Apr 18 20:42:53 EDT 2001


whoops.  my mistake.  it's not inodes in a filesystem.
it is entries in a directory.  inodes in a filesystem are
usually tunable when the filesystem is made.  the
entries in a single directory are fixed for some reason.

some programs that attempt to use filesystems as a database
sometimes create hierarchical directory entries to get around
this problem.  if snort used this technique, then it would
attempt to create something like:

/var/log/snort/62/31/228/xxx

the number of individual ip addresses in the current ipv4 range
is way more than 32,000, but using the technique above, no directory
would ever be requested to add more than 255 entries.

hope this clears up my previous FUD.

___cliff rayman___ wrote:

> you are using too many inodes in your file system.  basically,
> you have too many individual files and there are not enough
> inode entities available to store the metadata in.  i think the max
> on linux is 32,000, which is the max for a virtual file system.
>
> make a new fs just for snort so it will not overflow.
>
> this is the danger of using the fs as a database.  i like to do it
> also, but i am keeping my eye on a similar problem for another
> application.
>
> hth,
> --
> ___cliff rayman___cliff at ...1367...://www.genwax.com/
>
> Daniel Paul Hart wrote:
>
> >
> > Hi there, I have been successfully running Snort in Daemon mode for
> > about a week until today. When it just stopped with this message:
> >
> > snort: ERROR: OpenLogFile() => mkdir(/var/log/snort/62.31.228.xxx) log directory: Too many links
> >
> > Can someone help me diagnose this?
> >
> > Cheers,
> > Dan Hart

--
___cliff rayman___cliff at ...1367...://www.genwax.com/
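
The hierarchical layout described in the message above, as an added example that is not part of the original thread and is not Snort's own code. The function names sharded_log_path and mkdir_parents are hypothetical. Splitting the address into one directory per octet means no directory holds more than 256 subdirectories (octet values 0-255), far below the per-directory limit that produced "Too many links" (EMLINK).

```c
/* Added example (not Snort source); function names are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Write "<base>/a/b/c/d" for a dotted-quad IPv4 string into out.
 * Returns 0 on success, -1 if ip is not valid IPv4 or out is too small. */
int sharded_log_path(const char *base, const char *ip, char *out, size_t outlen)
{
    struct in_addr addr;
    unsigned char o[4];

    if (inet_pton(AF_INET, ip, &addr) != 1)
        return -1;                  /* also keeps "../" style names out of the path */
    memcpy(o, &addr.s_addr, 4);     /* network byte order: o[0] is the first octet */
    int n = snprintf(out, outlen, "%s/%u/%u/%u/%u", base,
                     (unsigned)o[0], (unsigned)o[1], (unsigned)o[2], (unsigned)o[3]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Create each component of path in turn, like "mkdir -p".
 * Returns 0, or -1 with errno set by mkdir() (EMLINK is "Too many links"). */
int mkdir_parents(char *path, mode_t mode)
{
    if (path[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    for (char *p = path + 1; ; p++) {
        if (*p != '/' && *p != '\0')
            continue;
        char saved = *p;
        *p = '\0';                  /* temporarily end the string at this component */
        int rc = mkdir(path, mode);
        *p = saved;
        if (rc != 0 && errno != EEXIST)
            return -1;
        if (saved == '\0')
            return 0;
    }
}
```
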





