[Snort-users] >2Gb capture files

Mayers, Philip J p.mayers at ...1913...
Mon Jun 25 05:59:46 EDT 2001


We have a rather high-traffic site, and I just had an embarrassing experience
- the snort machine runs RedHat 7.0, and I was running it under screen, so
that if it dumped core, I'd see the error messages (It hasn't - nice and
stable). However, once the log file reached 2Gb, snort (or glibc) stopped
writing... Losing us 18 days of binary packet captures (doh!)

Anyway, I have two questions:

1) Does anyone have a good snort logrotate script?
2) If I upgrade the system to RedHat 7.1, will snort/libpcap suddenly be
"ok" with such large files?

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+



