[Snort-users] >2Gb capture files

Chris Green cmg at ...671...
Mon Jun 25 11:52:22 EDT 2001


"Mayers, Philip J" <p.mayers at ...1913...> writes:

> We have a rather high-traffic site, and I just had an embarrassing experience
> - the snort machine runs RedHat 7.0, and I was running it under screen, so
> that if it dumped core, I'd see the error messages (It hasn't - nice and
> stable). However, once the log file reached 2Gb, snort (or glibc) stopped
> writing... Losing us 18 days of binary packet captures (doh!)
> 
> Anyway, I have two questions:
> 
> 1) Does anyone have a good snort logrotate script?
> 2) If I upgrade the system to RedHat 7.1, will snort/libpcap suddenly be
> "ok" with such large files?

Here's a Linux rotate one that stores the logs in dated hourly directories.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_rotate.sh
Type: application/x-sh
Size: 685 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010625/e3d57acc/attachment.sh>
-------------- next part --------------

I have an hourly snortsnarf and a daily snortsnarf as well as a
pcapmerge run daily to concat all the binary log files. -A fast -b is
the logging method.
-- 
Chris Green <cmg at ...671...>
You now have 14 minutes to reach minimum safe distance.
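The attachment above was scrubbed by the list archive, so the script itself is not on this page. The following is an added example of the same idea (a rotation script that files Snort's binary log into dated hourly directories), written here and not Chris Green's attachment. It assumes Snort writes a single binary log file (`snort.log` under `-b`), that the archive base directory is writable, and that the caller stops or restarts Snort around the move; the `LFS_LIMIT` check reflects the 2 GiB boundary (2^31 - 1 bytes) that a process using a 32-bit signed `off_t` cannot write past.

```shell
#!/bin/sh
# Added example, not the scrubbed snort_rotate.sh from the original post.
# Rotates a Snort binary log into BASE/YYYY/MM/DD/HH and warns when the
# file is approaching the 2 GiB limit of a non-LFS 32-bit build.

# Largest offset representable in a 32-bit signed off_t: 2^31 - 1 bytes.
LFS_LIMIT=2147483647

# hourly_dir BASE [STAMP]
#   Prints BASE/YYYY/MM/DD/HH. STAMP defaults to the current UTC hour; a
#   caller may pass one in the same YYYY/MM/DD/HH form (used by the tests).
hourly_dir() {
    printf '%s/%s\n' "$1" "${2:-$(date -u +%Y/%m/%d/%H)}"
}

# rotate_log LOGFILE BASE [STAMP]
#   Moves LOGFILE into the hourly directory under BASE and prints the new
#   path. If a file of that name already exists in the hour (rotation ran
#   more than once), a numeric suffix is appended instead of overwriting.
#   Returns 1 when LOGFILE does not exist.
rotate_log() {
    log=$1
    [ -f "$log" ] || return 1
    dest=$(hourly_dir "$2" "$3")
    mkdir -p "$dest" || return 1
    name=$(basename "$log")
    target="$dest/$name"
    n=0
    while [ -e "$target" ]; do
        n=$((n + 1))
        target="$dest/$name.$n"
    done
    mv "$log" "$target" || return 1
    printf '%s\n' "$target"
}

# near_limit FILE [MARGIN]
#   Returns 0 (true) when FILE is within MARGIN bytes (default 64 MiB) of
#   the 2 GiB boundary, i.e. when rotation should not wait for the hour.
near_limit() {
    size=$(wc -c < "$1" | tr -d ' ')
    margin=${2:-67108864}
    [ "$size" -ge $((LFS_LIMIT - margin)) ]
}

# Command-line entry point: snort_rotate.sh LOGFILE ARCHIVE_BASE
# Does nothing when run without arguments, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
    if near_limit "$1"; then
        echo "warning: $1 is close to the 2 GiB limit" >&2
    fi
    rotate_log "$1" "$2"
fi
```

One caveat the move alone does not solve: a running Snort keeps the old inode open, so after `mv` it continues writing into the archived file until it reopens its log. Run this from cron at the top of the hour with Snort stopped and restarted around it (or signalled to reopen its output, if the version in use supports that), and point the daily `pcapmerge` at the archive tree to rebuild a full capture from the hourly pieces.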

