[Snort-users] Snort dies after a few days.

Shane Williams shanew at ...5387...
Mon Mar 25 12:14:32 EST 2002


On Mon, 25 Mar 2002, Bill McCarty wrote:

> My Snort dies when a binary log file reaches a bit over 2 GB. I thought RHL 
> 7.2 and the 2.4 kernel allowed files to exceed this limit, but apparently 
> not. I'll check further when I get the version of Snort that I just 
> compiled to properly generate alerts <grin>.

This is a "bug" in the libpcap RPM that comes with RH 7.2.  I reported
this issue to RH last week as I was having the same problem with
tcpdump.

I recompiled libpcap from source using the following defines in the
Makefile and everything works fine:
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE

For more info on large file support, see
http://www.suse.de/~aj/linux_lfs.html

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |                               
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...5387...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
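
Added example, not part of the original message and not libpcap or Snort code: a small C probe that reports how wide off_t is in the current build and whether a byte can be written at the 2 GiB offset, so the effect of the defines quoted above can be compared between builds. The function names and the /tmp scratch file name are assumptions made for this illustration.

```c
/* Added example: can this build address file offsets past 2 GiB?
 * Compare a plain build with: -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE */
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define TWO_GIB ((uint64_t)1 << 31)

/* 1 if file position `pos` fits in a signed offset that is `bits` wide. */
int offset_fits(uint64_t pos, int bits)
{
    if (bits < 2) return 0;
    if (bits > 64) bits = 64;
    return pos <= (UINT64_MAX >> (65 - bits));
}

/* Width of off_t as this translation unit was compiled. */
int off_t_bits(void) { return (int)(sizeof(off_t) * 8); }

/* Write one byte at `pos` in a sparse scratch file (hypothetical /tmp name).
 * Returns 0 on success, otherwise an errno value such as EOVERFLOW or EFBIG. */
int probe_write_at(uint64_t pos)
{
    char path[] = "/tmp/lfs_probe_XXXXXX";
    char byte = 'x';
    int fd, err = 0;
    if (!offset_fits(pos, off_t_bits()))
        return EOVERFLOW;         /* off_t cannot even express the position */
    signal(SIGXFSZ, SIG_IGN);     /* get EFBIG from write() instead of a signal */
    if ((fd = mkstemp(path)) < 0)
        return errno;
    if (lseek(fd, (off_t)pos, SEEK_SET) == (off_t)-1 || write(fd, &byte, 1) != 1)
        err = errno ? errno : EIO;
    close(fd);
    unlink(path);
    return err;
}

int main(void)
{
    int rc = probe_write_at(TWO_GIB);
    printf("off_t: %d bits, write at 2 GiB: errno %d\n", off_t_bits(), rc);
    return rc != 0;
}
```

On a platform where off_t is already 64 bits wide the defines change nothing and the probe succeeds either way; the difference shows up on 32-bit builds.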




