[Snort-users] Filesize limit exceeded

counter.spy at ...348...
Wed May 1 01:53:02 EDT 2002


Kris,

>I'm running snort while logging to a mysql database (ACID):
>
>output database: alert, mysql, user=user password=pass dbname=snort
>host=localhost
>
>I changed the 'alert' from 'log' to get portscan data, and now I'm getting
>Filesize limit exceeded errors from the size of my /var/log/snort
>directory.  Is there a way to monitor portscans from ACID without logging
>to /var/log/snort?

Have you tried logging to /dev/null? ;)
E.g., if you want to throw away your locally stored portscan file,
change
preprocessor portscan: 0.0.0.0/0 5 3 portscan.log
to
preprocessor portscan: 0.0.0.0/0 5 3 /dev/null

but I wouldn't do that, because I like to tail -f on the portscan file in
order to view portscans in near-realtime.

If you want to throw away all of the log files, specify
-l /dev/null
on the command line.

I haven't tried this but I think it could do exactly what you asked for. 

>I'm running Linux 2.4.17.
>
>Thank you.
>Hopefully someday, I'll be answering more questions rather than asking
>them.

NP, let me know if it works for you :)

>-Kris

Greetings,
Detmar


