[Snort-users] -l parameter

John Creegan jcreegan at ...9729...
Tue Dec 9 09:20:03 EST 2003


Check out the "find" command.  It's usually something like:

find DIRNAME -atime +x -exec rm {} \;

DIRNAME is the starting directory.  This find command will traverse the
tree downward.  For experimentation, I'd replace the "rm" command with
the "ls" command so that you can obtain a list of what objects this
command grabs.  "atime is access time.  + is "this many or more", x is
units measured in days.

>>> <adam_peterson at ...10608...> 12/09/03 11:07AM >>>
I see your point.  I'll have to think about it because I do back up the
db every night but I run the risk of missing an attack like the Slammer
worm if I can't write to the db.

My next question is, how do I manage those files?  I don't know of a
good way to remove aged files as there is in the db with ACID.  Does anyone
know of a command in Solaris that would allow me to delete files and a
directory structure if they're older than x hours/days?

>From: "Michael Steele" <michaels at ...9077...>
>To: "'Snort Users List'" <snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] -l parameter
>Date: Mon, 8 Dec 2003 20:04:04 -0800
>
>
>Adam,
>
>You just placed all your marbles into one pot. If you lose your database
>you lose it all. At least with the log you could populate the database
>if it got corrupted.
>
>I don't suggest anyone do this, especially in a production environment.
>If you don't have enough room for the log file, then get a few more megs
>of storage space.
>
>Kindest regards,
>
>The WINSNORT.com Management Team


Adam Peterson | Senior WAN Engineer | SPL WorldGroup | 
adam_peterson at ...10608... | +1.415.357.4787
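The "ls first, then rm" approach from the reply above, written out as a small POSIX sh script that prunes aged Snort -l log directories. This is an added example, not code from the thread; the /var/log/snort layout with per-source subdirectories, the file names in the fixture, and the prune_snort_logs.sh name are assumptions. It uses -mtime instead of -atime, because access times are bumped by backups and by anyone reading the logs, which would keep old files alive forever.

```shell
#!/bin/sh
# Age-based pruning of Snort -l log directories (added example, not from the
# original thread). Only POSIX find primaries are used so it also runs under
# Solaris /usr/bin/sh. Assumed layout: $LOGDIR/<source-ip>/<alert files>.
LOGDIR="${LOGDIR:-/var/log/snort}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# Dry run: print the files that prune_aged_files would delete.
# -mtime +N matches files modified more than N*24h ago (mtime, not atime:
# reading or backing up a log must not make it look "fresh").
list_aged_files() {
    find "$1" -type f -mtime +"$2" -print
}

count_aged_files() {
    list_aged_files "$1" "$2" | wc -l | tr -d ' '
}

# Delete aged files, then remove the per-source directories they emptied.
prune_aged_files() {
    find "$1" -type f -mtime +"$2" -exec rm -f {} \;
    for sub in "$1"/*; do
        # -depth visits children before parents, so nested empty directories
        # collapse upward; rmdir refuses non-empty ones (stderr discarded).
        [ -d "$sub" ] && find "$sub" -depth -type d -exec rmdir {} \; 2>/dev/null
    done
    return 0
}

# Test helper: builds a constructed log tree with one stale and one fresh file
# (the stale one is stamped 2000-01-01, so it is older than any KEEP_DAYS).
setup_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/10.0.0.1" "$d/10.0.0.2"
    touch -t 200001010000 "$d/10.0.0.1/ICMP_ECHO"
    touch "$d/10.0.0.2/TCP_12345-80"
    printf '%s\n' "$d"
}

# Usage: LOGDIR=/var/log/snort KEEP_DAYS=30 sh prune_snort_logs.sh list|prune
case "${1:-}" in
    list)  list_aged_files "$LOGDIR" "$KEEP_DAYS" ;;
    prune) prune_aged_files "$LOGDIR" "$KEEP_DAYS" ;;
esac
```

Run with "list" first and check the output; only then run "prune".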
