[Snort-users] (no subject)

Russell Fulton r.fulton at ...3809...
Fri Dec 12 22:17:02 EST 2003


> The network I'm monitoring is quite big (actually it's huge).
> Every time works fine, until more than 32000 alerts (different IP's) are generated.
> When this happens, snort just stops, probably because of an operating
> system restriction.

Yes, this is a fundamental constraint of the file system (number of
files in a directory).  Simple way to work around it would be to use a
different logging format: either tcpdump, unified or log to a database.
With so many alerts you may have performance problems with logging
direct to a database.

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
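The workaround in the reply, shown as a Snort 2.x output configuration. This is an added example, not a fragment from the thread or from the Snort project: it contrasts the default decoded-packet logging (one subdirectory per offending source address under the `-l` directory, which is what exhausts the per-directory entry limit of ext2/ext3, roughly 32000 links) with the tcpdump, unified and database outputs the reply names. The file names, the 128 MB rotation limit and the database credentials are placeholders.

```conf
# Added example (not from the original thread): Snort 2.x output plugins
# that replace the default per-host directory logging.
#
# Default behaviour with no output plugin, e.g.  snort -c snort.conf -l /var/log/snort
# writes decoded packets into /var/log/snort/<source-ip>/ ; one directory
# per alerting host. On a large network the number of subdirectories
# reaches the filesystem's per-directory limit and Snort stops.
# Either run with -N (no packet logging) or configure one of the outputs
# below so that nothing is written per host.

# Option 1: one binary pcap file, readable later with tcpdump -r / snort -r
output log_tcpdump: snort.log

# Option 2: unified binary format, alerts and packets in two files that
# rotate at 128 MB (placeholder limit); a separate reader such as barnyard
# turns them into whatever final format is needed
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# Option 3: direct database logging. Works, but as the reply notes Snort
# blocks on every insert at this alert rate; prefer option 2 with the
# reader feeding the database. Credentials below are placeholders.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

With option 1 or 2 the log directory holds a handful of files regardless of how many distinct source addresses alert, so the 32000-directory ceiling described in the question is never approached; a cheap health check is simply to watch that the `-l` directory contains only those files and no per-IP subdirectories.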
