[Snort-users] (no subject)
r.fulton at ...3809...
Fri Dec 12 22:17:02 EST 2003
> The network I'm monitoring is quite big (actually it's huge).
> Every time works fine, until more than 32000 alerts (different IP's) are generated.
> When this happens, snort just stops, probably because of an operating
> system restriction.
Yes, this is a fundamental constraint of the file system (number of
files in a directory). A simple way to work around it would be to use a
different logging format: either tcpdump, unified, or log to a database.
With so many alerts you may have performance problems with logging
directly to a database.
Russell Fulton                    /~\  The ASCII
Network Security Officer          \ /  Ribbon Campaign
The University of Auckland         X   Against HTML
New Zealand                       / \  Email!
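The workaround described in the reply, as an added snort.conf illustration (not from the original mail or the Snort project): the per-IP ASCII log layout that hits the per-directory limit, next to the tcpdump, unified and database output plugins that write to a fixed set of files instead. Filenames, the rotation limit and the database credentials are assumed values.

```conf
# --- Problematic setup (constructed example) ---
# Started as:  snort -c snort.conf -l /var/log/snort
# With no log output plugin configured, Snort 2.x writes decoded ASCII
# logs under /var/log/snort/<remote-ip>/, creating one subdirectory per
# address. At tens of thousands of distinct addresses this runs into the
# file system's per-directory entry limit and logging stops.
output alert_fast: alert

# --- Workaround 1: binary tcpdump-format log, one growing file ---
# Equivalent to running snort with -b; read back with tcpdump -r or
# snort -r, no per-IP directories are created.
output log_tcpdump: snort.log

# --- Workaround 2: unified alert + log files ---
# limit is the rollover size in MB (assumed value); a new file is opened
# when it is reached, so the directory holds a handful of files, not
# one entry per source address.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- Workaround 3: direct database logging ---
# Caveat from the reply: at this alert rate, synchronous inserts can make
# Snort fall behind. Prefer the unified files above and load them into
# the database out of band. Credentials are placeholders.
# output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

Only one of the log plugins needs to be active; keeping `alert_fast` alongside is fine, since it appends to a single alert file rather than creating directories.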