[Snort-users] snort just stop when more 32000 alerts (different IPs) aregenerated

Jerry Shenk jshenk at ...514...
Sun Dec 21 19:18:01 EST 2003

I can tell  you that snort itself doesn't automatically stop when it
hit's 32000 alerts.  I have a network where they got welchia or some
variant and snort didn't stop.  I wouldn't even thing 32000 directories
would be a problem (assuming linux or another unix variant).  This
network would have had that some number of directories.  This particular
snort sensor is running Snort/MySQL/ACID so perhaps we're logging things
a bit differently but it's not a snort issue.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
maguiler at ...10756...
Sent: Friday, December 12, 2003 7:33 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort just stop when more 32000 alerts (different
IPs) aregenerated


The network I'm monitoring is quite big (actually it's huge). Every time
works fine, until more than 32000 alerts (different IP's) aregenerated.
When this happens, snort just stop probably because of an operating

This happens, in my networks, about every 20-30 minutes, and the
error is about the impossibility of creating more directories within the
snort logging directories. Of course after the directory is cleaned
(restore to zero contents) everything runs fine for a while until 32000
different IP alerts aregenerated again. 

Could you help me, I mean any clue about now to work around the problem?
Any one with the same problem to resolve? Is it a common compliant? Mave
you plans to overcome this limitation?

Thank you!

Meilys AM

This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for
Free Linux Tutorials.  Learn everything from the bash shell to sys
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op,ick
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list