[Snort-users] snort just stop when more 32000 alerts (different IPs) are generated
jshenk at ...514...
Sun Dec 21 19:18:01 EST 2003
I can tell you that snort itself doesn't automatically stop when it
hits 32000 alerts. I have a network where they got welchia or some
variant and snort didn't stop. I wouldn't even think 32000 directories
would be a problem (assuming Linux or another Unix variant). This
network would have had that same number of directories. This particular
snort sensor is running Snort/MySQL/ACID so perhaps we're logging things
a bit differently but it's not a snort issue.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
maguiler at ...10756...
Sent: Friday, December 12, 2003 7:33 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort just stop when more 32000 alerts (different
The network I'm monitoring is quite big (actually it's huge). Every time
works fine, until more than 32000 alerts (different IPs) are generated.
When this happens, snort just stops probably because of an operating
This happens, in my networks, about every 20-30 minutes, and the
error is about the impossibility of creating more directories within the
snort logging directories. Of course after the directory is cleaned
(restore to zero contents) everything runs fine for a while until 32000
different IP alerts are generated again.
Could you help me, I mean any clue about how to work around the problem?
Anyone with the same problem to resolve? Is it a common complaint? Have
you plans to overcome this limitation?
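
Added example, not part of the original thread and not Snort's own code: a small check that counts the subdirectories in a Snort log directory and reports how close it is to the cap described above, so the condition is seen before the sensor stops. The 32000 default is the figure from the report (the real cap depends on the filesystem), and the path /var/log/snort and the names count_dirs and headroom are assumptions.

```python
#!/usr/bin/env python3
"""Report how close a Snort log directory is to a subdirectory cap."""
import ipaddress
import os
import sys

# Assumption: 32000 is the figure reported in the thread; the real cap
# depends on the filesystem that holds the log directory.
DEFAULT_LIMIT = 32000


def count_dirs(log_dir):
    """Return (all_subdirs, ip_named_subdirs) for the top level of log_dir."""
    total = ip_named = 0
    with os.scandir(log_dir) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue  # plain files (for example an alert file) do not count
            total += 1
            try:
                ipaddress.ip_address(entry.name)
                ip_named += 1  # one directory per logged address
            except ValueError:
                pass  # some other directory; it still uses up a slot
    return total, ip_named


def headroom(log_dir, limit=DEFAULT_LIMIT, warn_ratio=0.8):
    """Return (status, used, remaining); status is OK, WARN or CRIT."""
    used, _ = count_dirs(log_dir)
    remaining = max(limit - used, 0)
    if used >= limit:
        status = "CRIT"
    elif used >= limit * warn_ratio:
        status = "WARN"
    else:
        status = "OK"
    return status, used, remaining


if __name__ == "__main__":
    # Hypothetical default path; pass the sensor's real log directory as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort"
    status, used, remaining = headroom(path)
    _, ip_named = count_dirs(path)
    print(f"{status}: {used} subdirectories ({ip_named} per-IP), {remaining} left")
    sys.exit({"OK": 0, "WARN": 1, "CRIT": 2}[status])
```

Run from cron, the exit status (0, 1 or 2) can drive an alert or a log rotation job before directory creation starts to fail.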