[Snort-users] snort just stop when more 32000 alerts (different IPs) are generated

J-H. Johansen corinth at ...4741...
Mon Dec 22 01:28:02 EST 2003

Jerry Shenk wrote:
> I can tell you that snort itself doesn't automatically stop when it
> hits 32000 alerts.  I have a network where they got welchia or some
> variant and snort didn't stop.  I wouldn't even think 32000 directories
> would be a problem (assuming linux or another unix variant).  This
> network would have had that some number of directories.  This particular
> snort sensor is running Snort/MySQL/ACID so perhaps we're logging things
> a bit differently but it's not a snort issue.
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
> maguiler at ...10756...
> Sent: Friday, December 12, 2003 7:33 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snort just stop when more 32000 alerts (different
> IPs) are generated
> Hi
> The network I'm monitoring is quite big (actually it's huge). Every time
> works fine, until more than 32000 alerts (different IPs) are generated.
> When this happens, snort just stops, probably because of an operating
> system restriction.
> This happens, in my networks, about every 20-30 minutes, and the
> reported error is about the impossibility of creating more directories
> within the snort logging directories. Of course after the directory is
> cleaned (restored to zero contents) everything runs fine for a while
> until 32000 different IP alerts are generated again.
> Could you help me, I mean any clue about how to work around the problem?
> Anyone with the same problem to resolve? Is it a common complaint? Have
> you plans to overcome this limitation?
> Thank you!
> Meilys AM

Take a look at how many inodes you have available on your system. If you 
have a large amount of files/directories on your server they could be an 
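
The inode check suggested in the reply, extended to also count the log directory's subdirectories against the 32000 figure from the original question. This is an added example, not part of the thread; the function name, the default threshold and the warning ratio are assumptions.

```python
import os
import tempfile


def log_dir_headroom(log_dir, subdir_limit=32000, warn_ratio=0.9):
    """Report inode usage and subdirectory count for a log directory.

    subdir_limit defaults to the 32000 figure quoted in the thread
    (assumption: the real per-directory cap depends on the filesystem).
    """
    st = os.statvfs(log_dir)
    # f_files is 0 on filesystems that allocate inodes on demand.
    inode_ratio = None
    if st.f_files:
        inode_ratio = 1.0 - st.f_ffree / st.f_files

    # Count only real subdirectories, one per logged IP address.
    with os.scandir(log_dir) as entries:
        subdirs = sum(1 for e in entries if e.is_dir(follow_symlinks=False))

    warnings = []
    if inode_ratio is not None and inode_ratio >= warn_ratio:
        warnings.append("inodes")
    if subdirs >= subdir_limit * warn_ratio:
        warnings.append("subdirs")
    return {"inodes_free": st.f_ffree, "inode_used_ratio": inode_ratio,
            "subdirs": subdirs, "subdir_limit": subdir_limit,
            "warnings": warnings}


def demo():
    """Run the check on a constructed directory with five per-IP subdirectories."""
    with tempfile.TemporaryDirectory() as log_dir:
        for host in range(1, 6):  # constructed sample addresses
            os.mkdir(os.path.join(log_dir, f"192.0.2.{host}"))
        open(os.path.join(log_dir, "alert"), "w").close()  # plain file, not counted
        return log_dir_headroom(log_dir, subdir_limit=5)


if __name__ == "__main__":
    print(demo())
```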