[Snort-users] Snort Logs

Michael Sconzo msconzo at ...5072...
Wed Sep 17 13:21:04 EDT 2003


I am doing something like this with my setup.  I am currently using
logrotate to rotate the logs:
/home/snort/alert {
    postrotate
        /usr/bin/killall -HUP snort
    endscript
}
/home/snort/portscan.log {
    compress
    postrotate
        /usr/bin/killall -HUP snort
    endscript
}

I found that it restarts with the -HUP creating a new alert file, but it
would die due to not being able to set the device in promisc mode.  So I
setuid /usr/local/bin/snort.

I have been trying to think of a workaround for this, but so far nothing
worth anything.  So if anybody has any suggestions on this, that would also
be nice.

Thanks,
-Mike
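An added example (not from any of the posters) of the same rotation done without signalling Snort at all, which removes the reason to make the binary setuid root: logrotate's copytruncate copies the live file and then truncates it in place, so Snort keeps writing through the file descriptor it already holds (the alert file is opened in append mode) and never has to re-exec and reopen the interface. The paths are the ones from Mike's config; the size and retention values are illustrative assumptions.

```conf
# Weak approach (as used in the thread): HUP makes Snort re-exec itself, and
# the restarted process can only reopen the interface in promiscuous mode if
# it is still root, hence the temptation to make the binary setuid root.
#/home/snort/alert {
#    postrotate
#        /usr/bin/killall -HUP snort
#    endscript
#}

# Corrected approach: rotate without restarting Snort. copytruncate copies
# the current file to the rotated name, then truncates the original in place.
# Snort's existing descriptor stays valid and its next append lands at the
# new end of the (now empty) file. No signal, no re-exec, no setuid binary.
/home/snort/alert {
    # rotate once the file exceeds 100 KB (assumed threshold)
    size 100k
    # keep 30 rotated copies (assumed retention)
    rotate 30
    compress
    # compress one cycle later so the newest rotated copy stays readable
    delaycompress
    copytruncate
    missingok
    notifempty
}

/home/snort/portscan.log {
    size 100k
    rotate 30
    compress
    delaycompress
    copytruncate
    missingok
    notifempty
}
```

Trade-off: any alert written in the brief interval between the copy and the truncate is lost (logrotate's own documentation notes this for copytruncate), so this is not loss-free, but it avoids both the restart and the setuid binary, and it lets Snort stay under the unprivileged user set with -u/-g for its whole lifetime.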

----- Original Message ----- 
From: "Keaton, Lindamaria" <LKeaton at ...10093...>
To: "Demetri Mouratis" <dmourati at ...3877...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, September 17, 2003 1:37 PM
Subject: RE: [Snort-users] Snort Logs


> How will a new file generate? How I see this, it will kill snort but not
> restart it. Will I then have to reboot the system, in order for a new
> alert file to generate. Is that correct, or am I completely wrong?
>
> This is what I'm trying to accomplish. I want the alert file to either
> compress and move to a different directory, but then start a new alert
> file without kill snort. Is there a way to do this?
>
> -----Original Message-----
> From: Demetri Mouratis [mailto:dmourati at ...3877...]
> Sent: Wednesday, September 17, 2003 11:32 AM
> To: Keaton, Lindamaria
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort Logs
>
>
>
> On Wed, 17 Sep 2003, Keaton, Lindamaria wrote:
>
> > Hello,
> >
> > I'm running snort 2.0 on Linux 9.0. Does anyone know how to rotate
> > /var/log/snort/alert when it reaches certain size?
> >
> You could use logrotate with the size option for this.
>
> "/var/log/snort/alert" {
>     rotate 30
>     size=100k
>     postrotate
>         kill -HUP `pidof /usr/local/bin/snort`
>     endscript
> }
>
> And upgrade to snort 2.0.1 while you are at it.
> ---------------------------------------------------------------------
> Demetri Mouratis
> dmourati at ...3878...