[Snort-users] Snort Logs

John Creegan jcreegan at ...9729...
Thu Sep 18 07:25:06 EDT 2003

I'm running snort 2.0.1 with the -z option.  As I understand it, this
allows snort to better track state to defeat stick attacks.  I'm worried
that when I send the HUP signal to snort it'll lose track.

>On Thursday around 08:15 Michael Sconzo wrote:
>I am doing something like this with my setup.  I am currently using
>logrotate to rotate the logs
>/home/snort/alert {
>    postrotate
>        /usr/bin/killall -HUP snort
>    endscript
>/home/snort/portscan.log {
>    compress
>    postrotate
>        /usr/bin/killall -HUP snort
>    endscript
>I found that it restarts with the -HUP creating a new alert file, but
>would die due to not being able to set the device in promisc mode.  So
>setuid /usr/local/bin/snort
>I have been trying to think of a work around for this, but so far
>worth anything.  So if anybody has any suggestions on this, that would
>be nice
>----- Original Message ----- 
>From: "Keaton, Lindamaria" <LKeaton at ...10093...>
>To: "Demetri Mouratis" <dmourati at ...3877...>
>Cc: <snort-users at lists.sourceforge.net>
>Sent: Wednesday, September 17, 2003 1:37 PM
>Subject: RE: [Snort-users] Snort Logs
>> How will a new file generate? How I see this, it will kill snort but
>> restart it. Will I then have to reboot the system, in order for a
>> alert file to generate. Is that correct, or am I completely wrong?
>> This is what I'm trying to accomplish. I want the alert file to
>> compress and move to a different directory, but then start a new
>> file without kill snort. Is there a way to do this?
>> -----Original Message-----
>> From: Demetri Mouratis [mailto:dmourati at ...3877...] 
>> Sent: Wednesday, September 17, 2003 11:32 AM
>> To: Keaton, Lindamaria
>> Cc: snort-users at lists.sourceforge.net 
>> Subject: Re: [Snort-users] Snort Logs
>> On Wed, 17 Sep 2003, Keaton, Lindamaria wrote:
>> > Hello,
>> >
>> > I'm running snort 2.0 on Linux 9.0. Does anyone know how to
>> > /var/log/snort/alert when it reaches certain size?
>> >
>> You could use logrotate with the size option for this.
>>        "/var/log/snort/alert" {
>>            rotate 30
>>            size=100k
>>    postrotate
>> kill -HUP `pidof /usr/local/bin/snort`
>>    endscript
>>        }
>> And upgrade to snort 2.0.1 while you are at it.
>> Demetri Mouratisv

This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.

More information about the Snort-users mailing list