[Snort-users] Problems with session.log

Paul Schmehl pauls at ...6838...
Fri Sep 10 15:35:43 EDT 2004


I'm running snort 2.1.3 and mysqld 3.23.58 on FreeBSD 4.9-SECURITY. I've 
been having the following problem for a while.

/var runs out of space and the database data.MYD and data.frm files' 
indexes get screwed up.  The /var partition is 31GB, 8.7GB of which is used 
by "normal" files.

Logged in as root and checking the file system with df (df -h) shows that 
/var is at 104%.  Checking the file systems with du (du -h /var) shows /var 
at 40%.  This indicates that a filehandle is not being released or some 
sort of scratch file exists that is constantly growing.

By stopping processes one at a time and monitoring the filesystem with df, 
I determined that the cause of the problem was related to snort.  Using 
fstat (fstat | grep var | sort -r -n -k 8 | head) I identified the inode of 
the file that was causing the problem.  Then using find (find /var -inum 
"{inodenum}" I was able to identify the file as the session.log.

I'm wondering if anyone else has had a similar problem.  I'm also wondering 
what the cause might be.  I'm using newsyslog.conf to turn the session.log 
file over daily, and syslogd *should* be hupping the process when it does 
that, so I'm not sure what might be causing the problem.  I do not have the 
same problem with either snort.log.{nums} or the alert.log, so syslogd is 
obviously hupping snort after turning them over.  Since the session log is 
configured exactly the same way, I'm having a hard time believing that the 
process isn't being hupped when it is turned over.

This is the portion of newsyslog.conf that deals with snort logs.

/var/log/snort/portscan.log             600  7     *    $D0   Z
/var/log/snort/scan.log                 600  7     *    $D0   Z
/var/log/snort/alert                    600  7     *    $D0   Z
/var/log/snort/session.log              600  7     *    $D0   Z
/var/log/snort/blocked.log.*            600  7     *    $D0   ZG
/var/log/snort/snort.log.*              600  7     *    $D0   ZG

Any suggestions are welcomed.  In the meantime, I've disabled session 
logging.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




More information about the Snort-users mailing list