[Snort-users] Problems with session.log

Paul Schmehl pauls at ...6838...
Fri Sep 10 15:35:43 EDT 2004

I'm running snort 2.1.3 and mysqld 3.23.58 on FreeBSD 4.9-SECURITY. I've 
been having the following problem for a while.

/var runs out of space and the database data.MYD and data.frm files' 
indexes get screwed up.  The /var partition is 31GB, 8.7GB of which is used 
by "normal" files.

Logged in as root and checking the file system with df (df -h) shows that 
/var is at 104%.  Checking the file systems with du (du -h /var) shows /var 
at 40%.  This indicates that a filehandle is not being released or some 
sort of scratch file exists that is constantly growing.

By stopping processes one at a time and monitoring the filesystem with df, 
I determined that the cause of the problem was related to snort.  Using 
fstat (fstat | grep var | sort -r -n -k 8 | head) I identified the inode of 
the file that was causing the problem.  Then using find (find /var -inum 
"{inodenum}") I was able to identify the file as the session.log.

I'm wondering if anyone else has had a similar problem.  I'm also wondering 
what the cause might be.  I'm using newsyslog.conf to turn the session.log 
file over daily, and syslogd *should* be hupping the process when it does 
that, so I'm not sure what might be causing the problem.  I do not have the 
same problem with either snort.log.{nums} or the alert.log, so syslogd is 
obviously hupping snort after turning them over.  Since the session log is 
configured exactly the same way, I'm having a hard time believing that the 
process isn't being hupped when it is turned over.

This is the portion of newsyslog.conf that deals with snort logs.

/var/log/snort/portscan.log             600  7     *    $D0   Z
/var/log/snort/scan.log                 600  7     *    $D0   Z
/var/log/snort/alert                    600  7     *    $D0   Z
/var/log/snort/session.log              600  7     *    $D0   Z
/var/log/snort/blocked.log.*            600  7     *    $D0   ZG
/var/log/snort/snort.log.*              600  7     *    $D0   ZG

Any suggestions are welcomed.  In the meantime, I've disabled session 

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
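The df-versus-du diagnosis described in the post (rank open files by size with fstat, then name the inode with find -inum), written out as an added Python example that is not part of the original message. The fstat output it parses is a constructed sample, and it assumes FreeBSD's fstat column layout (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W).

```python
import os, tempfile
from collections import namedtuple

# Constructed sample of FreeBSD fstat(1) output, not data from the poster's box.
# Column 8 (SZ|DV) is what the post's `sort -r -n -k 8` orders by; column 6 is INUM.
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     snort       1234    3 /var     123456 -rw-------  21474836480 w
root     snort       1234    4 /var     123457 -rw-------     10485760 w
root     syslogd      512    5 /var      98765 -rw-r--r--         4096 w
root     sshd         700    3 /           4242 crw--w----       ttyp0 rw
"""

OpenFile = namedtuple("OpenFile", "user cmd pid fd mount inum size")

def parse_fstat(text):
    """fstat lines -> OpenFile records; skips the header and device nodes (non-numeric SZ|DV)."""
    records = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 8 and f[0] != "USER" and f[7].isdigit():
            records.append(OpenFile(f[0], f[1], int(f[2]), int(f[3]), f[4], int(f[5]), int(f[7])))
    return records

def largest_open_files(text, mount="/var", top=3):
    """Open files on `mount`, biggest first: the df-vs-du suspects."""
    hits = [r for r in parse_fstat(text) if r.mount == mount]
    return sorted(hits, key=lambda r: r.size, reverse=True)[:top]

def find_paths_by_inode(root, inum):
    """Same job as `find root -inum inum`. No match for an inode fstat still shows open
    means the file lost its name (renamed/removed, e.g. by log rotation) while the
    writer kept it open: df counts those blocks, du cannot see them."""
    matches = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.lstat(path).st_ino == inum:
                    matches.append(path)
            except OSError:
                pass
    return matches

def resolver_self_check():
    """Resolve a temp file by inode, unlink it while still open, confirm it no longer resolves."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "session.log")
        with open(path, "w") as fh:
            ino = os.fstat(fh.fileno()).st_ino
            found = find_paths_by_inode(root, ino) == [path]
            os.unlink(path)
            gone = find_paths_by_inode(root, ino) == []
    return found and gone
```

An inode that fstat reports open but find_paths_by_inode cannot name is the rotated-but-not-released case, the sign that the writing process has not reopened its log after rotation.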
