[Snort-users] Removing Snort Alert Files

Jack Pepper pepperjack at ...14319...
Wed Aug 26 11:28:52 EDT 2009


Quoting Richard Lichvar <rlichvar at ...14639...>:

> As some of you have seen from others of my posts, we have a large number
> of zero-length Snort alert files (apparently because the systems being
> protected are so isolated ). What is the advisability of removing these
> alert files? We have literally hundreds of them. Is there a particular
> process that should be used or will a simple rm be okay?

Everyone has their own religion regarding log retention.  Here is a  
little snippet to get you started on building your own.  Obviously you  
need to modify it to work with your environment:

# Days to retain old files:
GARBAGECOLLECTION=30
ARCHIVELIFE=180
DATE=`date --date=yesterday +%Y.%m.%d`

# Locations
SNORTDIR=/var/log/snort
ARCHIVE=${SNORTDIR}/archive
TCPDUMP="${SNORTDIR}/snort.tcpd"
ALERT=${SNORTDIR}/alert

# Clean up Snortdir (-maxdepth goes before the tests, or GNU find warns)
find "${SNORTDIR}" -maxdepth 1 -type f -mtime +${GARBAGECOLLECTION} -exec rm {} \;
# Clean up the archive:
find "${ARCHIVE}" -maxdepth 1 -type f -mtime +${ARCHIVELIFE} -exec rm {} \;

# Roll yesterday's alert file and packet captures into one dated tarball
if [ -d "$ARCHIVE" ]; then
    tar --remove-files -czf "${ARCHIVE}/alerts.${DATE}.tgz" "$ALERT" ${TCPDUMP}*
fi



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
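The question was specifically about the zero-length alert files. The script below is an added example, not code from the original post: it lists and prunes empty alert* files (with a dry-run switch, so you can see what would go before anything is deleted) and archives a non-empty alert file only after the compressed copy verifies. The paths, the alert* naming and the <logdir>/archive layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: prune zero-length Snort alert
# files and archive non-empty ones, verifying before deleting the source.
# Assumed layout (hypothetical): alert* files in the Snort log dir, archive in <logdir>/archive.

# Print zero-length alert* files in $1; optional $2 limits the list to files
# older than that many days.
list_empty_alerts() {
    dir=$1; days=$2
    if [ -n "$days" ]; then
        find "$dir" -maxdepth 1 -type f -name 'alert*' -size 0 -mtime +"$days"
    else
        find "$dir" -maxdepth 1 -type f -name 'alert*' -size 0
    fi
}

# Remove what list_empty_alerts reports; $3=1 is a dry run that only reports
# on stderr. Echoes the number of files removed (or that would be).
prune_empty_alerts() {
    dir=$1; days=$2; dryrun=${3:-0}
    n=$(list_empty_alerts "$dir" "$days" | wc -l | tr -d ' ')
    list_empty_alerts "$dir" "$days" | while IFS= read -r f; do
        if [ "$dryrun" = 1 ]; then
            echo "would remove: $f" >&2
        else
            rm -f -- "$f"
        fi
    done
    echo "$n"
}

# Compress alert file $2 into $1/archive/<name>.$3.gz; the source is removed
# only after gzip -t confirms the archive reads back cleanly.
archive_alert() {
    dir=$1; file=$2; stamp=$3
    mkdir -p "$dir/archive"
    out=$dir/archive/$(basename "$file").$stamp
    gzip -c "$file" > "$out.gz" && gzip -t "$out.gz" && rm -f -- "$file"
}

# Daily run with the original script's 30-day retention and yesterday's
# date stamp (GNU date, as in the original). DRYRUN=1 previews deletions.
rotate_snort_logs() {
    dir=${1:-/var/log/snort}
    prune_empty_alerts "$dir" 30 "${DRYRUN:-0}"
    if [ -s "$dir/alert" ]; then
        archive_alert "$dir" "$dir/alert" "$(date --date=yesterday +%Y.%m.%d)"
    fi
}
```

Run `DRYRUN=1 rotate_snort_logs /var/log/snort` first from cron or by hand to confirm only the empty files are listed.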