[Snort-users] Snort log file size is getting huge

Maged Shenouda maged67 at ...125...
Tue Jul 23 11:18:40 EDT 2013


I am sorry, but the local.rules file was active with the following rules, that's why I got hit with everything
 
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"tcp traffic inbound"; classtype:tcp-connection; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tcp traffic outbound"; classtype:tcp-connection; sid:2; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ip traffic inbound"; classtype:unknown; sid:3; rev:1;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ip traffic outbound"; classtype:unknown; sid:4; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"udp traffic inbound"; classtype:misc-activity; sid:5; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"udp traffic outbound"; classtype:misc-activity; sid:6; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"icmp traffic inbound"; classtype:icmp-event; sid:7; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"icmp traffic outbound"; classtype:icmp-event; sid:8; rev:1;)
 
but even though, shouldn't it be limited to 128 mb accorfing to the snort.conf?
 

 
From: maged67 at ...125...
To: snort-users at lists.sourceforge.net
Date: Tue, 23 Jul 2013 11:10:55 -0400
Subject: [Snort-users] Snort log file size is getting huge




I finally was able to make snort logging work but it is getting huge within 5-10 minutes?
The snort.conf file is set as follow
 
output unified2: filename snort.log, limit 128
 
but the file size is continuing to grow, it doesn't stop at the 128 mb? what is wrong with it? Is that normal?
 
shouldn't it record only suspecious alerts and not everything?
 
here is the running process
 
ps aux | grep -i "snort"

snort    16992  5.8  1.3 594500 221484 ?       Ssl  10:38   0:07 /usr/local/bin/snort -A full -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

root     16998  0.2  0.1 146428 22416 ?        Ss   10:38   0:00 /usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo -D
root     17005  0.0  0.0   4404   728 pts/0    S+   10:40   0:00 grep -i snort
 
I even tried the snort without the -A & without -b but same result

Please help
 		 	   		  

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130723/b3b292ec/attachment.html>


More information about the Snort-users mailing list