Snort mailing list archives

Re: >2Gb capture files


From: Chris Green <cmg () uab edu>
Date: 25 Jun 2001 10:52:22 -0500

"Mayers, Philip J" <p.mayers () ic ac uk> writes:

We have a rather high-traffic site, and I just had an embarrassing experience
- the snort machine runs RedHat 7.0, and I was running it under screen, so
that if it dumped core, I'd see the error messages (It hasn't - nice and
stable). However, once the log file reached 2Gb, snort (or glibc) stopped
writing... Losing us 18 days of binary packet captures (doh!)

Anyway, I have two questions:

1) Does anyone have a good snort logrotate script?
2) If I upgrade the system to RedHat 7.1, will snort/libpcap suddenly be
"ok" with such large files?

Here's a Linux rotate one that stores the logs in dated hourly directories

Attachment: snort_rotate.sh


I have an hourly snortsnarf and a daily snortsnarf as well as a
pcapmerge run daily to concat all the binary log files. -A fast -b is
the logging method.
-- 
Chris Green <cmg () uab edu>
You now have 14 minutes to reach minimum safe distance.
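The attached snort_rotate.sh is not in the archive. As an added illustration of the hourly rotation described in the reply (not Chris Green's script), the following POSIX sh script moves the active binary capture into a YYYY-MM-DD/HH directory and flags a file that was already close to the 2 GB mark before the hour was up, which is the silent failure the original poster hit. The log path, archive directory and pid file are assumptions, as is the use of SIGHUP to make Snort reopen its log.

```shell
#!/bin/sh
# Hourly rotation for Snort "-b" binary capture files (constructed example).
# Usage: snort_rotate.sh /var/log/snort/snort.log /var/log/snort/archive
# LIMIT_BYTES is 2^31: a non-large-file-aware build stops writing there.
LIMIT_BYTES=${LIMIT_BYTES:-2147483648}

# size_bytes FILE -> prints FILE's size in bytes (wc -c is portable).
size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# near_limit FILE PERCENT -> true when FILE is at or above PERCENT of LIMIT_BYTES.
# Used to detect that hourly rotation is too coarse for the site's traffic.
near_limit() {
    _sz=$(size_bytes "$1")
    _thr=$((LIMIT_BYTES * $2 / 100))
    [ "$_sz" -ge "$_thr" ]
}

# rotate_log LOGFILE ARCHIVE_DIR [STAMP]
# Moves LOGFILE to ARCHIVE_DIR/YYYY-MM-DD/HH/<name> and prints the new path.
# STAMP is "YYYY-MM-DD HH" (UTC); it is read from the clock when omitted.
rotate_log() {
    _log=$1; _base=$2; _stamp=${3:-$(date -u '+%Y-%m-%d %H')}
    _day=${_stamp% *}; _hour=${_stamp#* }
    _dest="$_base/$_day/$_hour"
    mkdir -p "$_dest"
    mv "$_log" "$_dest/$(basename "$_log")"
    echo "$_dest/$(basename "$_log")"
}

# Command-line entry point: runs only when both paths are given.
if [ $# -ge 2 ]; then
    if near_limit "$1" 90; then
        echo "warning: $1 reached 90% of the 2 GB limit before rotation" >&2
    fi
    new=$(rotate_log "$1" "$2")
    # Assumption: Snort restarts on SIGHUP and opens a fresh log file.
    # The pid file location is an example, not a Snort default.
    if [ -r /var/run/snort.pid ]; then
        kill -HUP "$(cat /var/run/snort.pid)"
    fi
    echo "rotated to $new"
fi
```

Run it from an hourly cron entry; the warning on stderr is the signal to rotate more often or to move to a large-file-aware build.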
