Snort mailing list archives
Re: question
From: Erek Adams <erek () snort org>
Date: Wed, 5 Mar 2003 13:18:45 -0500 (EST)
On Wed, 5 Mar 2003, Jose Ramon Hernandez Macias wrote: [...snip...]
The first thing I'd like to know is: I'm using snort and mysql to log all alerts but anyways snort is logging to /var/log/snort/scan.log and the file is getting bigger every day. I would like to know if that file is gonna rotate at some size or if there's a way to stop the logging to that file and just leave the mysql log process.
Nope. No sort of log rotation built into Snort unless you are using the unified output. And even that doesn't deal with the scan.log file--It's generated by the portscan2 preprocessor. If you don't want the log, just disable the ps2 preprocessor in your snort.conf. Other than that, I'd suggest a cron job that does something like "cp scan.log scan.log.old && cp /dev/null scan.log" for rotation purposes.
The second question is: I would like to know if there's a guide or steps I could follow to upgrade snort? I've read a lot of people are having problems to do the upgrade to the new 1.9.1 version. I'm not a pro with snort/linux so I wouldn't want to screw up everything I've done in a production environment. In the meantime I disabled RPC preprocessor but I think it is important to get it working as soon as possible, that's why I'd like to upgrade snort but I don't know where to start, I installed it from a .tar.gz file so I don't know if I need to uninstall it somehow or just download the new one and untar it overwriting the old one.
As for an upgrade, it's pretty simple. You only have one binary to worry about (snort), one config file (snort.conf), and the rules. My steps to upgrade (I grab CVS every afternoon) are:
* Build snort.
* cp <wherever>/snort <wherever>/snort.old
* make install (so that you get the updated man pages as well)
* Merge <snortdir>/etc/snort.conf into /etc/snort.conf. HOME_NET changes, other variables, etc....
* cp <snortdir>/rules/* /etc/snort/rules
* sighup snort
That's really about it.... You'll need to update the map files, but if you cp <snortdir>/rules/* to your rules dir, that will snag those as well.
If you are ultra paranoid, build snort, but don't install it.... Start it from the command line and use your existing snort.conf "snort -c <wherever>/snort.conf -T". See if that throws any errors. If it does, 'fix' the errors and then upgrade. :)
IOW, no, there isn't a 'how to upgrade to a new version of Snort guide.'... But if you're offering to write one... ;-)
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
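The two things Erek describes above, the "cp scan.log scan.log.old && cp /dev/null scan.log" cron rotation and the "snort -c snort.conf -T" config check of a freshly built binary, as an added example script that is not part of the original mail or of the Snort project. The copy-and-truncate approach is used on purpose: Snort keeps scan.log open, so renaming the file away would only make Snort keep writing into the renamed inode; truncating in place keeps the open descriptor valid and needs no restart or SIGHUP. The paths, the generation count and the function names are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not from the original mailing-list post): rotate Snort's
# portscan2 scan.log by copy-and-truncate, keeping a few generations, and
# sanity-check a newly built snort against the existing config before
# installing it. LOGDIR, KEEP, SNORT_NEW and SNORT_CONF are assumed defaults.

LOGDIR=${LOGDIR:-/var/log/snort}
KEEP=${KEEP:-7}
SNORT_NEW=${SNORT_NEW:-./src/snort}        # freshly built, not yet installed
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# rotate_copytruncate FILE KEEP
# Shifts FILE.1 .. FILE.(KEEP-1) up one generation (dropping the oldest),
# copies FILE to FILE.1 and then truncates FILE in place, exactly like
# "cp scan.log scan.log.old && cp /dev/null scan.log" but with history.
# Caveat: anything Snort writes between the cp and the truncate is lost;
# run this at a quiet time of day or accept a few missed portscan lines.
rotate_copytruncate() {
    file=$1
    keep=$2
    [ -f "$file" ] || return 1
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$file.$prev" ]; then
            mv -f "$file.$prev" "$file.$i"
        fi
        i=$prev
    done
    # -p keeps the original mode/owner on the copy so the old log is not
    # world-readable if the live one is not
    cp -p "$file" "$file.1" || return 1
    : > "$file"            # same as "cp /dev/null $file": truncate, keep inode
    return 0
}

# check_new_build SNORT_BINARY CONFIG
# Runs the new (uninstalled) binary in test mode (-T) against the config
# you already use, so a rules or preprocessor incompatibility shows up
# before the old binary is replaced. Returns snort's exit status.
check_new_build() {
    bin=$1
    conf=$2
    [ -x "$bin" ] || { echo "no executable at $bin" >&2; return 2; }
    "$bin" -c "$conf" -T
}

# Only act when explicitly asked, so sourcing this file is harmless.
# Cron example:  5 0 * * * /usr/local/sbin/snortlog.sh rotate
case "${1-}" in
    rotate) rotate_copytruncate "$LOGDIR/scan.log" "$KEEP" ;;
    check)  check_new_build "$SNORT_NEW" "$SNORT_CONF" ;;
esac
```

Run it as `snortlog.sh rotate` from cron and `snortlog.sh check` after `make` but before `make install`; if the check fails, fix snort.conf (or the rules) first, as Erek suggests, then install. If a few lost lines during the copy/truncate window are unacceptable, disable the portscan2 preprocessor instead and rely on the MySQL output.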
