Snort mailing list archives
Re: question
From: Erek Adams <erek () snort org>
Date: Wed, 5 Mar 2003 13:18:45 -0500 (EST)
On Wed, 5 Mar 2003, Jose Ramon Hernandez Macias wrote: [...snip...]
The first thing I'd like to know is: I'm using Snort and MySQL to log all alerts, but Snort is also logging to /var/log/snort/scan.log and the file is getting bigger every day. I would like to know if that file is going to rotate at some size, or if there's a way to stop the logging to that file and just leave the MySQL log process.
Nope. There is no sort of log rotation built into Snort unless you are using the unified output, and even that doesn't deal with the scan.log file; it's generated by the portscan2 preprocessor. If you don't want the log, just disable the ps2 preprocessor in your snort.conf. Other than that, I'd suggest a cron job that does something like "cp scan.log scan.log.old && cp /dev/null scan.log" for rotation purposes.
The second question is: I would like to know if there's a guide or steps I could follow to upgrade Snort. I've read that a lot of people are having problems upgrading to the new 1.9.1 version. I'm not a pro with Snort/Linux, so I wouldn't want to screw up everything I've done in a production environment. In the meantime I disabled the RPC preprocessor, but I think it is important to get it working as soon as possible; that's why I'd like to upgrade Snort, but I don't know where to start. I installed it from a .tar.gz file, so I don't know if I need to uninstall it somehow or just download the new one and untar it, overwriting the old one.
As for an upgrade, it's pretty simple. You only have one binary to worry about (snort), one config file (snort.conf), and the rules. My steps to upgrade (I grab CVS every afternoon) are:

* Build snort.
* cp <wherever>/snort <wherever>/snort.old
* make install (so that you get the updated man pages as well)
* Merge <snortdir>/etc/snort.conf into /etc/snort.conf. HOME_NET changes, other variables, etc....
* cp <snortdir>/rules/* /etc/snort/rules
* sighup snort

That's really about it.... You'll need to update the map files, but if you cp <snortdir>/rules/* to your rules dir, that will snag those as well.

If you are ultra paranoid, build snort, but don't install it.... Start it from the command line and use your existing snort.conf: "snort -c <wherever>/snort.conf -T". See if that throws any errors. If it does, 'fix' the errors and then upgrade. :)

IOW, no, there isn't a 'how to upgrade to a new version of Snort guide.'... But if you're offering to write one... ;-)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
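The two pieces of advice in Erek's reply (copy-and-truncate rotation of scan.log from cron, and running the freshly built binary with `-T` against the existing snort.conf before installing it) as a worked shell example. This is an added example, not code from the original thread or from the Snort project; the paths (/var/log/snort/scan.log, /usr/local/src/snort/src/snort, /etc/snort/snort.conf), the function names and the KEEP/limit values are assumptions. The rotation keeps the log's inode, which is the reason for `cp /dev/null scan.log` rather than `mv`: Snort holds the file open and would otherwise keep writing into the renamed copy.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Snort itself.
# Paths such as /var/log/snort/scan.log and /usr/local/src/snort/src/snort
# are assumptions taken from the discussion above; adjust to your install.

# rotate_log FILE KEEP
#   Copy-and-truncate rotation for a log that a running daemon keeps open.
#   Snort holds scan.log open, so renaming it (mv) would leave Snort writing
#   into the renamed file while a fresh scan.log never appears. Copying the
#   contents away and truncating the original in place keeps the same inode,
#   which is what "cp scan.log scan.log.old && cp /dev/null scan.log" does;
#   this version keeps KEEP numbered copies (FILE.1 newest) instead of one .old.
#   Returns 0 on success, 1 if FILE does not exist or a copy/move failed.
rotate_log() {
    file=$1
    keep=${2:-5}
    [ -f "$file" ] || return 1
    # shift FILE.(KEEP-1) .. FILE.1 up by one; FILE.KEEP is overwritten
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        if [ -f "$file.$i" ]; then
            mv -f "$file.$i" "$file.$((i + 1))" || return 1
        fi
        i=$((i - 1))
    done
    cp -p "$file" "$file.1" || return 1
    : > "$file"   # truncate in place: same inode, so Snort keeps writing to it
}

# rotate_if_larger FILE LIMIT_BYTES KEEP
#   Size-based trigger for cron: rotate only once FILE exceeds LIMIT_BYTES.
#   Returns 0 if rotated, 2 if the file is still under the limit, 1 on error.
rotate_if_larger() {
    file=$1
    limit=$2
    keep=${3:-5}
    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt "$limit" ] || return 2
    rotate_log "$file" "$keep"
}

# preflight_new_snort NEW_BINARY CONF
#   The "ultra paranoid" upgrade check: run the freshly built, not yet
#   installed binary against the existing config in test mode (-T).
#   Exit status 0 means the new version parses the old snort.conf and the
#   rules it includes, so "make install" and a SIGHUP are safe; anything
#   else means fix the config first and leave the old binary in place.
preflight_new_snort() {
    new_bin=$1
    conf=$2
    [ -x "$new_bin" ] || return 1
    [ -r "$conf" ] || return 1
    "$new_bin" -c "$conf" -T
}

# Typical use (assumed paths):
#   rotate_if_larger /var/log/snort/scan.log 10485760 7   # e.g. nightly from cron
#   preflight_new_snort /usr/local/src/snort/src/snort /etc/snort/snort.conf
```

Two caveats worth knowing before putting this in cron: any portscan lines Snort writes between the `cp` and the truncate are lost, which is acceptable when MySQL is the record of truth but is the price of rotating a file the writer never closes; and the job has to run as a user that can write the log (normally the same account Snort runs as), otherwise the truncate silently fails and the file keeps growing.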
Current thread:
- question Jose Ramon Hernandez Macias (Mar 05)
- Re: question Erek Adams (Mar 05)
- <Possible follow-ups>
- Question Corrado Federici (Mar 13)
- Question Corrado Federici (Mar 13)
- Re: Question (about Content-List) Matt Kettler (Mar 13)