Snort mailing list archives
Re: Removing Snort Alert Files
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Wed, 26 Aug 2009 10:28:52 -0500
Quoting Richard Lichvar <rlichvar () sainc com>:
> As some of you have seen from others of my posts, we have a large number of zero-length Snort alert files (apparently because the systems being protected are so isolated). What is the advisability of removing these alert files? We have literally hundreds of them. Is there a particular process that should be used or will a simple rm be okay?
Everyone has their own religion regarding log retention. Here is a little snippet to get you started on building your own. Obviously you need to modify it to work with your environment:

    #!/bin/sh
    # Days to retain old files:
    GARBAGECOLLECTION=30
    ARCHIVELIFE=180
    DATE=`date --date=yesterday +%Y.%m.%d`

    # Locations
    SNORTDIR=/var/log/snort
    ARCHIVE=${SNORTDIR}/archive
    TCPDUMP="${SNORTDIR}/snort.tcpd"
    ALERT=${SNORTDIR}/alert

    # Clean up Snortdir (files only, top level; -maxdepth must precede the tests)
    find "${SNORTDIR}" -maxdepth 1 -type f -mtime +${GARBAGECOLLECTION} -exec rm {} \;

    # Clean up the archive:
    find "${ARCHIVE}" -maxdepth 1 -type f -mtime +${ARCHIVELIFE} -exec rm {} \;

    # Roll the alert file and packet captures into a dated tarball, removing the originals
    if [ -d "${ARCHIVE}" ]; then
        tar --remove-files -czf "${ARCHIVE}/alerts.${DATE}.tgz" "${ALERT}" "${TCPDUMP}"*
    fi

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
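A more defensive variant of the same rotation, added here as an example and not code from the thread: it deletes only the zero-length alert files the question asks about, gzips non-empty ones into the archive with a SHA-256 manifest so later truncation or tampering is detectable, and prunes the archive. It assumes GNU find/coreutils and that alert files sit flat in SNORTDIR under names matching alert*, with the archive in SNORTDIR/archive as above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find/coreutils, alert files
# named alert* directly in SNORTDIR, and an archive directory SNORTDIR/archive.
set -u

# snort_rotate SNORTDIR GC_DAYS ARCHIVE_DAYS
# Empty alert files older than GC_DAYS hold no events and are removed.
# Non-empty ones are gzipped into the archive and their digests appended to a
# dated manifest before the original is deleted. Archive contents older than
# ARCHIVE_DAYS (manifests included) are pruned.
snort_rotate() {
    snortdir=$1 gc_days=$2 archive_days=$3
    archive="$snortdir/archive"
    stamp=$(date +%Y.%m.%d)
    mkdir -p "$archive" || return 1

    # 1. Zero-length alert files past retention: nothing to preserve, remove.
    find "$snortdir" -maxdepth 1 -type f -name 'alert*' -empty \
         -mtime +"$gc_days" -exec rm -f {} +

    # 2. Archive non-empty files. A list file avoids the pipe-into-while
    #    subshell, so a failure inside the loop can abort the function.
    list=$(mktemp) || return 1
    find "$snortdir" -maxdepth 1 -type f -name 'alert*' ! -empty \
         -mtime +"$gc_days" > "$list"
    while IFS= read -r f; do
        base=$(basename "$f").$stamp.gz
        gzip -c "$f" > "$archive/$base" || { rm -f "$list"; return 1; }
        (cd "$archive" && sha256sum "$base") >> "$archive/manifest.$stamp.sha256" \
            || { rm -f "$list"; return 1; }
        rm -f "$f"   # original goes only after its digest is on record
    done < "$list"
    rm -f "$list"

    # 3. Prune the archive itself.
    find "$archive" -maxdepth 1 -type f -mtime +"$archive_days" -exec rm -f {} +
}

# snort_verify_archive ARCHIVE: re-check every manifest; non-zero on mismatch.
snort_verify_archive() {
    for m in "$1"/manifest.*.sha256; do
        [ -e "$m" ] || continue
        (cd "$1" && sha256sum -c --quiet "$(basename "$m")") || return 1
    done
    return 0
}
```

Run snort_verify_archive from cron alongside the rotation; a non-zero exit is the signal that an archived alert file no longer matches what was recorded when it was rotated.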
Current thread:
- Removing Snort Alert Files Richard Lichvar (Aug 26)
- Re: Removing Snort Alert Files Joel Esler (Aug 26)
- Re: Removing Snort Alert Files Jack Pepper (Aug 26)