Snort mailing list archives

Re: preprocessor stream5_global prune_log_max 0


From: elof () sentor se
Date: Thu, 28 May 2015 12:19:00 +0200 (CEST)

On Wed, 27 May 2015, Victor Roemer wrote:
Yes, I did review changes (patches) not long ago for the logging.
I (personally) do not know when shipping is scheduled- sorry..

Thanks!


---

Noted that you're really keen for this change- have you considered deleting the
couple lines of code in src/preprocessors/Stream6/snort_stream_tcp.c
(search for the string "S5: Session" etc..)? It is a pretty straightforward
delete of LogMessage() function calls.

Yes, I have considered it (over the year(s)) but the current workaround, 
dropping the log events in the syslog daemon, works. So my incentive to 
manage a custom-built port has been too low. :)

/Elof


On 5/27/15 10:48, elof () sentor se wrote:

Hi!

Did you check? Are the changes checked in? Roughly when is the next major 
release?

/Elof


On Fri, 27 Mar 2015, Victor Roemer wrote:

Elof, I'm aware of changes to Snort which we've added new "config:"
options to make Stream5 less noisy. I'll have to check but they should
be in the next major release.

~Victor

On 03/27/15 9:20, elof () sentor se wrote:
Will this bug ever be fixed?

See my initial report from 2 years ago, 
http://seclists.org/snort/2013/q1/952
and the proposed solution by Gregory in 
http://seclists.org/snort/2013/q1/967

I tried to mute the flood of prune-messages by setting prune_log_max to 
1073741824, but it still spams my syslog. :(

Perhaps you should review the logging mechanism? I think setting
prune_log_max to either 0 or the maximum value should disable the logging
completely.




I then tried an even higher value, to make it shut up, but then I get:

snort[64286]: FATAL ERROR: snort.conf(178) => Invalid Prune Log Max. Must be 0 (disabled) or between 1024 and 1073741824


So I revert back to filtering the spam in my syslog-conf instead. :-/

/Elof


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

