Snort mailing list archives
Frequent binary log rotation data loss
From: Dave Cinege <dcinege () psychosis com>
Date: Tue, 31 Jul 2001 00:30:54 -0400
Working on a distributed system blah blah, archived post here: http://archives.neohapsis.com/archives/snort/2001-07/0623.html

The goal is to have snort write to a pipe and have an intermediate program read the pipe and rotate out logs, so snort is never stopped and data is never lost. However, as I work up to doing this, I'm just stopping snort, rotating the logs, and starting snort at 1-minute intervals.

The problem: When the server gets the log file and processes it, no data is dumped when rules are applied. If I snort -dvr (no rules) I can see the output. If we let snort run a significant amount of time, we will see data properly dumped.

I've come to the conclusion that snort is getting stopped before fully committing all data to disk, or more specifically in the *middle* of an attack. Thus when the log gets processed back at the server we never see output, because we rarely ever get complete output.

**Corrections please** if this does not sound right to you... I have yet to take the time to actually read the snort logging source to see exactly how it's being buffered, etc.

I need to know how to remedy this problem. My first guess is that this to-be-made pipe reading program could buffer and commit to disk only on 'attack boundaries'. However, I have no idea how to determine this. Also I would think snort would ALREADY work this way. (So am I doing something else wrong?)

Dave
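A sketch of the "to-be-made" pipe reader described above, as an added example that is neither Dave's code nor Snort's own: it assumes the binary log is a libpcap stream (Snort's -b output uses that format), parses the 24-byte global header and each 16-byte record header, and cuts output files only between complete packet records, so a rotation never leaves a half-written record behind; a record cut off at EOF (the writer stopped mid-packet, as suspected in the post) is counted rather than written. It cannot find 'attack boundaries', only record boundaries, and `records_per_file` and `make_sample_stream` are constructed for the demo.

```python
import io
import struct
GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16
LE_MAGIC, BE_MAGIC = b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"

def _read_exact(src, n):
    """Read n bytes from a stream; returns fewer only when EOF is hit."""
    buf = b""
    while len(buf) < n:
        chunk = src.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def split_pcap_stream(src, records_per_file):
    """Copy a libpcap stream into segments, cutting only between records.
    Returns (segments, truncated_bytes); each segment is a complete pcap file."""
    ghdr = _read_exact(src, GLOBAL_HDR_LEN)
    if len(ghdr) < GLOBAL_HDR_LEN:
        raise ValueError("stream shorter than a pcap global header")
    endian = {LE_MAGIC: "<", BE_MAGIC: ">"}[ghdr[:4]]   # KeyError on non-pcap magic
    segments, current, count, truncated = [], None, 0, 0
    while True:
        rhdr = _read_exact(src, REC_HDR_LEN)
        if not rhdr:
            break                                   # clean EOF on a record boundary
        if len(rhdr) < REC_HDR_LEN:
            truncated += len(rhdr)                  # writer died inside a record header
            break
        incl_len = struct.unpack(endian + "IIII", rhdr)[2]   # ts_sec, ts_usec, incl_len, orig_len
        data = _read_exact(src, incl_len)
        if len(data) < incl_len:
            truncated += REC_HDR_LEN + len(data)    # writer died inside packet data
            break
        if current is None or count == records_per_file:
            current = bytearray(ghdr)               # every new file gets its own global header
            segments.append(current)
            count = 0
        current += rhdr + data
        count += 1
    return [bytes(s) for s in segments], truncated

def make_sample_stream():
    """Constructed input: LE pcap header, five whole records of 1..5 payload bytes, then one cut off after 3 of 10 bytes."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i in range(1, 6):
        out += struct.pack("<IIII", 996000000 + i, 0, i, i) + b"x" * i
    out += struct.pack("<IIII", 996000006, 0, 10, 10) + b"yyy"
    return io.BytesIO(out)
```

In a real deployment `src` would be the named pipe snort writes to and each segment would be flushed to its own file before the next one is opened, so the server side only ever sees whole records.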