Snort mailing list archives
Re: snort just stop when more 32000 alerts (different IPs) are generated
From: "J-H. Johansen" <corinth () online no>
Date: Mon, 22 Dec 2003 10:27:06 +0100
Jerry Shenk wrote:
I can tell you that snort itself doesn't automatically stop when it hits 32000 alerts. I have a network where they got welchia or some variant and snort didn't stop. I wouldn't even think 32000 directories would be a problem (assuming linux or another unix variant). This network would have had that same number of directories. This particular snort sensor is running Snort/MySQL/ACID so perhaps we're logging things a bit differently but it's not a snort issue.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of maguiler () cantv net
Sent: Friday, December 12, 2003 7:33 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort just stop when more 32000 alerts (different IPs) are generated

Hi

The network I'm monitoring is quite big (actually it's huge). Every time works fine, until more than 32000 alerts (different IPs) are generated. When this happens, snort just stops, probably because of an operating system restriction. This happens, in my networks, about every 20-30 minutes, and the reported error is about the impossibility of creating more directories within the snort logging directories. Of course after the directory is cleaned (restored to zero contents) everything runs fine for a while until 32000 different IP alerts are generated again.

Could you help me, I mean any clue about how to work around the problem? Anyone with the same problem to resolve? Is it a common complaint? Have you plans to overcome this limitation?

Thank you!
Meilys AM

Take a look at how many inodes you have available on your system. If you have a large amount of files/directories on your server, that could be an explanation.
jens:H
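
A check along the lines suggested in the reply above, as an added example that is not part of the original thread: it counts the per-IP subdirectories in a Snort log directory and reads the free inode count with `df`. The 32000 default is the figure from the original report; the 80% warning threshold, the 1000-inode floor, the function names and the `/var/log/snort` path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The 32000 default is the figure the
# original poster reported, taken here as an assumption, not read from the OS.

count_subdirs() {
    # Immediate subdirectories of $1 (Snort's per-IP log directories).
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

free_inodes() {
    # Free inodes on the filesystem holding $1; "n/a" if it reports none.
    df -Pi "$1" 2>/dev/null | awk 'NR==2 { if ($2+0 > 0) print $4; else print "n/a" }'
}

logdir_status() {
    # usage: logdir_status DIR [LIMIT] [WARN_PCT] [MIN_FREE_INODES]
    # Prints one status line; returns 0 (OK), 1 (WARN) or 2 (CRIT).
    dir=$1; limit=${2:-32000}; warn_pct=${3:-80}; min_free=${4:-1000}
    if [ ! -d "$dir" ]; then
        echo "CRIT $dir: not a directory"; return 2
    fi
    n=$(count_subdirs "$dir")
    ifree=$(free_inodes "$dir")
    rc=0; state=OK
    if [ "$n" -ge "$limit" ]; then
        rc=2; state=CRIT
    elif [ $((n * 100)) -ge $((limit * warn_pct)) ]; then
        rc=1; state=WARN
    fi
    # Low free inodes raises OK to WARN; skipped when the count is unavailable.
    case $ifree in
        ''|*[!0-9]*) ifree=n/a ;;
        *) if [ "$ifree" -lt "$min_free" ] && [ "$rc" -eq 0 ]; then
               rc=1; state=WARN
           fi ;;
    esac
    echo "$state $dir: $n subdirectories (limit $limit), free inodes $ifree"
    return "$rc"
}

# Run as: sh check_logdir.sh /var/log/snort   (path is an example)
if [ "$#" -gt 0 ]; then
    logdir_status "$@"
    exit $?
fi
```

Run from cron, the non-zero exit code gives a warning before the sensor fails to create a new directory.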