Snort mailing list archives
Problems with session.log
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 10 Sep 2004 17:24:48 -0500
I'm running snort 2.1.3 and mysqld 3.23.58 on FreeBSD 4.9-SECURITY. I've been having the following problem for a while.
/var runs out of space and the database data.MYD and data.frm files' indexes get screwed up. The /var partition is 31GB, 8.7GB of which is used by "normal" files.
Logged in as root and checking the file system with df (df -h) shows that /var is at 104%. Checking the file systems with du (du -h /var) shows /var at 40%. This indicates that a filehandle is not being released or some sort of scratch file exists that is constantly growing.
By stopping processes one at a time and monitoring the filesystem with df, I determined that the cause of the problem was related to snort. Using fstat (fstat | grep var | sort -r -n -k 8 | head) I identified the inode of the file that was causing the problem. Then using find (find /var -inum "{inodenum}") I was able to identify the file as the session.log.
I'm wondering if anyone else has had a similar problem. I'm also wondering what the cause might be. I'm using newsyslog.conf to turn the session.log file over daily, and syslogd *should* be hupping the process when it does that, so I'm not sure what might be causing the problem. I do not have the same problem with either snort.log.{nums} or the alert.log, so syslogd is obviously hupping snort after turning them over. Since the session log is configured exactly the same way, I'm having a hard time believing that the process isn't being hupped when it is turned over.
This is the portion of newsyslog.conf that deals with snort logs.

/var/log/snort/portscan.log    600  7  *  $D0  Z
/var/log/snort/scan.log        600  7  *  $D0  Z
/var/log/snort/alert           600  7  *  $D0  Z
/var/log/snort/session.log     600  7  *  $D0  Z
/var/log/snort/blocked.log.*   600  7  *  $D0  ZG
/var/log/snort/snort.log.*     600  7  *  $D0  ZG

Any suggestions are welcomed. In the meantime, I've disabled session logging.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
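The df-versus-du gap described in the post is the classic signature of a file that has been renamed or unlinked (by log rotation) while a process still holds it open: the blocks stay allocated until the last descriptor is closed, so df sees them and du does not. The script below is an added example, not code from the post or from the Snort project. It assumes a Linux-style /proc (on FreeBSD, fstat as used in the post, or lsof +L1, gives the same information) and GNU/busybox stat with -L -c %s. It lists every open-but-deleted file with its owning pid, descriptor and current size, then reproduces the failure mode inside the shell itself: it opens a file on descriptor 3, writes 64 KiB to it, unlinks it, and shows that the space is still held.

```shell
#!/bin/sh
# Added example (not from the original post): locate files that are still open
# by some process but no longer have a directory entry, i.e. the case where
# df reports space that du cannot find. Assumes a Linux-style /proc; on FreeBSD
# use fstat (as in the post) or lsof +L1 instead.

# Print one line per unlinked-but-open file: "<pid> <fd> <bytes> <path>",
# largest first. The size comes from stat -L following the /proc magic link,
# so it reflects what the file currently occupies, not what the name once had.
find_deleted_open_files() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue   # skip fds we cannot read
        case "$target" in
            *' (deleted)')
                pid=${fd#/proc/}; pid=${pid%%/*}
                fdnum=${fd##*/}
                size=$(stat -L -c %s "$fd" 2>/dev/null) || size=0
                printf '%s %s %s %s\n' "$pid" "$fdnum" "$size" "${target% (deleted)}"
                ;;
        esac
    done | sort -k3 -n -r
}

# Reproduce the failure mode: hold a log file open on fd 3, write to it,
# unlink it (what a rotation without a re-open amounts to), and show that the
# bytes are still charged to the filesystem. Prints the matching report line.
demo() {
    tmp=$(mktemp -d)                      # constructed scratch directory
    exec 3>"$tmp/session.log"
    head -c 65536 /dev/zero >&3           # 64 KiB written through the open fd
    rm "$tmp/session.log"                 # name gone, blocks still allocated
    find_deleted_open_files | grep " $tmp/session.log\$"
    exec 3>&-                             # closing the last fd frees the space
    rmdir "$tmp"
}

demo
```

The output line names the pid holding the descriptor; that is the process that needs to be told to re-open its log (for a daemon that honours SIGHUP, a kill -HUP on that pid) or, failing that, restarted. Truncating the rotated copy does not help once it has been unlinked, and the space only returns when the descriptor is closed.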