Snort mailing list archives

Problems with session.log


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 10 Sep 2004 17:24:48 -0500

I'm running snort 2.1.3 and mysqld 3.23.58 on FreeBSD 4.9-SECURITY. I've been having the following problem for a while.

/var runs out of space and the database data.MYD and data.frm files' indexes get screwed up. The /var partition is 31GB, 8.7GB of which is used by "normal" files.

Logged in as root and checking the file system with df (df -h) shows that /var is at 104%. Checking the file systems with du (du -h /var) shows /var at 40%. This indicates that a filehandle is not being released or some sort of scratch file exists that is constantly growing.

By stopping processes one at a time and monitoring the filesystem with df, I determined that the cause of the problem was related to snort. Using fstat (fstat | grep var | sort -r -n -k 8 | head) I identified the inode of the file that was causing the problem. Then using find (find /var -inum "{inodenum}") I was able to identify the file as the session.log.

I'm wondering if anyone else has had a similar problem. I'm also wondering what the cause might be. I'm using newsyslog.conf to turn the session.log file over daily, and syslogd *should* be hupping the process when it does that, so I'm not sure what might be causing the problem. I do not have the same problem with either snort.log.{nums} or the alert.log, so syslogd is obviously hupping snort after turning them over. Since the session log is configured exactly the same way, I'm having a hard time believing that the process isn't being hupped when it is turned over.

This is the portion of newsyslog.conf that deals with snort logs.

/var/log/snort/portscan.log             600  7     *    $D0   Z
/var/log/snort/scan.log                 600  7     *    $D0   Z
/var/log/snort/alert                    600  7     *    $D0   Z
/var/log/snort/session.log              600  7     *    $D0   Z
/var/log/snort/blocked.log.*            600  7     *    $D0   ZG
/var/log/snort/snort.log.*              600  7     *    $D0   ZG

Any suggestions are welcomed. In the meantime, I've disabled session logging.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
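The diagnosis above, as an added example that is not part of the original post: the df-versus-du gap check and the fstat ranking are turned into sourceable shell functions, using the FreeBSD fstat column layout (USER CMD PID FD MOUNT INUM MODE SZ|DV R/W). The function names are assumed, and the fstat lines and usage figures are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): automate the df-vs-du check the
# post walks through, then rank open files on the suspect filesystem from
# FreeBSD fstat output (columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W).
# Function names are ours; the fstat lines and usage numbers are constructed.

# Percentage of df-reported usage that du cannot account for.
# args: df_used_kb du_used_kb ; prints an integer percentage
gap_percent() {
    df_used=$1; du_used=$2
    [ "$df_used" -gt 0 ] || { echo 0; return; }
    echo $(( (df_used - du_used) * 100 / df_used ))
}

# Rank open files on MOUNT by size, largest first, from fstat output on stdin.
# Output: SIZE INODE CMD PID, at most N lines (default 5).
largest_open_files() {
    mount=$1; n=${2:-5}
    awk -v m="$mount" '$5 == m && $8 ~ /^[0-9]+$/ { print $8, $6, $2, $3 }' |
        sort -rn | head -n "$n"
}

# Constructed fstat output, for illustration only.
sample_fstat() {
    cat <<'EOF'
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     snort       1234   5 /var       12345 -rw-------  9876543210  w
root     snort       1234   6 /var       12346 -rw-------     1048576  w
root     mysqld      2222   3 /var       33333 -rw-rw----   536870912  rw
root     syslogd      111   4 /var         777 -rw-r--r--       20480  w
root     sshd         333   3 /           4242 crw-rw-rw-       ttyp0  rw
EOF
}

# Live check on a FreeBSD host: compare df and du for /var, then rank open files.
check_var() {
    command -v fstat >/dev/null 2>&1 || { echo "fstat not found; skipping live check"; return 0; }
    df_kb=$(df -k /var | awk 'NR == 2 { print $3 }')
    du_kb=$(du -sk /var | awk '{ print $1 }')
    echo "df/du gap on /var: $(gap_percent "$df_kb" "$du_kb")%"
    fstat | largest_open_files /var 5
}
```

An inode reported by fstat that `find -inum` cannot name is the signature of a log that was rotated away while the process still held it open, which is exactly the case where du undercounts and only a reopen by the process frees the space. Note also that newsyslog(8) signals the process whose pid file is given in the optional field after the flags and signals syslogd when none is listed, so a rotation line only reaches snort if snort's own pid file appears on it.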

