Snort mailing list archives

Re: 2GB limit on alert log


From: "Keith W. McCammon" <mccammon () gmail com>
Date: Wed, 21 Jul 2004 15:32:31 -0400

> Has anyone found a good procedure for getting past the 2GB
> limit on Snort's alert log?

> Before anyone suggests this, the problem is not a
> filesystem imposed limit.  On the same fs, I have other
> apps dumping 20-50GB files daily.

OK.  My curiosity is getting the better of me.  Why on earth would you
want a 50GB flat file full of logs?  Presumably, at some point, you
have to move this into a database, otherwise any type of meaningful
analysis and/or follow-up is not possible, without modifying the
original log, which is not possible :)

> My logs easily grow to this size within a week with minimal
> logging enabled, so I have to find a way around this, and
> putting in more sensors is not an option.  I have several
> heavily populated /17's behind this sensor and that is not
> going to change.

What do you do with these files all week?  How do you analyze and
manage alerts?  Again, this is strictly curiosity.

> MySQL is not an option either.  I kicked that beeotch to
> the curb some time ago.  Flat files, shell scripts and
> snortalog are the only sensible way to go for me.  : - )

This is great, if all you ever want are reports.  I'm all for using
something like SnortALog for an overview.  But on the flip side, I'd
want to have some actual analysis going on.  If your network is as
large as you indicate, and you have a need for countless GB of logs
every day, then it would seem to me that you have some pretty serious
security concerns.  Thus, you probably have a need for some type of
analysis (read: you need to be doing something with all those logs
aside from just collecting them).

Last time: I'm sorry for not offering a solution.  I don't know of
one.  I'm just very interested in your methodology, if you don't mind
indulging me (us).

Cheers

Keith
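The thread asks how to keep a flat alert file from running into a hard size limit while staying with "flat files and shell scripts". Below is an added example, not code from this thread or from the Snort project: a POSIX shell script that checks the alert file against a byte threshold and, when it is exceeded, copies the file to a timestamped archive and truncates the original in place. The file names and the sample alert lines are constructed for the example; it assumes the writer opened the file in append mode (so truncating it in place does not leave a sparse file) and that the archive should live beside the original.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): size-threshold rotation
# for a flat alert log. Assumption: the sensor appends to the file, so
# truncating it in place is safe and the sensor keeps its open handle.

# needs_rotation FILE LIMIT_BYTES
# Returns 0 (true) when FILE exists and is at least LIMIT_BYTES long.
needs_rotation() {
    file=$1
    limit=$2
    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -ge "$limit" ]
}

# rotate_log FILE
# Copy-then-truncate rotation: the log is copied to FILE.<timestamp>, then
# the original is emptied so the writer never has to reopen it.
# Prints the archive path on success.
rotate_log() {
    file=$1
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$file.$stamp"
    cp "$file" "$archive" || return 1
    : > "$file"
    echo "$archive"
}

# rotate_if_needed FILE LIMIT_BYTES
# Rotates only when the threshold is crossed; prints the archive path if it did.
rotate_if_needed() {
    if needs_rotation "$1" "$2"; then
        rotate_log "$1"
    fi
}

# Stand-alone demonstration on a constructed alert file in a temp directory.
demo() {
    dir=$(mktemp -d)
    log="$dir/alert"
    printf '%s\n' \
        '[**] [1:0:0] CONSTRUCTED TEST ALERT [**]' \
        '[**] [1:0:0] CONSTRUCTED TEST ALERT [**]' > "$log"
    # A 64-byte threshold forces a rotation on this tiny sample.
    rotate_if_needed "$log" 64
    rm -rf "$dir"
}
```

Run it from cron (or after each snortalog pass) with the threshold well under the limit the sensor hits, so the copy finishes before the writer does. Keep the archive on the same filesystem so `cp` is not racing the sensor across a slow mount.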


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
