Snort mailing list archives

Re: Removing Snort Alert Files


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Wed, 26 Aug 2009 10:28:52 -0500

Quoting Richard Lichvar <rlichvar () sainc com>:

As some of you have seen from others of my posts, we have a large number
of zero-length Snort alert files (apparently because the systems being
protected are so isolated). What is the advisability of removing these
alert files? We have literally hundreds of them. Is there a particular
process that should be used or will a simple rm be okay?

Everyone has their own religion regarding log retention.  Here is a
little snippet to get you started on building your own.  Obviously you
need to modify it to work with your environment:

# Days to retain old files:
GARBAGECOLLECTION=30
ARCHIVELIFE=180
# Yesterday's date, used to stamp the archive (GNU date syntax)
DATE=`date --date=yesterday +%Y.%m.%d`

# Locations
SNORTDIR=/var/log/snort
ARCHIVE=${SNORTDIR}/archive
TCPDUMP="${SNORTDIR}/snort.tcpd"
ALERT=${SNORTDIR}/alert

# Clean up Snortdir: delete top-level files older than GARBAGECOLLECTION days
# (-maxdepth has to come before the other tests or GNU find warns)
find ${SNORTDIR} -maxdepth 1 -type f -mtime +${GARBAGECOLLECTION} -exec rm {} \;
# Clean up the archive: delete archives older than ARCHIVELIFE days
find ${ARCHIVE} -maxdepth 1 -type f -mtime +${ARCHIVELIFE} -exec rm {} \;

# Roll the current alert file and packet captures into a dated tarball,
# removing the originals once they are archived (GNU tar --remove-files)
if [ -d $ARCHIVE ]; then
    tar --remove-files -czf ${ARCHIVE}/alerts.${DATE}.tgz $ALERT ${TCPDUMP}*
fi



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
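An added example, not from the post above: a POSIX sh version of the same clean-up that first removes only the zero-length alert files the question asks about, then archives the non-empty alert file and captures. The layout is assumed from the snippet above: the first argument is the Snort log directory, alert files sit at its top level, captures are named snort.tcpd*, and archives go under an archive/ subdirectory.

```shell
#!/bin/sh
# Added example (not from the post). Assumed layout, taken from the snippet
# above: $1 is the Snort log directory, alert files sit at its top level,
# packet captures are named snort.tcpd*, archives go under $1/archive.
# Set DRY_RUN=1 to list what would be removed without touching anything.

# Remove only zero-length files older than $2 days at the top level of $1
# (the "hundreds of empty alert files" case). Prints the number matched.
# -empty and -maxdepth are GNU/BSD find extensions, not strict POSIX.
prune_empty_alerts() {
    dir=$1; days=${2:-0}
    count=$(find "$dir" -maxdepth 1 -type f -empty -mtime "+$days" | wc -l | tr -d ' ')
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # dry run: list candidates on stderr so stdout stays the count
        find "$dir" -maxdepth 1 -type f -empty -mtime "+$days" -print >&2
    else
        find "$dir" -maxdepth 1 -type f -empty -mtime "+$days" -exec rm -f {} +
    fi
    echo "$count"
}

# Archive the non-empty alert file and captures in $1 as archive/alerts.$2.tgz,
# deleting the originals only after tar succeeds. Returns 1 if there was
# nothing worth archiving, so an empty day never produces an empty tarball.
archive_alerts() {
    dir=$1; stamp=$2
    mkdir -p "$dir/archive"
    (
        cd "$dir" || exit 1
        set --
        for f in alert snort.tcpd*; do
            [ -s "$f" ] && set -- "$@" "$f"
        done
        [ $# -eq 0 ] && exit 1
        tar -czf "archive/alerts.$stamp.tgz" "$@" && rm -f "$@"
    )
}
```

From cron this would be called as prune_empty_alerts /var/log/snort 30 followed by archive_alerts /var/log/snort "$(date +%Y.%m.%d)"; the age-based deletion of old archives is still the find expressions from the snippet above.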



