Snort mailing list archives
Re: unifed2 log
From: Eugenio Pérez via Snort-devel <snort-devel () lists snort org>
Date: Thu, 22 Mar 2018 16:24:13 +0100
Hi, Ron H, sorry for the late response.

I did a patch some years ago that makes Snort not rotate when writing U2 packet-type records. The base version of the patch is an outdated 2.9.8.3, but it shouldn't be too complicated to update it. As I show in the patch doc, this breaks the U2 hard limit, so files could grow beyond the limit. That was not a problem in my case, but it could be for yours. Maybe a better solution would be to modify the spooler to accept the break, but that was not the path I took.

I hope it helps, regards!

2018-03-08 14:51 GMT+01:00 Ron H via Snort-devel <snort-devel () lists snort org>:
Hello Snort-devel,

We use Unified2 packet logging to log our Snort rules. The Unified2 log rotates every X MB by definition. Our system converts this Unified2 log to a pcap file by SigID and sends it to an offline IDS. The problem is that Unified2 logs can cut sessions in the middle, before they have ended, because of the logrotate size. We are interested in reducing this issue. We would like to know how we can resolve it. One solution we are thinking of is writing the Unified2/pcap log by SigID. Is that possible?

Thanks!
Attachment:
dont_rotate_on_packets_2_9_8_3.diff
Description:
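To make the rotation problem discussed in the thread concrete, here is an added Python example; it is not code from the thread, from the attached patch or from Snort. It reads unified2 records using the on-disk layout from Snort's Unified2_common.h (an 8-byte type/length header in network byte order, and for UNIFIED2_PACKET records seven 32-bit fields followed by the packet bytes), groups packet records by event_id the way a "convert to pcap per signature" tool would have to, and simulates a purely size-based rotation to show how it can leave a record split across two files so that neither file parses cleanly. The sample records are constructed, and the `rotate` helper is a hypothetical stand-in for Snort's size-based rotation, not Snort's actual code.

```python
import struct
from collections import defaultdict

# Record type constants as defined in Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Every unified2 record starts with type and length, network byte order.
RECORD_HDR = struct.Struct("!II")
# Serial_Unified2Packet: sensor_id, event_id, event_second,
# packet_second, packet_microsecond, linktype, packet_length
PACKET_HDR = struct.Struct("!IIIIIII")


def read_records(data: bytes):
    """Parse complete records from a unified2 byte stream.

    Returns (records, trailing_bytes): records is a list of (type, body);
    trailing_bytes counts bytes left over from an incomplete record at the
    end of the stream (what a size-based rotation can leave behind).
    """
    records = []
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        end = off + RECORD_HDR.size + rlen
        if end > len(data):
            break  # record truncated by end of file
        records.append((rtype, data[off + RECORD_HDR.size:end]))
        off = end
    return records, len(data) - off


def packets_by_event(records):
    """Group the raw packet bytes of UNIFIED2_PACKET records by event_id."""
    groups = defaultdict(list)
    for rtype, body in records:
        if rtype != UNIFIED2_PACKET:
            continue
        (_sensor, event_id, _ev_sec, _pkt_sec,
         _pkt_usec, _linktype, pkt_len) = PACKET_HDR.unpack_from(body, 0)
        groups[event_id].append(body[PACKET_HDR.size:PACKET_HDR.size + pkt_len])
    return dict(groups)


def make_packet_record(event_id, payload, sensor_id=1,
                       event_sec=1520000000, linktype=1):
    """Build one constructed UNIFIED2_PACKET record for the demo."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_sec, event_sec,
                           0, linktype, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def rotate(stream: bytes, limit: int):
    """Hypothetical size-based rotation: split the stream every `limit`
    bytes with no regard for record boundaries."""
    return [stream[i:i + limit] for i in range(0, len(stream), limit)]


# Constructed sample: two packets for event 10, one for event 11.
# Each record is 8 + 28 + 20 = 56 bytes, 168 bytes in total.
SAMPLE_STREAM = (make_packet_record(10, b"A" * 20)
                 + make_packet_record(10, b"B" * 20)
                 + make_packet_record(11, b"C" * 20))


if __name__ == "__main__":
    recs, rest = read_records(SAMPLE_STREAM)
    print(f"unrotated: {len(recs)} records, {rest} trailing bytes")
    print({eid: len(pkts) for eid, pkts in packets_by_event(recs).items()})
    for i, chunk in enumerate(rotate(SAMPLE_STREAM, 100)):
        recs, rest = read_records(chunk)
        print(f"file {i}: {len(recs)} complete records, {rest} unparsable bytes")
```

With a 100-byte limit the second record is cut at byte 100: the first file ends with 44 bytes of a half-written record, and the second file starts in the middle of that record's packet payload, so its first "header" is payload bytes and nothing after it can be recovered without resynchronising. That is the failure the patch avoids by deferring rotation until the packet record has been written, at the cost of the file occasionally exceeding the configured size.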