
[Snort-users] Problems with session.log



09-11-2004
Paul Schmehl
 

I'm running snort 2.1.3 and mysqld 3.23.58 on FreeBSD 4.9-SECURITY. I've
been having the following problem for a while.

/var runs out of space and the database data.MYD and data.frm files'
indexes get screwed up. The /var partition is 31GB, 8.7GB of which is used
by "normal" files.

Logged in as root and checking the file system with df (df -h) shows that
/var is at 104%. Checking the file systems with du (du -h /var) shows /var
at 40%. This indicates that a filehandle is not being released or some
sort of scratch file exists that is constantly growing.

By stopping processes one at a time and monitoring the filesystem with df,
I determined that the cause of the problem was related to snort. Using
fstat (fstat | grep var | sort -r -n -k 8 | head) I identified the inode of
the file that was causing the problem. Then using find (find /var -inum
"{inodenum}") I was able to identify the file as the session.log.

I'm wondering if anyone else has had a similar problem. I'm also wondering
what the cause might be. I'm using newsyslog.conf to turn the session.log
file over daily, and syslogd *should* be hupping the process when it does
that, so I'm not sure what might be causing the problem. I do not have the
same problem with either snort.log.{nums} or the alert.log, so syslogd is
obviously hupping snort after turning them over. Since the session log is
configured exactly the same way, I'm having a hard time believing that the
process isn't being hupped when it is turned over.

This is the portion of newsyslog.conf that deals with snort logs.

/var/log/snort/portscan.log 600 7 * $D0 Z
/var/log/snort/scan.log 600 7 * $D0 Z
/var/log/snort/alert 600 7 * $D0 Z
/var/log/snort/session.log 600 7 * $D0 Z
/var/log/snort/blocked.log.* 600 7 * $D0 ZG
/var/log/snort/snort.log.* 600 7 * $D0 ZG

Any suggestions are welcomed. In the meantime, I've disabled session
logging.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


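The rotation failure the post describes, reproduced in a scratch directory as an added example (not code from the original post, Snort or newsyslog). A "daemon" opens session.log once, newsyslog renames it and, with the Z flag, compresses and unlinks the rotated copy (rm stands in for gzip here), and until the daemon reopens its log by name, as a SIGHUP handler would, every write lands in the old, now-unlinked inode that df still counts but du and find cannot see.

```shell
# Added example: a log writer that keeps a rotated file open versus one that
# reopens after rotation. Paths are constructed under mktemp, not /var/log/snort.

setup()      { WORK=$(mktemp -d); LOG="$WORK/session.log"; }   # constructed path
open_log()   { exec 3>>"$LOG"; }                  # daemon opens its log at startup
write_log()  { echo "$1" >&3; }                   # daemon appends via the held fd
reopen_log() { exec 3>&-; exec 3>>"$LOG"; }       # what the HUP handler must do

rotate_log()       { mv "$LOG" "$LOG.0"; : > "$LOG"; }   # newsyslog: rename + recreate
compress_rotated() { rm "$LOG.0"; }   # stand-in for gzip (Z flag), which unlinks its input

count_lines()     { [ -f "$1" ] && wc -l < "$1" | tr -d ' ' || echo 0; }
rotated_present() { [ -e "$LOG.0" ] && echo yes || echo no; }

# Daemon never reopens: the new session.log stays empty, the rotated copy is gone,
# yet writes keep succeeding into an inode no path refers to any more.
demo_without_reopen() {
    setup; open_log
    write_log "session 1"
    rotate_log
    write_log "session 2"              # lands in session.log.0, not session.log
    compress_rotated                   # session.log.0 unlinked; fd 3 still holds it
    write_log "session 3"; rc=$?       # succeeds: space consumed, invisible to du
    echo "new=$(count_lines "$LOG") write_rc=$rc rotated=$(rotated_present)"
    rm -rf "$WORK"
}

# Daemon is hupped after rotation: it reopens by name and writes to the new file.
demo_with_reopen() {
    setup; open_log
    write_log "session 1"
    rotate_log; compress_rotated
    reopen_log                          # same effect as the daemon handling SIGHUP
    write_log "session 2"
    echo "new=$(count_lines "$LOG") rotated=$(rotated_present)"
    rm -rf "$WORK"
}

demo_without_reopen   # new=0 write_rc=0 rotated=no
demo_with_reopen      # new=1 rotated=no
```

On a live system the first case is what the df-versus-du gap and the fstat/find -inum search in the post point to: an open descriptor on an inode that the rotation already unlinked.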