Snort mailing list archives

Rotating '-b' logs without stopping snort? (0% data loss...)


From: Dave Cinege <dcinege () psychosis com>
Date: Tue, 24 Jul 2001 05:01:47 -0400

I'm creating a distributed 'total system', in which 
snort will reside on several satellite hosts.

The idea is to have snort log '-b' (tcpdump binary) on the
hosts and then transfer these to a master host that will
dump the logs into normal verbose directory format.

The desire is for the data to be kept as synced as
possible with the master host. (i.e. within a few minutes)

Problem:
If I am constantly restarting snort, I will miss packet data in between
the stop time.

I have tried to 'slide' the snort.log file, by `sync,cp,:>` (truncate)
praying buffering would always work to my advantage. However
it's leaving me with corrupted log files.

How can I resolve this? If I need to do some recoding of snort I can, though
KISS is best. (I was thinking maybe sending a signal to the
process to pause file writing and buffer until getting another signal
to resume writing)

Any suggestions appreciated.

FYI At this point SQL is too expensive, though maybe not in the long run.

Dave
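As an added illustration (not part of Dave's post or of Snort's own code), the Python below models the '-b' (tcpdump binary) file format and the two ways a `cp` then `:>` rotation can damage it: the copy can end in the middle of a record, and the still-open writer resumes at its old file offset, so the truncated file is re-grown with a zero-filled hole where the file header used to be. It assumes the classic little-endian libpcap layout (24-byte file header, 16-byte record headers) and uses constructed sample records.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                   # libpcap file magic (little-endian layout assumed)
GLOBAL_HDR = struct.Struct("<IHHiIII")    # magic, ver major, ver minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")          # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(payloads):
    """Build a minimal pcap: one file header, then one record per constructed payload."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, payload in enumerate(payloads):
        out += REC_HDR.pack(1000 + i, 0, len(payload), len(payload)) + payload
    return out


def check_pcap(data):
    """Walk the records; return (status, complete_records).

    status is 'ok', 'bad-magic' (no file header at offset 0) or
    'truncated-record' (file ends inside a record header or payload).
    """
    if len(data) < GLOBAL_HDR.size or GLOBAL_HDR.unpack_from(data)[0] != PCAP_MAGIC:
        return "bad-magic", 0
    off, count = GLOBAL_HDR.size, 0
    while off < len(data):
        if off + REC_HDR.size > len(data):
            return "truncated-record", count
        _, _, incl_len, _ = REC_HDR.unpack_from(data, off)
        if off + REC_HDR.size + incl_len > len(data):
            return "truncated-record", count
        off += REC_HDR.size + incl_len
        count += 1
    return "ok", count


def simulate_cp_then_truncate(full, copy_point):
    """Model the rotation: `cp` snapshots the file at copy_point bytes, then `:>`
    truncates it to zero length. The writer's descriptor (opened without O_APPEND)
    keeps its old offset, so its next write extends the empty file with a hole of
    NUL bytes up to that offset; the header is gone and the copy may end mid-record.
    """
    copied = full[:copy_point]
    continued = b"\x00" * copy_point + full[copy_point:]
    return copied, continued
```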
