Snort mailing list archives

(no subject)


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Sat, 13 Dec 2003 19:14:53 +1300

The network I'm monitoring is quite big (actually it's huge).
Everything works fine until more than 32000 alerts (different IPs) are generated.
When this happens, snort just stops, probably because of an operating
system restriction.

Yes, this is a fundamental constraint of the file system (number of
files in a directory).  A simple way to work around it would be to use a
different logging format: either tcpdump, unified or log to a database.
With so many alerts you may have performance problems with logging
direct to a database.

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
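As an added example, not from this thread or the Snort project: a POSIX shell check that reports how close a Snort log directory is to the file system's per-directory link limit, the constraint Russell describes. It assumes the log directory is the one given to snort with `-l`, and the function name and output format are my own.

```shell
#!/bin/sh
# Constructed example: measure headroom in a Snort log directory.
# Snort's default packet logging creates one subdirectory per remote IP
# under the -l log directory. Each subdirectory holds a ".." hard link to
# its parent, so the parent's link count is bounded by the file system's
# LINK_MAX (32000 on ext2/ext3), which caps the number of IP directories.
# The workarounds named in the reply avoid per-IP directories entirely:
#   output log_tcpdump: snort.log            (single pcap file)
#   output unified: filename snort.u, limit 128   (unified binary logs)
#   output database: log, mysql, user=... dbname=... host=...

# Usage: snort_logdir_headroom LOGDIR [LIMIT]
# Prints "<subdirs> <limit> <percent>"; returns 1 once usage reaches 90%.
snort_logdir_headroom() {
    logdir=$1
    # LIMIT overrides the value reported by the file system (handy for tests).
    limit=${2:-$(getconf LINK_MAX "$logdir" 2>/dev/null)}
    case $limit in
        ''|*[!0-9]*) limit=32000 ;;   # getconf may print "undefined"
    esac
    # Count only direct subdirectories: one per logged remote IP.
    subdirs=$(find "$logdir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' ')
    pct=$(( subdirs * 100 / limit ))
    echo "$subdirs $limit $pct"
    [ "$pct" -lt 90 ]
}
```

Run it from cron against the directory passed to `-l` to get a warning before snort stops logging rather than after.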





