From: Jon U. <jur...@ya...> - 2008-05-13 12:07:25
Hi all,
We have snort (with pf_ring) logging in unified format, analyzing a link at about 50 Mbps. The output line is:
"output unified: filename snort, limit 128"
At this rate, a file (128 MB) is generated every minute or two. My first question is... Is this normal? There has been a clean-up of the snort config and the alert rate is not very high, so even if the whole packets (generating alerts) are logged, it is a very big amount!! The error should be here... What's your opinion about this??
We have an instance of ossim-agent with snortunified plugin, here the config:
"[config]
type=detector
enable=yes
source=snortlog
process=snort
start=no; launch plugin process when agent starts
stop=no; shutdown plugin process when agent stops
startup=/etc/init.d/%(process)s start
shutdown=/etc/init.d/%(process)s stop
directory=/var/log/snort/
prefix=snort
linklayer=ethernet
"
But there is no snort event logged into the server. How can I make sure that ossim-agent is reading the unified files? lsof does not say anything (no open files). Is it going to be fast enough to read that amount of data??
How can the agent's unified parser be aware of the rotation of these files (snort logs)? I need to rotate them periodically (disk space is not infinite...) and I need to know how much of the agent's work is done!!
Please help!! Regards,
Jon