HUGE Snort logs (possibly NFS)
I've noticed this by chance as suddenly exim would not send
messages due to a full var partition...
After investigating I've found that the /var/log/snort
directory contained two files of about 700MB and 500MB
called email@example.com etc.
Except for these two, the other files with similar names are only
a few thousand bytes long...
Recent entries in the alert file in the same directory are of
the types of:
MISC Large UDP Packet
192.168.1.2:2049 -> 192.168.1.5:800
BAD TRAFFIC bad frag bits
192.168.1.2 -> 192.168.1.5
I've recently started experimenting with mounting drives through NFS.
The dates for the two big files coincide with these occasions.
(Although if the last bit of the file name is the time of the day,
then 6:25 in the morning does not seem right. Unless this is the time
at which the file has been opened...)
I have both scandetd and snort (surprise) running on my server.
At both occasions I've got a lot of port scan warnings from scandetd.
Although I haven't got any of the bad fragment messages before...
So here are my questions:
Am I correct to assume that this is NFS related?
Why the huge log file?
Is something wrong with my NFS setup?
How to convince scandetd to ignore NFS?
How to avoid snort complaints and huge logs filling up var?
Many thanks for your help in advance!
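Before tuning scandetd or adding Snort pass rules, it helps to confirm from the data which alerts and which hosts are producing the volume. The script below is an added example, not code from the original post or from the Snort project: it counts alerts whose source or destination port is the NFS port (2049, the port in the quoted alert), tallies alerts per signature message, and lists log files above a size threshold. The alert lines are constructed here in Snort's one-line "fast" alert style from the two alert types quoted in the post; the fourth line (a DNS-port sender) is made up to show a non-NFS alert. NFS_PORT and the directory/threshold arguments are assumptions about the setup.

```shell
#!/bin/sh
# Added example (not from the original post): attribute Snort alert volume
# to NFS traffic and spot oversized log files in the Snort log directory.

# Assumption: NFS is served on its default port 2049 (the port seen in the
# "MISC Large UDP Packet" alert quoted in the post).
NFS_PORT=2049

# Constructed sample alerts in Snort "fast" style; the first three follow the
# alert types and addresses quoted in the post, the fourth is made up.
SAMPLE_ALERTS='02/10-06:25:01.000001 [**] MISC Large UDP Packet [**] {UDP} 192.168.1.2:2049 -> 192.168.1.5:800
02/10-06:25:01.000120 [**] MISC Large UDP Packet [**] {UDP} 192.168.1.2:2049 -> 192.168.1.5:800
02/10-06:25:02.000007 [**] BAD TRAFFIC bad frag bits [**] {UDP} 192.168.1.2 -> 192.168.1.5
02/10-06:25:03.000009 [**] MISC Large UDP Packet [**] {UDP} 10.0.0.9:53 -> 192.168.1.5:1025'

# Count alerts (read from stdin) whose source or destination port is NFS_PORT.
# The last three fields of a fast-style line are SRC -> DST; an address may or
# may not carry a :port suffix (fragment alerts are logged without ports).
count_nfs_alerts() {
    awk -v port="$NFS_PORT" '
        /->/ {
            src = $(NF-2); dst = $NF
            ns = split(src, s, ":"); nd = split(dst, d, ":")
            if ((ns == 2 && s[2] == port) || (nd == 2 && d[2] == port)) c++
        }
        END { print c + 0 }'
}

# Tally alerts per signature message, most frequent first.
# Output: "count<TAB>message" per line.
alerts_by_message() {
    awk -F ' \\[\\*\\*\\] ' '{ c[$2]++ } END { for (m in c) printf "%d\t%s\n", c[m], m }' \
        | sort -rn
}

# List regular files under DIR larger than LIMIT_KB kilobytes.
# Usage: oversized_logs /var/log/snort 102400   (files over 100 MB)
oversized_logs() {
    dir=$1; limit_kb=$2
    find "$dir" -type f -size +"${limit_kb}k" 2>/dev/null
}

# Demo run: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "alerts involving port $NFS_PORT:"
    printf '%s\n' "$SAMPLE_ALERTS" | count_nfs_alerts
    echo "alerts by message:"
    printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_message
    echo "oversized files in /var/log/snort (over 100 MB):"
    oversized_logs /var/log/snort 102400
fi
```

If the NFS count is close to the total, the noise is the NFS mount rather than a scan, and the fix belongs in Snort (a pass rule or a BPF filter excluding the NFS pair) rather than in the log rotation; the size listing tells you which files to rotate or remove once the source is quiet.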