[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

HUGE Snort logs (possibly NFS)


I've noticed this by chance as suddenly exim would not send
messages due to a full var partition...

After investigating I've found that the /var/log/snort
directory contained two files of about 700MB and 500MB
called snort-0713@0625.log etc.
Except for the the other files with similar names are only
a few thousand bytes long...

Recent entries in the alert file in the same directory are of
the types of:
MISC Large UDP Packet ->

BAD TRAFFIC bad frag bits ->

I've recently started experimenting with mounting drives through NFS.
The dates for the two big files coincide with these occasions.
(Allthough if tha last bit of the file name is the time of the day,
then 6:25 in the morning does not seem right. Unless this is the time
ar which the file has been opened...)

I have both scandetd and snort (surprise) running on my server.
At both occasions I've got a lot of port scan warnings from scandetd.
Allthough I haven't got any of the bad fragment messages before...

So here are my questions:
Am I correct to assume that this is NFS related?
Why the huge log file?
Is something wrong with my NFS setup?
How to convice scandetd to ignore NFS?
How to avoid snort complaints and huge logs filling up var?

Many thanks for your help ion advance!

To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: