HUGE Snort logs (possibly NFS)

To: Debian Users <debian-user@lists.debian.org>
Subject: HUGE Snort logs (possibly NFS)
From: Balazs Javor <jb3@freemail.hu>
Date: Sat, 13 Jul 2002 19:46:11 +0200
Message-id: <[🔎] 20020713174611.GA2978@zhadum.bjavor.com>
Mail-followup-to: Debian Users <debian-user@lists.debian.org>

Hi,

I've noticed this by chance as suddenly exim would not send
messages due to a full var partition...

After investigating I've found that the /var/log/snort
directory contained two files of about 700MB and 500MB
called snort-0713@0625.log etc.
Except for the the other files with similar names are only
a few thousand bytes long...

Recent entries in the alert file in the same directory are of
the types of:
MISC Large UDP Packet
192.168.1.2:2049 -> 192.168.1.5:800

and
BAD TRAFFIC bad frag bits
192.168.1.2 -> 192.168.1.5

I've recently started experimenting with mounting drives through NFS.
The dates for the two big files coincide with these occasions.
(Allthough if tha last bit of the file name is the time of the day,
then 6:25 in the morning does not seem right. Unless this is the time
ar which the file has been opened...)

I have both scandetd and snort (surprise) running on my server.
At both occasions I've got a lot of port scan warnings from scandetd.
Allthough I haven't got any of the bad fragment messages before...

So here are my questions:
Am I correct to assume that this is NFS related?
Why the huge log file?
Is something wrong with my NFS setup?
How to convice scandetd to ignore NFS?
How to avoid snort complaints and huge logs filling up var?

Many thanks for your help ion advance!
brgds,
Balazs


-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Prev by Date: etherconf or ifupdown problem with subnets
Next by Date: Re: X-newbie question
Previous by thread: etherconf or ifupdown problem with subnets
Next by thread: Debian, woody and KDE
Index(es):
- Date
- Thread