In need of assistance
-
Hey!
Thanks for stopping by... I greatly appreciate it! I have made a change and I am not entirely sure how to adjust it back... This seems a bit silly, but I was expanding the alert section out to 4000 and accidentally hit that extra 0 like a bonehead. I know, I know, you're probably over there thinking why does this guy need 4000 logs? Well, because I was filtering to see how many times the same IP showed up. Within Snort I have accidentally input the value of 40000 into the alerts log section and I can no longer load the alerts page without it crashing. I know I could start over and this would probably fix everything, or I could roll back to the latest config. I have a backup of the firewall, but it's from a week ago and I know that doesn't seem long ago, but I have added a lot of rules to my Snort rules, like A LOT. Could someone please help with getting this adjusted back to a lower number? Any help would be greatly appreciated!
Thanks in advance!
-
You have two options for fixing this. You can either delete the current alerts log file, or you will need to manually edit the config.xml file on the firewall to reset the value.
The much safer option, unless you are very familiar with editing XML files, is to simply delete the existing alert log. To do this, stop Snort on the interface using the GUI controls. At a shell prompt on the firewall, navigate to the /var/log/snort/snort_xxxx subdirectory (where xxxx is the physical interface name combined with a UUID random number). In the directory, delete the alert file. You can now return to the GUI, open the ALERTS tab, and then reset the value. Once you've reset the value, start Snort on the interface again.
-
@bmeeks Thank you kindly! :)