Netgate Discussion Forum

    Snort - log is not automatically cleared when the limit exceeded

    • S
      slu
      last edited by

      Is this a known issue?
      Logfile Size 2022-04-11_14-45.png

      snort security 4.1.5_2

      pfSense Gold subscription

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        I'm not aware of an open bug report for that issue. A check is made during the execution of the rules update task. Here is the applicable code section:

        /* See if we need to automatically clear the Update Log based on 1024K size limit */
        if (file_exists(SNORT_RULES_UPD_LOGFILE)) {
        	if (1048576 < filesize(SNORT_RULES_UPD_LOGFILE))
        		unlink_if_exists("{SNORT_RULES_UPD_LOGFILE}");
        }
        

        Looking at that code with a fresh head, it may actually be better to truncate the file instead of unlinking it. I'll put a note on my internal bug list to make this part of the code more robust.

        In the meantime, simply use the Clear Log button to manually erase the file. You don't want it to get too large as then the system will throw PHP memory errors when it tries to load and display a very large text file.

        S 2 Replies Last reply Reply Quote 0
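The truncate-instead-of-unlink approach mentioned in the post above, as an added example that is not part of the original thread and is not the Snort package's own code. The constant `DEMO_UPD_LOGFILE`, the helper `truncate_log_if_oversize()` and the sample data are assumptions made for the demo; the example also shows that PHP does not expand a constant placed inside a double-quoted string, so the constant is passed to the helper directly.

```php
<?php
// Added example, not the Snort package's code. The path below is a demo
// assumption; the real package defines SNORT_RULES_UPD_LOGFILE itself.
define('DEMO_UPD_LOGFILE', sys_get_temp_dir() . '/demo_snort_rules_update.log');
define('DEMO_LOG_LIMIT', 1048576); // 1024K, the limit named in the post

/**
 * Truncate $path in place when it is larger than $limit bytes.
 * Returns true when the file was truncated, false otherwise.
 */
function truncate_log_if_oversize(string $path, int $limit): bool
{
    clearstatcache(true, $path);      // filesize() results are cached per request
    if (!is_file($path) || filesize($path) <= $limit) {
        return false;
    }
    $fh = fopen($path, 'c');          // 'c' opens for writing without truncating
    if ($fh === false) {
        return false;
    }
    $done = false;
    if (flock($fh, LOCK_EX)) {        // advisory lock: holds off cooperating writers
        $done = ftruncate($fh, 0);    // same inode, owner and mode are kept
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    clearstatcache(true, $path);      // later filesize() calls see the new length
    return $done;
}

// Constructed sample data: a little over the 1024K limit.
file_put_contents(DEMO_UPD_LOGFILE, str_repeat("rules update line\n", 60000));
printf("before: %d bytes\n", filesize(DEMO_UPD_LOGFILE));

// "{DEMO_UPD_LOGFILE}" is the literal text in braces, not the constant's value,
// so this looks for a file with that literal name in the working directory.
var_dump(file_exists("{DEMO_UPD_LOGFILE}"));

// Passing the constant itself reaches the real file.
var_dump(truncate_log_if_oversize(DEMO_UPD_LOGFILE, DEMO_LOG_LIMIT));
printf("after: %d bytes\n", filesize(DEMO_UPD_LOGFILE));
unlink(DEMO_UPD_LOGFILE);             // remove the demo file
```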
        • S
          slu @bmeeks
          last edited by

          @bmeeks said in Snort - log is not automatically cleared when the limit exceeded:

          Looking at that code with a fresh head, it may actually be better to truncate the file instead of unlinking it. I'll put a note on my internal bug list to make this part of the code more robust.

          That sounds good.

          In the meantime, simply use the Clear Log button to manually erase the file. You don't want it to get too large as then the system will throw PHP memory errors when it tries to load and display a very large text file.

          Delete the log with the Clear Log button for the moment, thanks for the hint.
          Another system shows "Logfile Size 3.22 MiB".

          pfSense Gold subscription

          1 Reply Last reply Reply Quote 0
          • S
            slu @bmeeks
            last edited by slu

            @bmeeks
            see the commit [1], thank you.

            [1] https://github.com/pfsense/FreeBSD-ports/commit/b48f7bee696c7b9a3ad811b8a85f4aa3dfeb9a22

            pfSense Gold subscription

            1 Reply Last reply Reply Quote 0
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.