
Cleaning up Snort's Droppings on ClearOS

karma

In the last couple of weeks a wave of attacks has seen the snort packet logs on a client's firewall fill the disk to capacity, causing all sorts of wonderful problems. Packet logging is optional and usually only worth the trouble if you are actively trying to diagnose an attack or a false positive, in which case it can be turned on at that time. For most folks it simply hinders performance and, if your storage is not well partitioned, is a hazard, as we have seen with this router.

Disable packet logging by editing /etc/init.d/snort to start the daemon with the -N flag:

    start)
        echo -n $"Starting $prog: "
        if test "x`/sbin/pidof snort`" != x; then
                failure
                echo ""
        else
                automagic
                # Add support for multiwan
                if [ -n "$EXTIF" ]; then
                        for INTERFACE in $EXTIF; do
                                daemon snort -N -i $INTERFACE -D -c /etc/snort.conf
                        done
                else
                        daemon snort -N -D -c /etc/snort.conf
                fi
                RETVAL=$?
                echo
                [ $RETVAL -eq 0 ] && touch /var/lock/snort
        fi
        ;;

Restart snort via its init script:

# /etc/init.d/snort restart
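To confirm the change actually took, and to get a warning before the packet logs fill the disk again, here is a small POSIX sh check. It is an added example, not from the original post or from ClearOS; the function names, the log directory, the size limit and the use of procps `ps -C` are my assumptions.

```shell
#!/bin/sh
# Added example: verify snort runs with -N and watch /var/log/snort's size.
# Paths, limits and function names are assumptions, not ClearOS defaults.

# Return 0 if a snort command line already carries -N (packet logging off).
snort_cmdline_disables_logging() {
    # $1: the command line as one string, e.g. from `ps -o args= -C snort`
    for word in $1; do
        [ "$word" = "-N" ] && return 0
    done
    return 1
}

# Size of a directory in KiB (du -sk is POSIX; empty if the dir is missing).
dir_kib() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Return 0 if the log directory ($1) exceeds the limit in KiB ($2).
snort_logs_over_limit() {
    used=$(dir_kib "$1")
    [ "${used:-0}" -gt "$2" ]
}

# Run all checks: $1 log dir, $2 limit in KiB, $3 init script path.
# Prints one WARN line per problem and returns 1 if anything is wrong.
check_snort() {
    rc=0
    running=$(ps -o args= -C snort 2>/dev/null | head -n 1)   # procps only
    if [ -n "$running" ] && ! snort_cmdline_disables_logging "$running"; then
        echo "WARN: snort is running without -N (packet logging enabled)"
        rc=1
    fi
    if grep -q 'daemon snort' "$3" 2>/dev/null && \
       ! grep -q 'daemon snort.* -N' "$3"; then
        echo "WARN: $3 does not start snort with -N"
        rc=1
    fi
    if snort_logs_over_limit "$1" "$2"; then
        echo "WARN: $1 uses $(dir_kib "$1") KiB, limit is $2 KiB"
        rc=1
    fi
    return $rc
}

# Example invocation (200 MiB limit), e.g. from cron:
# check_snort /var/log/snort 204800 /etc/init.d/snort
```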

If you take a look at the logrotate configuration file for snort at /etc/logrotate.d/snort you'll see:

# A bit of a kludge here - the logrotate file is empty and
# created by /etc/rc.d/init.d/snort.
/var/log/snort/logrotate {
 missingok
 postrotate
 tar -czf /var/log/snort.tar.gz /var/log/snort 2> /dev/null
 rm -rf /var/log/snort/[0-9]* /var/log/snort/snort.log.[0-9]* 2> /dev/null
 killall -HUP snort 2> /dev/null || true
 endscript
}

I'm not sure why the ClearOS people are using a "kludge" here; at best guess, it seems the point is to put the snort.tar.gz archive directly under /var/log rather than in its own directory. Maybe it has to do with accommodating snort's built-in log rotation. I don't know. I don't really care.

If you're concerned about aesthetics, keep the init script from creating the blank file by commenting out these lines:

        # Creates a dummy file for /etc/logrotate.d/snort script
#       if [ -d /var/log/snort ]; then
#               echo "Used for logrotate... do not delete" > /var/log/snort/logrotate
#       fi

If I read that right, it's saying "Used for logrotate... please delete."

# yes | rm -r /var/log/snort/*
