Re: Ext3 File System "Too many files" with snort

From: jmerkey
Date: Fri Jul 09 2004 - 13:32:18 EST





> On Fri, Jul 09, 2004 at 04:36:14PM +0000, jmerkey@xxxxxxxxxxx wrote:
>
> > > Do you create a subdirectory for every user?
> > Yes. Snort creates a subdirectory for each IP address identified as
> > generating an attack or alert. This number can get very large, BTW.
>
> The last time I looked at snort it created a tcpdump capture file of the
> day's activity. I remember seeing the behaviour you describe in an earlier
> release, so either you have an old version (which you should probably
> update given snort's sketchy security hole history),

This is the latest 2.1.3 version they are posting.

> or there's a configuration
> option that you might be able to fiddle with to get it to work in capture-file
> mode.
>

Not using capture file mode for this instantiation. Sooner or later EXT(whatever) should
handle more than 32000 files in a single directory. I will submit a patch to Andi and
Andreas to review with this change. May make some sense. Since most folks install Linux
on a clean system and really are not doing a lot of cross compatible FS swapping of
hard drives, it really should be low impact if a system uses on-disk structures that
are larger, provided they are not downgrading their system to an older kernel. Using a
different partition type may be the easiest way to do this without causing breakage across
linux kernels and EXT versions.

Jeff

> Either way, it's got to be easier than hacking ext3 code 8)
>
> Dave
>