[Oisf-users] suricata filling disk space

Javier Nieto jnietotn at gmail.com
Thu Dec 3 09:23:07 UTC 2015


Hi,

I think that setting thresholds could help you in this case scenario... Take
a look at /etc/suricata/threshold.config

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/rule-thresholding
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds

Regards
--
Javier Nieto

On Thu, Dec 3, 2015 at 9:35 AM Christophe Vandeplas <
christophe at vandeplas.com> wrote:

> Patel,
>
> It will probably not be a satisfying answer, as it does not prevent your
> disk from filling up, but I would do the following:
> - configure logrotate to rotate and compress your logs when a certain
> filesize is reached.  This will allow you to store up to 10 times the
> volume of logs thanks to the compression.
> - configure your monitoring tool to alert you when your disk reaches 70 or
> 80% of usage. In combination with the logrotate you might even get multiple
> alerts as you will probably reach that point multiple times before
> logrotate kicks in and gives you extra storage again. In any case
> monitoring important systems is crucial, so if you're not yet monitoring
> it, please do!
>
> - worst-case you can configure logrotate to remove old logfiles after X
> entries. However I prefer to remove them upon age to prevent losing
> important info.
>
> This way you keep your logs, which might be interesting for further
> investigation, but you also limit and control further damage.
>
> Kind regards
> Christophe
>
>
> On 3 December 2015 at 05:35, Satish Patel <satish.txt at gmail.com> wrote:
>
>> Hello,
>>
>> I am running suricata-2.0.9, but suddenly yesterday we got a DDoS and I
>> found that within 10 min Suricata filled 10G of disk space in /var/log:
>> many, many unified alert files.
>>
>> How do I optimize the configuration to not fill the disk and reduce logging
>> if there is a DDoS?
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona:
>> http://oisfevents.net
>>
>
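As an added illustration of the global thresholds Javier points to (this fragment is not from the thread and not Suricata's shipped file), a threshold.config that caps every rule to one alert per destination host per minute during a flood, plus a tighter per-rule line; sid 2404000 and the address 10.0.0.5 are placeholders, and Suricata only reads the file if suricata.yaml's threshold-file points at it:

```text
# Added example for /etc/suricata/threshold.config (not from the original thread).
# Loaded only when suricata.yaml contains:
#   threshold-file: /etc/suricata/threshold.config

# sig_id 0 applies the entry to every signature with gen_id 1.
# type limit: log the first <count> matches per <seconds>, then stay quiet
# until the window expires. Tracked by destination, so a flood aimed at one
# victim host yields one alert line per rule per minute instead of thousands
# per second in /var/log.
threshold gen_id 1, sig_id 0, type limit, track by_dst, count 1, seconds 60

# A single known-noisy rule (sid 2404000 is a placeholder): at most one alert
# per source address every ten minutes.
threshold gen_id 1, sig_id 2404000, type limit, track by_src, count 1, seconds 600

# Do not log that rule at all for a trusted scanner (10.0.0.5 is a placeholder).
suppress gen_id 1, sig_id 2404000, track by_src, ip 10.0.0.5
```

A limit hides every repeat inside its window, so the alert count no longer reflects the size of the flood; use type threshold (alert every N matches) where a tally matters, and restart or reload Suricata after editing the file.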