[Oisf-users] suricata filling disk space

Satish Patel satish.txt at gmail.com
Fri Dec 4 03:50:35 UTC 2015


Epic!! This is what I was looking for... Let me give it a shot.

On Thu, Dec 3, 2015 at 4:23 AM, Javier Nieto <jnietotn at gmail.com> wrote:

> Hi,
>
> I think that setting thresholds could help you in this case scenario... Take
> a look at /etc/suricata/threshold.config
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/rule-thresholding
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
>
> Regards
> --
> Javier Nieto
>
> On Thu, Dec 3, 2015 at 9:35 AM Christophe Vandeplas <
> christophe at vandeplas.com> wrote:
>
>> Patel,
>>
>> It will probably not be a satisfying answer, as it does not prevent your
>> disk from filling up, but I would do the following:
>> - configure logrotate to rotate and compress your logs when a certain
>> file size is reached.  This will allow you to store up to 10 times the
>> volume of logs thanks to the compression.
>> - configure your monitoring tool to alert you when your disk reaches 70
>> or 80% usage. In combination with the logrotate you might even get
>> multiple alerts, as you will probably reach that point multiple times before
>> logrotate kicks in and gives you extra storage again. In any case,
>> monitoring important systems is crucial, so if you're not yet monitoring
>> it, please do!!
>>
>> - worst-case you can configure logrotate to remove old logfiles after X
>> entries. However, I prefer to remove them upon age to prevent losing
>> important info.
>>
>> This way you keep your logs, which might be interesting for further
>> investigation, but you also limit and control further damage.
>>
>> Kind regards
>> Christophe
>>
>>
>> On 3 December 2015 at 05:35, Satish Patel <satish.txt at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I am running suricata-2.0.9, but suddenly yesterday we got a DDoS and I
>>> found that within 10 min Suricata filled 10G of disk space in /var/log: many, many
>>> unified alert files.
>>>
>>> How do I optimize the configuration to not fill the disk and reduce logging if
>>> there is a DDoS?
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Suricata User Conference November 4 & 5 in Barcelona:
>>> http://oisfevents.net
>>>
>>
>
>
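The thread points at Suricata's threshold.config as the way to cut alert volume during a flood, but does not show what the three threshold types actually do to a burst of alerts. The following is an added example, not code from the thread or from the Suricata project: it parses `threshold` lines in the threshold.config syntax (global thresholds, `sig_id 0` as the catch-all) and replays a constructed flood through a simplified model of the `limit`, `threshold` and `both` semantics described in the linked wiki pages. The signature id 1000001, the addresses and the config lines are all made up for the example; Suricata's real engine has more state (per-rule vs. global precedence, `suppress`, `rate_filter`) than this simulation models.

```python
"""Added example: simulate Suricata-style global thresholds over an alert flood.

Illustrative code, not Suricata's implementation. Threshold semantics follow
the wiki pages linked in the thread: `limit` logs the first `count` events
per window, `threshold` logs every `count`-th event, `both` logs once per
window at the count-th event. Windows are tracked per source or destination.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Threshold:
    kind: str      # "limit", "threshold" or "both"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int


@dataclass
class _Window:
    start: float   # timestamp of the first event in this window
    seen: int = 0  # events counted in this window so far


def parse_threshold_config(text: str) -> dict[int, Threshold]:
    """Parse `threshold gen_id N, sig_id N, type T, track K, count N, seconds N`
    lines; comments, blank lines, suppress and rate_filter lines are skipped
    (only the three threshold types are modelled here)."""
    rules: dict[int, Threshold] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("threshold "):
            continue
        fields = {}
        for part in line[len("threshold "):].split(","):
            key, value = part.split()
            fields[key] = value
        rules[int(fields["sig_id"])] = Threshold(
            kind=fields["type"], track=fields["track"],
            count=int(fields["count"]), seconds=int(fields["seconds"]),
        )
    return rules


class Thresholder:
    """Decide per alert whether it would be written under the given rules."""

    def __init__(self, rules: dict[int, Threshold]):
        self.rules = rules
        self.windows: dict[tuple[int, str], _Window] = {}

    def should_log(self, sig_id: int, src: str, dst: str, ts: float) -> bool:
        rule = self.rules.get(sig_id, self.rules.get(0))  # sig_id 0 = catch-all
        if rule is None:
            return True                      # no threshold: log everything
        key = (sig_id, src if rule.track == "by_src" else dst)
        win = self.windows.get(key)
        if win is None or ts - win.start >= rule.seconds:
            win = _Window(start=ts)          # first event opens a new window
            self.windows[key] = win
        win.seen += 1
        if rule.kind == "limit":             # first `count` events, then silence
            return win.seen <= rule.count
        if rule.kind == "threshold":         # every `count`-th event
            return win.seen % rule.count == 0
        if rule.kind == "both":              # once per window, at the count-th event
            return win.seen == rule.count
        raise ValueError(f"unknown threshold type {rule.kind!r}")


def apply_thresholds(alerts: list[dict], config_text: str) -> list[dict]:
    """Return the subset of alerts that survive the thresholds in config_text."""
    th = Thresholder(parse_threshold_config(config_text))
    return [a for a in alerts
            if th.should_log(a["sig_id"], a["src"], a["dst"], a["ts"])]


def make_flood(sources: int, per_source: int, seconds: float = 10.0) -> list[dict]:
    """Constructed sample input: `sources` hosts each trip one signature
    `per_source` times, spread evenly over `seconds`. sig_id 1000001 and the
    addresses are placeholders, not real rules or hosts."""
    step = seconds / per_source
    alerts = [{"ts": i * step, "sig_id": 1000001,
               "src": f"10.0.0.{s + 1}", "dst": "192.0.2.10"}
              for i in range(per_source) for s in range(sources)]
    alerts.sort(key=lambda a: a["ts"])
    return alerts


# Constructed threshold.config entries: a catch-all that writes at most one
# alert per signature per source per minute, and a variant that writes one
# alert per 100 matches instead.
LIMIT_CONFIG = "threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60\n"
THRESHOLD_CONFIG = "threshold gen_id 1, sig_id 0, type threshold, track by_src, count 100, seconds 60\n"


if __name__ == "__main__":
    flood = make_flood(sources=3, per_source=1000)
    print(len(flood), "raw alerts")
    print(len(apply_thresholds(flood, LIMIT_CONFIG)), "after 'limit'")
    print(len(apply_thresholds(flood, THRESHOLD_CONFIG)), "after 'threshold'")
```

With three sources each firing the same signature 1000 times in ten seconds, the unthresholded run writes 3000 alerts, the `limit` entry writes 3 and the `threshold` entry writes 30; that is the order of reduction the "many, many unified alert files" in the original post would see. In a real deployment the entries go in the file named by `threshold-file` in suricata.yaml, and the logrotate side of Christophe's advice maps onto its `size`, `compress` and `rotate`/`maxage` directives, which cap how much survives on disk but do not change how fast Suricata writes it.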