Re: Ext3 File System "Too many files" with snort

From: jmerkey
Date: Fri Jul 09 2004 - 11:37:07 EST



> Do you create a subdirectory for every user?

Yes. Snort creates a subdirectory for each IP address identified as generating an attack
or alert. This number can get very large, BTW.

> If yes, then there
> is a limit of 32000 subdirectories in a single directory for Linux.
> It is possible to bump this up to 65000 or so (include/linux/ext3_fs.h
> EXT3_LINK_MAX), but not more, because of i_nlink size limits.

I may alter the on disk structures to increase this to something larger, say 16,000,000,
which would break ext3 on other systems. I will look at the code for this to see if this is
even possible without the FS meta data growing so huge, it renders performance poor.
These types of limits should probably be done away with with an architectural change, BTW.
Food for thought for the future.

> If you have
> so many entries in a single directory I'd also suggest the htree patches
> to ext3 (I can send you patches if you want) to improve performance,
> but they are not strictly required.

I'd like to review the patches, at least they may help the current situation in the interim.

>
> If you are actually running out of inodes, then you can use "-i" or "-N"
> to mke2fs to increase the number of inodes in a new filesystem. Since
> this defaults to 1 inode per 8kB of space, it seems unlikely that you
> would run out of inodes before blocks unless you have lots of small files
> (maildir perhaps? even then "modern" emails usually average > 8kB in size
> because of HTML crap, lots of headers, attachments, etc).

I think we are running into the directory entry limitation. I have enough inodes for this
application (at least it appears so).

Thanks for the help. Sorry it took me a day to respond back. I was in West Germany
(Heinsberg) for the past month with my new German wife (she's from Stolzberg), and I
am still re-adjusting my sleep cycle back to Utah time. Wanted to visit Nurnberg and
see Suse's building -- maybe next visit.

Thanks for the help.

:-)

Jeff


>
> Cheers, Andreas
> --
> Andreas Dilger
> http://sourceforge.net/projects/ext2resize/
> http://members.shaw.ca/adilger/ http://members.shaw.ca/golinux/
>


> On Jul 08, 2004 17:51 +0000, jmerkey@xxxxxxxxxxx wrote:
> > On a Linux 2.4.21 system running snort with a very large organization
> > (30,000 +) workstations I am seeing a "too many files" message from ext3
> > which results in snort dying and rolling out of memory. Is there a way
> > to specify a larger number of inode entries dynamically when creating
> > an Ext3 file system which gets around this limitation? In theory, a file
> > system should not create a limitation on how many files it can contain,
> > but I understand that inode based FS's have this limitation.
>
> Do you create a subdirectory for every user? If yes, then there
> is a limit of 32000 subdirectories in a single directory for Linux.
> It is possible to bump this up to 65000 or so (include/linux/ext3_fs.h
> EXT3_LINK_MAX), but not more, because of i_nlink size limits. If you have
> so many entries in a single directory I'd also suggest the htree patches
> to ext3 (I can send you patches if you want) to improve performance,
> but they are not strictly required.
>
> If you are actually running out of inodes, then you can use "-i" or "-N"
> to mke2fs to increase the number of inodes in a new filesystem. Since
> this defaults to 1 inode per 8kB of space, it seems unlikely that you
> would run out of inodes before blocks unless you have lots of small files
> (maildir perhaps? even then "modern" emails usually average > 8kB in size
> because of HTML crap, lots of headers, attachments, etc).
>
> Cheers, Andreas
> --
> Andreas Dilger
> http://sourceforge.net/projects/ext2resize/
> http://members.shaw.ca/adilger/ http://members.shaw.ca/golinux/
>
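
The thread distinguishes two limits, the per-directory subdirectory cap and inode exhaustion. The following is an added example, not code from the thread or from Snort: it reports which limit a log directory is near and shows a sharded per-IP layout that stays under the cap. The function names, the `base/a/b/c/a.b.c.d` layout and the sample addresses are assumptions made for illustration; the 32000 figure is the one quoted above.

```python
import ipaddress
import os
import tempfile

EXT3_SUBDIR_LIMIT = 32000  # per-directory figure quoted in the thread


def directory_pressure(path, limit=EXT3_SUBDIR_LIMIT, warn_at=0.8):
    """Say which of the two limits from the thread a log directory is near."""
    subdirs = sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))
    vfs = os.statvfs(path)
    # f_files is 0 on filesystems that do not report a fixed inode total.
    used = 1 - vfs.f_ffree / vfs.f_files if vfs.f_files else None
    return {
        "subdirs": subdirs,
        "near_subdir_limit": subdirs >= warn_at * limit,
        "inode_used_fraction": used,
        "near_inode_limit": used is not None and used >= warn_at,
    }


def sharded_log_dir(base, ip):
    """Map an IPv4 address to base/a/b/c/a.b.c.d (at most 256 entries per level)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything but a plain IPv4 address
    a, b, c, _ = str(addr).split(".")
    return os.path.join(base, a, b, c, str(addr))


def demo(count=600, limit=500):
    """Build both layouts from constructed addresses; limit is lowered to keep the demo small."""
    ips = [f"10.1.{i // 250}.{i % 250 + 1}" for i in range(count)]  # constructed sample
    with tempfile.TemporaryDirectory() as root:
        flat, tree = os.path.join(root, "flat"), os.path.join(root, "tree")
        os.mkdir(flat)
        for ip in ips:
            os.mkdir(os.path.join(flat, ip))        # one directory per address, all siblings
            os.makedirs(sharded_log_dir(tree, ip))  # same addresses, split by octet
        widest = max(len(dirs) for _, dirs, _ in os.walk(tree))
        return directory_pressure(flat, limit), widest


if __name__ == "__main__":
    flat_report, widest_sharded = demo()
    print("flat layout:", flat_report)
    print("widest sharded directory:", widest_sharded)
```
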
