Issue 582: NSM: only run "broctl cron" if Bro is enabled
This should avoid the situation described here:
Issue 581: NSM: avoid filling disk if CRIT_DISK_USAGE exceeded in one day
We still have occasional reports of disks filling up with pcaps. I've addressed this in 3 ways:
1. sensor-clean used to run every 5 minutes, but has been changed to run *every* minute.
2. sensor-clean no longer ignores pcaps from the current day. If all previous days have been removed, then it will go into the current day's directory and remove pcaps one at a time until EITHER disk is no longer critical OR there are no pcaps remaining.
3. If sensor-clean determines that there are no pcaps remaining to purge but disk is still critical, then it will stop netsniff-ng.
This new package has been tested by David Zawdie (thanks!).
The new package is now available in our stable repo. Please see the following page for full update instructions:
If you have any questions or problems, please use our security-onion mailing list:
$400 off the new 3-day Security Onion class in Richmond VA!
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list:
We also need help testing new packages: