Snort mailing list archives

big flood of broadcast packages crashed snort


From: Ulrich Hochholdinger <hochhold () fzi de>
Date: Wed, 11 Sep 2002 15:59:29 +0200

Hi,
Last night I had the problem that a really heavy network broadcast
crashed snort (running out of memory and disk space).
The packages were nearly the same,
(example:)
------
04:20:34.068012 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 60:12.252.160.142.1412 >
 141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1839, len 40)
------
Only the content and the length of the packages were different.
Since there had been about 1700 packages/second and snort started to log
all these packages, it crashed the whole machine after about one hour of
attack.

So my question is: is there a possibility to log only the first 1000
packages and then, for example, only count the packages of this type, so I
can see when this attack stopped?

Btw. Snort is running on a Debian-testing system; the snort (deb) version is
1.8.7-4.

Gruss
        Ulli
-- 
\ Ulli Hochholdinger                               E-Mail: hochhold () fzi de \
/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /
\ Sometimes I think the surest sign that intelligent life exists elsewhere \
/ in the universe is that none of it has tried to contact us. (Calvin)     /
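The behaviour asked for above, logging only the first N packets of a repeating pattern and merely counting the rest, can be sketched outside Snort as a post-processor over tcpdump-style text. The following is an added example and not code from the post or from the Snort project: it keys packets on source address, destination address, destination port and TCP flags (a constructed choice of key; Snort itself has no such option in this form), keeps at most `log_limit` lines per key, and records first/last timestamps and a total count so the end of the flood is still visible. The sample lines are constructed in the tcpdump output format of the quoted packet and are not captured data.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the packet quoted in the post (not real captures).
# The first five are the flood pattern with varying length/id; the last is unrelated traffic.
SAMPLE_LINES = [
    "04:20:34.068012 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 60: 12.252.160.142.1412 > 141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1839, len 40)",
    "04:20:34.068600 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 64: 12.252.160.142.1412 > 141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1840, len 44)",
    "04:20:34.069201 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 62: 12.252.160.142.1412 > 141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1841, len 42)",
    "04:20:34.069800 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 60: 12.252.160.142.1412 > 141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1842, len 40)",
    "04:20:34.070400 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 66: 12.252.160.142.1412 > 141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1843, len 46)",
    "04:20:35.000001 0:2:b3:61:68:36 0:a:b:c:d:e 0800 74: 141.21.4.7.22 > 141.21.4.9.55123: P [tcp sum ok] 1:21(20) ack 1 win 8760 (DF) (ttl 64, id 2, len 60)",
]

# Matches "<ts> ... <src>.<sport> > <dst>.<dport>: <flags> ..." in the old tcpdump text format.
# The lazy ".*?" skips the MAC addresses, ethertype and frame length, with or without a
# space after the "60:" length field (the quoted line had the space lost to wrapping).
PKT_RE = re.compile(
    r"^(?P<ts>\S+) .*?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)


class RateLimitedLogger:
    """Keep full log lines for the first `log_limit` packets of each pattern,
    then only count further packets of that pattern."""

    def __init__(self, log_limit=1000):
        self.log_limit = log_limit
        self.logged = defaultdict(list)   # key -> lines actually kept
        self.counts = defaultdict(int)    # key -> total packets seen
        self.first_seen = {}              # key -> timestamp of first packet
        self.last_seen = {}               # key -> timestamp of most recent packet

    @staticmethod
    def key_of(m):
        # Source, destination, destination port and flags identify the pattern;
        # the payload and length, which varied in the flood, are deliberately ignored.
        return (m["src"], m["dst"], m["dport"], m["flags"])

    def feed(self, line):
        """Return 'logged', 'counted' or None (unparsable line)."""
        m = PKT_RE.match(line)
        if not m:
            return None
        key = self.key_of(m)
        self.counts[key] += 1
        self.first_seen.setdefault(key, m["ts"])
        self.last_seen[key] = m["ts"]
        if len(self.logged[key]) < self.log_limit:
            self.logged[key].append(line)
            return "logged"
        return "counted"

    def summary(self):
        """Per-pattern totals; 'suppressed' is how many lines were counted but not stored."""
        return {
            key: {
                "total": self.counts[key],
                "logged": len(self.logged[key]),
                "suppressed": self.counts[key] - len(self.logged[key]),
                "first": self.first_seen[key],
                "last": self.last_seen[key],
            }
            for key in self.counts
        }


def process(lines, log_limit=1000):
    """Feed every line through a RateLimitedLogger and return it."""
    logger = RateLimitedLogger(log_limit)
    for line in lines:
        logger.feed(line)
    return logger


if __name__ == "__main__":
    # Limit of 2 per pattern on the constructed sample: the flood is stored twice and
    # counted three more times; the unrelated packet is stored once.
    for key, info in process(SAMPLE_LINES, log_limit=2).summary().items():
        print(key, info)
```

In practice the summary would be flushed on a timer or at exit so that the "last" timestamp shows when the flood stopped; the point of the key choice is that disk usage is bounded per pattern even when packet lengths and payloads vary.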



