[Snort-users] silly ICMP question

Geoff the UNIX guy galitz at ...247...
Fri Aug 4 04:45:44 EDT 2000


So there was some discussion some time back about having
snort report multiple ICMP and related type alerts once
rather than the alert being generated by each packet.  Did
anything come of that?

The reason I ask (other than wanting to see that feature
myself) is that it occurred to me that the portscan preprocessor
plugin thingy already has that functionality.  That plugin already
tracks certain types of traffic coming from a single host to many hosts
and reports the duration and rate of the scan.  How reusable is
that code (for ICMP DDoS alerts)?

Or perhaps this was all resolved while I was away... comments?

-geoff


---------------------------------------------------
Geoff Galitz, galitz at ...247...
Research Computing
College of Chemistry, UC Berkeley
---------------------------------------------------
     The laws of physics can be a harsh mistress...
        - Bender
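As an added illustration (this is not part of the original post and not Snort's own code), here is a small Python aggregator that does for ICMP what the post describes the portscan preprocessor doing: it tracks each source host's packets, and once a per-source threshold is crossed it emits a single summary with target count, duration and rate instead of one alert per packet. The `(timestamp, src, dst, icmp_type)` event shape, the threshold of 5 packets, the 10-second tracking window and the sample traffic are all assumptions constructed for this example.

```python
"""Collapse per-packet ICMP events into one summary alert per source host.

Added example, not Snort code.  Hypothetical event format:
(timestamp_seconds, src_ip, dst_ip, icmp_type), delivered in time order.
"""
from collections import defaultdict

THRESHOLD = 5    # assumed: packets from one source before we summarize
WINDOW = 10.0    # assumed: seconds a per-source tracker stays open


def summarize_icmp(events, threshold=THRESHOLD, window=WINDOW):
    """Return (summaries, singles).

    summaries: one dict per (source, window) whose packet count reached
               `threshold`, carrying packet count, distinct targets,
               duration and packets/second, plus a per-ICMP-type breakdown.
    singles:   number of events that would still fire a per-packet alert
               because their source never reached the threshold in that window.
    """
    state = {}
    summaries = []
    singles = 0

    def close(src, t):
        # Emit one summary if the tracker crossed the threshold, otherwise
        # report how many per-packet alerts it would have produced.
        if t["count"] < threshold:
            return t["count"]
        duration = t["last"] - t["first"]
        summaries.append({
            "src": src,
            "packets": t["count"],
            "targets": len(t["dsts"]),
            "duration": duration,
            # A single-packet or same-instant burst has no measurable duration.
            "rate": t["count"] / duration if duration > 0 else float(t["count"]),
            "types": dict(t["types"]),
        })
        return 0

    for ts, src, dst, itype in events:
        t = state.get(src)
        if t is not None and ts - t["first"] > window:
            # Window expired: close the old tracker and start a fresh one.
            singles += close(src, t)
            t = None
        if t is None:
            t = {"first": ts, "last": ts, "count": 0,
                 "dsts": set(), "types": defaultdict(int)}
            state[src] = t
        t["last"] = ts
        t["count"] += 1
        t["dsts"].add(dst)
        t["types"][itype] += 1

    # Flush whatever is still open at end of input.
    for src, t in state.items():
        singles += close(src, t)
    return summaries, singles


def sample_events():
    """Constructed traffic: a ping sweep, two ordinary pings, a reply flood,
    and one late packet from the sweeper after its window has expired."""
    ev = []
    # 10.0.0.5 echo-requests 8 distinct hosts in 1.75 s (sweep)
    ev += [(i * 0.25, "10.0.0.5", f"10.0.1.{i + 1}", 8) for i in range(8)]
    # 10.0.0.9 sends two normal echo requests
    ev += [(0.5, "10.0.0.9", "10.0.1.1", 8), (3.0, "10.0.0.9", "10.0.1.1", 8)]
    # 192.168.1.1 sends 6 echo replies to one host in 0.5 s (flood)
    ev += [(5.0 + i * 0.1, "192.168.1.1", "10.0.0.5", 0) for i in range(6)]
    # a lone packet from 10.0.0.5 well after its window closed
    ev.append((15.0, "10.0.0.5", "10.0.1.9", 8))
    return sorted(ev)


if __name__ == "__main__":
    found, leftover = summarize_icmp(sample_events())
    for s in found:
        print(f"{s['src']}: {s['packets']} pkts to {s['targets']} host(s) "
              f"over {s['duration']:.2f}s ({s['rate']:.1f} pkt/s) types={s['types']}")
    print(f"{leftover} event(s) would still alert individually")
```

Running it yields two summaries (the sweep and the reply flood) and three leftover events: the two normal pings and the late packet that opened a fresh, below-threshold tracker. A real preprocessor would also need to bound the number of trackers it keeps, since an attacker who spoofs many sources could otherwise exhaust memory in the aggregator itself.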