[Snort-users] large numbers of ICMP messages and log analysis
twhipp at ...63...
Mon Aug 21 06:46:19 EDT 2000
over the weekend I managed to crash my snort host during automated log
processing (using snort-snarf). It turns out that somebody had been sending
a steady stream of ICMP echos to my primary nameserver (logs indicate around
350,000) over a 24 hour period.
When snort-snarf came to run there was over 200MB or data to process, which
exhausted the physical and virtual memory of the host. I suspect that
snort-snarf uses a seriously non-linear amount of memory (I haven't checked
yet but the correlations in the output would seem to suggest this) which
doesn't matter for most routine logs but that's another story.
In the meantime all I can think of to do is to ignore all ICMP traffic -
which doesn't make me very happy.
Would it make sense for snort to adopt a syslog approach to log entries (and
print messages such as previous packet repeated 10,000 times?) for instances
such as this it could save quite a lot of hassle (and provided that the
payloads where compared no data would be lost). I haven't looked at the
architecture yet but could this be done by a pre-processor (I suspect not as
it would need to know the last alert generated) - could this effectively be
an addition to the logging modules (perhaps one that supports loading of
another logging module).
Or am I just being wussy? should I accept that sometimes I will get a
mountain of alerts and have to modify my rule base to trim the verbosity
back in future? I don't know I'm new to this...
I know that I shouldn't be running the log analysis on the IDS host but I
don't have anywhere else to put it right now.
More information about the Snort-users