[Snort-users] large numbers of ICMP messages and log analysis
dr at ...50...
Mon Aug 21 13:07:19 EDT 2000
On Mon, 21 Aug 2000, Fyodor wrote:
> You probably need some flushing mechanism here too, if no messages showed
> up within certain period of time, you generate `previous ..' message and
> flush stuff. Probably need to hook SIGALRM signal and get the signal
> handler to do that.
One alternative to this is to put a flag when a duplicate message is waiting
to be output, and if the flag is set, check timestamps on the message
pending in the main packet loop. Packets seem to come by with enough
frequency that latency shouldn't be an issue.
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc
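The flag-and-timestamp scheme described above, as an added example that is not code from the post or from Snort itself. It keeps syslog-style "previous message repeated N times" semantics: the first copy of an alert is written immediately, identical follow-ups only bump a counter, and the main packet loop polls the pending message's timestamp on every packet instead of relying on a SIGALRM handler. The five-second window, the output wording and the sample ICMP alert lines are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MSG_MAX 256
/* Assumed flush window: a pending duplicate is reported after this much
   silence. An example choice, not a value taken from Snort. */
#define FLUSH_WINDOW_SEC 5

/* Deduplicator state: one pending message and its repeat count. */
typedef struct {
    int    pending;            /* flag: a message is waiting for a possible "repeated" line */
    char   text[MSG_MAX];      /* text of the pending message */
    int    repeats;            /* duplicates seen after the first copy */
    time_t last_seen;          /* timestamp of the most recent copy */
    int    emitted_lines;      /* lines actually written (for inspection) */
    char   last_out[MSG_MAX];  /* last line written (for inspection) */
} dedup_t;

static void dedup_init(dedup_t *d) { memset(d, 0, sizeof *d); }

static void emit(dedup_t *d, const char *line) {
    d->emitted_lines++;
    snprintf(d->last_out, sizeof d->last_out, "%s", line);
    puts(line);
}

/* Write the "repeated N times" line if there were duplicates, then clear the flag. */
static void dedup_flush(dedup_t *d) {
    char buf[64];
    if (!d->pending) return;
    if (d->repeats > 0) {
        snprintf(buf, sizeof buf, "previous message repeated %d times", d->repeats);
        emit(d, buf);
    }
    d->pending = 0;
    d->repeats = 0;
}

/* Log one message with its timestamp. The first copy goes out at once;
   identical follow-ups are only counted while the flag is set. */
void dedup_log(dedup_t *d, const char *msg, time_t now) {
    if (d->pending && strcmp(d->text, msg) == 0) {
        d->repeats++;
        d->last_seen = now;
        return;
    }
    dedup_flush(d);                 /* a different message ends the previous run */
    emit(d, msg);
    snprintf(d->text, sizeof d->text, "%s", msg);
    d->pending = 1;
    d->repeats = 0;
    d->last_seen = now;
}

/* Called from the main packet loop for every packet, in place of a SIGALRM
   handler: if a duplicate is pending and the window has passed, flush it. */
void dedup_poll(dedup_t *d, time_t now) {
    if (d->pending && now - d->last_seen >= FLUSH_WINDOW_SEC)
        dedup_flush(d);
}

/* Constructed scenario: n identical alerts one second apart, then one poll
   `gap` seconds after the last alert. Returns the number of lines written. */
int burst_lines(int n, int gap) {
    dedup_t d;
    int i;
    dedup_init(&d);
    for (i = 0; i < n; i++)
        dedup_log(&d, "ICMP echo request 10.0.0.1 -> 10.0.0.2", 100 + i);
    dedup_poll(&d, 100 + (n - 1) + gap);
    return d.emitted_lines;
}

static char g_last[MSG_MAX];

/* Constructed scenario: a burst, silence past the window, a fresh copy, then a
   different alert. Returns lines written; the last line is kept in g_last. */
int mixed_scenario(void) {
    dedup_t d;
    dedup_init(&d);
    dedup_log(&d, "ICMP echo request 10.0.0.1 -> 10.0.0.2", 100);
    dedup_log(&d, "ICMP echo request 10.0.0.1 -> 10.0.0.2", 101);
    dedup_log(&d, "ICMP echo request 10.0.0.1 -> 10.0.0.2", 102);
    dedup_poll(&d, 103);            /* inside the window: nothing happens */
    dedup_poll(&d, 108);            /* window expired: "repeated 2 times" is written */
    dedup_log(&d, "ICMP echo request 10.0.0.1 -> 10.0.0.2", 109);
    dedup_log(&d, "ICMP echo request 10.0.0.9 -> 10.0.0.2", 110);
    snprintf(g_last, sizeof g_last, "%s", d.last_out);
    return d.emitted_lines;
}

const char *mixed_last_line(void) { return g_last; }

int main(void) {
    printf("lines written: %d\n", mixed_scenario());
    return 0;
}
```

The latency trade-off the post mentions is visible here: the "repeated" line only appears when the next packet arrives after the window, so a run of duplicates followed by total silence stays pending until traffic resumes. A shutdown path should therefore call the flush once more before exit so the final count is not lost.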