[Snort-users] large numbers of ICMP messages and log analysis

Dragos Ruiu dr at ...50...
Mon Aug 21 13:07:19 EDT 2000


On Mon, 21 Aug 2000, Fyodor wrote:
> 
> You probably need some flushing mechanism here too, if no messages showed
> up within certain period of time, you generate `previous ..' message and
> flush stuff. Probably need to hook SIGALRM signal and get the signal
> handler to do that.
> 

One alternative to this is to put a flag when a duplicate message is waiting
to be output, and if the flag is set, check timestamps on the message
pending in the main packet loop.  Packets seem to come by with enough 
frequency that latency shouldn't be an issue.

-- 
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D 
pgp key: http://www.dursec.com/drkey.asc
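As an added illustration of the flag-and-timestamp approach described above (example code, not Snort's own logger): duplicates are held with a flag set, and the packet loop calls `dedup_poll()` each iteration so a stale duplicate is reported without a SIGALRM handler. The `dedup_*` names and the 5-second threshold are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MSG_MAX     128
#define FLUSH_AFTER 5   /* seconds a pending "repeated" line may wait (assumed) */

/* Suppressor state (hypothetical, not Snort's own structures). */
typedef struct {
    char   last[MSG_MAX]; /* last message written to the log */
    int    repeats;       /* duplicates of 'last' not yet reported */
    int    pending;       /* flag: a "previous message repeated" line is owed */
    time_t first_dup;     /* arrival time of the first unreported duplicate */
} dedup_t;

/* Write the owed "repeated" line and clear the flag. Returns 1 if written. */
static int dedup_flush(dedup_t *d, FILE *out) {
    if (!d->pending) return 0;
    fprintf(out, "previous message repeated %d times\n", d->repeats);
    d->repeats = 0;
    d->pending = 0;
    return 1;
}

/* Offer one message to the log. Returns 1 if written, 0 if held as a duplicate. */
int dedup_log(dedup_t *d, const char *msg, time_t now, FILE *out) {
    if (d->last[0] != '\0' && strcmp(msg, d->last) == 0) {
        if (!d->pending) d->first_dup = now; /* start the waiting period */
        d->repeats++;
        d->pending = 1;
        return 0;
    }
    dedup_flush(d, out);          /* a different message: report what was held */
    strncpy(d->last, msg, MSG_MAX - 1);
    d->last[MSG_MAX - 1] = '\0';
    fprintf(out, "%s\n", msg);
    return 1;
}

/* Called once per iteration of the packet loop with the current time: if the
   flag is set and the held duplicate is older than FLUSH_AFTER, report it now.
   This replaces a SIGALRM handler; packets arrive often enough to drive it. */
int dedup_poll(dedup_t *d, time_t now, FILE *out) {
    if (d->pending && now - d->first_dup >= FLUSH_AFTER)
        return dedup_flush(d, out);
    return 0;
}
```

In the packet loop, call `dedup_poll(&state, time(NULL), logfile)` once per packet and `dedup_log()` for each alert; a burst of identical ICMP alerts then produces one line plus a single "repeated N times" line.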