[Snort-users] Am I missing something ?

Neil Dickey neil at ...1633...
Thu Apr 5 10:56:04 EDT 2001


François Desarmenien <francois at ...1754...> wrote:

>The last test we tried was a "simple" ping flood,
>which filled the alert and packet log at such an incredible
>rate (+- 10Mbytes/15 s not including packet dumps) that
>it makes ping floods on snort the easiest way to DOS it !

I did something with similar effect using the "response"
capability of Snort.  There was a domain which had been
scanning us, and complaints to the ISP seemed to have
increased the scanning rather than causing it to be stopped.
I therefore decided to try a response (rst_all) as a means
of locking them out, and the result was a packet storm that
caused Snort to stuff the filesystem I was using for my alert
files.  The rate was something like François describes, and
it would not have taken more than 3 or 4 minutes to fill the
150 meg filesystem I was then using.

So, use the "response" capability with some care.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
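Added example, not part of this thread: a small Python checker that parses Snort's "fast" alert log format (the format, the sample lines and the rule ids 384/1418 are assumptions, not taken from the post) and reports, per source, the peak alerts per one-second window and how quickly the log would eat a given amount of free space, which is the symptom both posters describe.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for a Snort "fast" alert line (assumed format; see the lead-in).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_fast_alert(line):
    """Return the fields of one fast-alert line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")  # year is irrelevant here
    d["nbytes"] = len(line.encode()) + 1  # bytes this line costs on disk, newline included
    return d

def flood_report(text, window_s=1.0, free_bytes=150 * 1024 * 1024):
    """Per-source peak alerts per window, log growth rate, and seconds until free_bytes is gone."""
    alerts = [a for a in map(parse_fast_alert, text.splitlines()) if a]
    if not alerts:
        return {"per_src_max": {}, "bytes_per_s": 0.0, "secs_to_fill": None}
    t0 = alerts[0]["ts"]
    counts = Counter()
    for a in alerts:  # bucket alerts by (source address, window index)
        counts[(a["src"], int((a["ts"] - t0).total_seconds() // window_s))] += 1
    per_src_max = {}
    for (src, _), n in counts.items():
        per_src_max[src] = max(per_src_max.get(src, 0), n)
    span = max((alerts[-1]["ts"] - t0).total_seconds(), window_s)
    bytes_per_s = sum(a["nbytes"] for a in alerts) / span
    return {"per_src_max": per_src_max, "bytes_per_s": bytes_per_s,
            "secs_to_fill": free_bytes / bytes_per_s}

def constructed_sample():
    """Constructed alert lines: a 20-packet ICMP burst from one host plus one unrelated alert."""
    lines = [
        f"04/05-10:56:{4 + i // 10:02d}.{(i % 10) * 100000:06d}  [**] [1:384:5] ICMP PING [**] "
        f"[Classification: Misc activity] [Priority: 3] {{ICMP}} 10.1.1.5 -> 192.168.0.10"
        for i in range(20)
    ]
    lines.append("04/05-10:56:06.500000  [**] [1:1418:3] SNMP request tcp [**] "
                 "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
                 "10.9.9.9:4123 -> 192.168.0.10:161")
    return "\n".join(lines)

if __name__ == "__main__":
    r = flood_report(constructed_sample())
    print(r["per_src_max"], f"{r['bytes_per_s']:.0f} B/s", f"{r['secs_to_fill']:.0f} s to fill 150 MiB")
```

Run it against a real alert file with `flood_report(open(path).read())`; a single source dominating the per-window peak while the time-to-fill drops into minutes is the condition to alarm on before the sensor's filesystem fills.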