[Snort-users] Am I missing something ?
neil at ...1633...
Thu Apr 5 10:56:04 EDT 2001
François Desarmenien <francois at ...1754...> wrote:
>The last test we tried was a "simple" ping flood,
>which filled the alert and packet log at such an incredible
>rate (+- 10 Mbytes/15 s, not including packet dumps) that
>it makes ping floods on Snort the easiest way to DoS it!
I did something with similar effect using the "response"
capability of Snort. There was a domain which had been
scanning us, and complaints to the ISP seemed to have
increased the scanning rather than causing it to be stopped.
I therefore decided to try a response (rst_all) as a means
of locking them out, and the result was a packet storm that
caused Snort to stuff the filesystem I was using for my alert
files. The rate was something like François describes, and
it would not have taken more than 3 or 4 minutes to fill the
150 meg filesystem I was then using.
So, use the "response" capability with some care.
Neil Dickey, Ph.D.
Northern Illinois University
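For readers who have not used the flexible-response feature Neil is talking about, here is the shape of the rule involved, as an added example that is not from the original post or the Snort project. It assumes Snort 1.x rule syntax with flexible response compiled in (--enable-flexresp) and $HOME_NET defined in snort.conf; the 192.0.2.0/24 scanner network is a placeholder.

```snort
# Added example, not from the original thread. Assumes Snort 1.x with
# flexresp compiled in and $HOME_NET set in snort.conf; 192.0.2.0/24 is a
# placeholder for the network that was scanning.

# The kind of rule Neil describes: every matching SYN from the scanner makes
# Snort send RSTs to both ends (rst_all) and also write an alert and a packet
# log entry. Against a host that keeps scanning this is one response plus one
# set of disk writes per probe, with no upper bound on either.
alert tcp 192.0.2.0/24 any -> $HOME_NET any (flags:S; resp:rst_all; msg:"SYN from scanning net - active response";)

# The same match with the response option removed: Snort only records the
# probes. If the scanner is already being dropped at the border, recording is
# usually all the sensor should be doing.
alert tcp 192.0.2.0/24 any -> $HOME_NET any (flags:S; msg:"SYN from scanning net";)
```

Whichever rule is used, the disk cost per alert can be bounded from the command line: `-A fast` writes one line per alert instead of the full decoded packet, and `-N` turns off packet logging altogether while alerts are still written. Keeping the log directory (`-l`) on its own filesystem, as Neil did, means that when the storm does fill it, only Snort's logging stops rather than the whole host.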