[Snort-users] Am I missing something ?

Martin Roesch roesch at ...421...
Fri Apr 6 23:55:41 EDT 2001


Hey, we provide the capability, we don't recommend that you actually use
it.... :)

    -Marty

Neil Dickey wrote:
> 
> François Desarmenien <francois at ...1754...> wrote:
> 
> >The last test we tried was a "simple" ping flood,
> >which filled the alert and packet log at such an incredible
> >rate (+- 10Mbytes/15 s not including packet dumps) that
> >it makes ping floods on snort the easiest way to DOS it!
> 
> I did something with similar effect using the "response"
> capability of Snort.  There was a domain which had been
> scanning us, and complaints to the ISP seemed to have
> increased the scanning rather than causing it to be stopped.
> I therefore decided to try a response ( rst_all ) as a means
> of locking them out, and the result was a packet storm that
> caused Snort to stuff the filesystem I was using for my alert
> files.  The rate was something like Francois describes, and
> it would not have taken more than 3 or 4 minutes to fill the
> 150 meg filesystem I was then using.
> 
> So, use the "response" capability with some care.
> 
> Best regards,
> 
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois
> 60115
> 



