[Snort-users] Am I missing something ?
roesch at ...421...
Fri Apr 6 23:55:41 EDT 2001
Hey, we provide the capability, we don't recommend that you actually use

Neil Dickey wrote:
> François Desarmenien <francois at ...1754...> wrote:
> >The last test we tried was a "simple" ping flood,
> >which filled the alert and packet log at such an incredible
> >rate (+- 10Mbytes/15 s not including packet dumps) that
> >it makes ping floods on snort the easiest way to DOS it!
>
> I did something with similar effect using the "response"
> capability of Snort. There was a domain which had been
> scanning us, and complaints to the ISP seemed to have
> increased the scanning rather than causing it to be stopped.
> I therefore decided to try a response ( rst_all ) as a means
> of locking them out, and the result was a packet storm that
> caused Snort to stuff the filesystem I was using for my alert
> files. The rate was something like Francois describes, and
> it would not have taken more than 3 or 4 minutes to fill the
> 150 meg filesystem I was then using.
> So, use the "response" capability with some care.
> Best regards,
> Neil Dickey, Ph.D.
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois