[Snort-users] ICMP Source Quench

Ofir Arkin ofir at ...949...
Wed Aug 28 06:25:26 EDT 2002


The HPUX is only an example of observing this type of message in the
wild.
It is usually very rare to see this kind of message.

Thanks for the additional info.

Cheers,
Ofir Arkin [ofir at ...949...]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

-----Original Message-----
From: Chris Keladis [mailto:Chris.Keladis at ...6400...] 
Sent: 28 August 2002 14:15
To: 'snort-users-request at lists.sourceforge.net'
Cc: Ofir Arkin; 'McCammon, Keith'; 'Wirth, Jeff'; 'Sergei Balyakin'
Subject: Re: [Snort-users] ICMP Source Quench

Ofir Arkin wrote:

> With the next example an HP Open View system, based on HPUX B.11.0
> operating system is probing the 172.18.2.x network in order to discover
> the network topology. Since this operation was done without any rate
> limiting of the sending of packets, at a certain point the HPUX machine
> has reached the point it is no longer able to process some incoming
> packets. Here is one of the ICMP Source Quench error messages it sent:

Just to add some additional information w.r.t. HP/UX.

HP/UX prior to 11.x has a bug (it's documented in itrc somewhere) where 
due to some design issue (I forgot the details off the top of my head) 
caused it to generate quite a number of ICMP Source Quenches.

I remember Snort going nuts reporting Source Quenches, before I got our 
guys to install the patches, and I've hardly seen one since.

There are patches for all supported versions of HP/UX, and I believe 
this is fixed in HP/UX 11.x (I vaguely remember it had something to do
with the streams driver).

Email me privately and I can dig up specifics if required.




Cheers,

Chris.
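
Added example (not part of either poster's message): a small Python parser for the ICMP Source Quench messages discussed in this thread (RFC 792, type 4, code 0). It pulls out the quoted header of the dropped datagram and tallies senders, so a burst of alerts can be traced to the host generating them. The addresses other than the 172.18.2.x range, the echo-reply payload, the threshold and all function names are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def parse_source_quench(packet: bytes):
    """Return fields of an ICMP Source Quench (RFC 792: type 4, code 0), else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    if packet[ihl] != 4 or packet[ihl + 1] != 0:
        return None
    info = {"sender": str(IPv4Address(packet[12:16])),    # the host that is dropping
            "receiver": str(IPv4Address(packet[16:20])),  # the host asked to slow down
            "orig_src": None, "orig_dst": None, "orig_proto": None}
    quoted = packet[ihl + 8:]  # IP header + 64 bits of the datagram that was dropped
    if len(quoted) >= 20 and quoted[0] >> 4 == 4:
        info["orig_src"] = str(IPv4Address(quoted[12:16]))
        info["orig_dst"] = str(IPv4Address(quoted[16:20]))
        info["orig_proto"] = quoted[9]
    return info

def noisy_senders(packets, threshold):
    """Map each Source Quench sender seen at least `threshold` times to its count."""
    parsed = (parse_source_quench(p) for p in packets)
    counts = Counter(q["sender"] for q in parsed if q)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def _ipv4(src, dst, proto, payload):
    # Constructed header for the samples; checksum is 0 because nothing verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def sample_quench(sender, receiver):
    # Constructed: `receiver` had sent an ICMP echo reply that `sender` dropped.
    dropped = _ipv4(receiver, sender, 1, struct.pack("!BBHHH", 0, 0, 0, 1, 1))
    return _ipv4(sender, receiver, 1, struct.pack("!BBHI", 4, 0, 0, 0) + dropped)

# Constructed capture: one overloaded prober, one stray quench, one plain echo request.
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
SAMPLES = [sample_quench("172.18.1.10", f"172.18.2.{h}") for h in (5, 6, 7)]
SAMPLES.append(sample_quench("172.18.2.9", "172.18.1.10"))
SAMPLES.append(_ipv4("172.18.1.10", "172.18.2.5", 1, ECHO_REQUEST))

if __name__ == "__main__":
    print(noisy_senders(SAMPLES, threshold=3))
```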