[Snort-users] ICMP Source Quench

Chris Keladis Chris.Keladis at ...6400...
Wed Aug 28 17:23:15 EDT 2002


Ofir Arkin wrote:

> With the next example an HP Open View system, based on HPUX B.11.0 operating system is probing the 
> 172.18.2.x network in order to discover the network topology. Since this operation was done without 
> any rate limiting of the sending of packets, at a certain point the HPUX machine has reached the point 
> it is no longer able to process some incoming packets. Here is one of the ICMP Source Quench error 
> messages it sent:

Just to add some additional information w.r.t HP/UX.

HP/UX prior to 11.x has a bug (it's documented in itrc somewhere) where 
due to some design issue (i forgot the details off the top of my head) 
caused it to generate quite a number of ICMP Source Quench's.

I remember Snort going nuts reporting Source Quench's, before i got our 
guys to install the patches, and i've hardly seen one since.

There are patches for all supported versions of HP/UX, and i beleive 
this is fixed in HP/UX 11.x (i vaguely remember it had something do with 
the streams driver).

Email me privately and i can dig up specifics if required..




Cheers,

Chris.





More information about the Snort-users mailing list