[Snort-users] ICMP Source Quench
JHicks at ...5857...
Wed Sep 4 07:44:03 EDT 2002
FYI ... this is also noted specifically in the book "Intrusion Signatures
From: Chris Keladis [mailto:Chris.Keladis at ...6400...]
Sent: Wednesday, August 28, 2002 9:15 AM
To: 'snort-users-request at lists.sourceforge.net'
Cc: Ofir Arkin; 'McCammon, Keith'; 'Wirth, Jeff'; 'Sergei Balyakin'
Subject: Re: [Snort-users] ICMP Source Quench
Ofir Arkin wrote:
> With the next example an HP Open View system, based on HPUX B.11.0
operating system is probing the
> 172.18.2.x network in order to discover the network topology. Since this
operation was done without
> any rate limiting of the sending of packets, at a certain point the HPUX
machine has reached the point
> it is no longer able to process some incoming packets. Here is one of the
ICMP Source Quench error
> messages it sent:
Just to add some additional information w.r.t HP/UX.
HP/UX prior to 11.x has a bug (it's documented in itrc somewhere) where
due to some design issue (i forgot the details off the top of my head)
caused it to generate quite a number of ICMP Source Quench's.
I remember Snort going nuts reporting Source Quench's, before i got our
guys to install the patches, and i've hardly seen one since.
There are patches for all supported versions of HP/UX, and i beleive
this is fixed in HP/UX 11.x (i vaguely remember it had something do with
the streams driver).
Email me privately and i can dig up specifics if required..
This sf.net email is sponsored by: Jabber - The world's fastest growing
real-time communications platform! Don't just IM. Build it in!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users