[Snort-users] big flood of broadcast packages crashed snort

Ulrich Hochholdinger hochhold at ...6871...
Wed Sep 11 07:00:04 EDT 2002

Last night I had the problem that a really heavy network broadcast
crashed snort (running out of memory and disk space).
The packets were nearly the same:
04:20:34.068012 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 60: > R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1839, len 40)
Only the content and the length of the packets were different.
Since there were about 1700 packets/second and snort started to log
all of them, it crashed the whole machine after about one hour.

So my question is: is there a possibility to log only the first 1000
packets and then, for example, only count the packets of this type, so I
can see when this attack stopped?

Btw., Snort is running on a Debian-testing system; the snort (deb) version is:

\ Ulli Hochholdinger                               E-Mail: hochhold at ...6871... \
/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /
\ Sometimes I think the surest sign that intelligent life exists elsewhere \
/ in the universe is that none of it has tried to contact us. (Calvin)     /
