[Snort-users] big flood of broadcast packages crashed snort
hochhold at ...6871...
Wed Sep 11 07:00:04 EDT 2002
Last night I had the problem, that a really heavy network broadcast
crashed snort (running out of Memory and disk-space)
The Packages were nearly the same,
04:20:34.068012 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 60:22.214.171.124.1412 >
126.96.36.199.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1839, len 40)
Only the content and the length of the packages was different.
Since there had been about 1700 packages/second and snort started to log
all these packages it crashed the whole machine after about one hour
So my question is, is there a possibility to log only the first 1000
packages and then for example only count the packages of this type, so I
can see when this attack stopped.
Btw. Snort is running on a Debian-testing system, snort(deb)version is:
\ Ulli Hochholdinger E-Mail: hochhold at ...6871... \
/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /
\ Sometimes I think the surest sign that intelligent life exists elsewhere \
/ in the universe is that none of it has tried to contact us. (Calvin) /
More information about the Snort-users