[Snort-users] big flood of broadcast packages crashed snort

Ulrich Hochholdinger hochhold at ...6871...
Wed Sep 11 07:00:04 EDT 2002


Hi,
Last night I had the problem that a really heavy network broadcast
crashed snort (running out of memory and disk space).
The packets were nearly the same,
(example:)
------
04:20:34.068012 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 60:12.252.160.142.1412 >
 141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 105, id 1839, len 40)
------
Only the content and the length of the packets was different.
Since there were about 1700 packets/second and snort started to log
all these packets, it crashed the whole machine after about one hour
of attack.

So my question is: is there a possibility to log only the first 1000
packets and then, for example, only count the packets of this type, so I
can see when this attack stopped?

Btw. Snort is running on a Debian-testing system; the snort (deb) version is:
1.8.7-4

Regards
	Ulli
-- 
\ Ulli Hochholdinger                               E-Mail: hochhold at ...6871... \
/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /
\ Sometimes I think the surest sign that intelligent life exists elsewhere \
/ in the universe is that none of it has tried to contact us. (Calvin)     /
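The behaviour asked for above (write the first N packets of a given type to the log, then only count the rest and report the count per time window, so the end of the flood is still visible without filling the disk) can be shown stand-alone. The following is an added example, not Snort's code and not something from the original post: a small Python throttle that parses lines in the tcpdump format quoted in the mail, keys them on (source IP, destination IP, destination port, TCP flags), and keeps per-key counters. The sample flood is constructed in `synth_flood()` from the one packet shown in the post; the limits (3 logged packets, 1-second windows) are small so the result is easy to read.

```python
import re
from collections import defaultdict

# Regex for the tcpdump -e style line quoted in the post (constructed for that layout):
# "HH:MM:SS.usec srcmac dstmac 0800 len:src.sport > dst.dport: FLAGS ..."
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?P<smac>[0-9a-f:]+)\s+(?P<dmac>[0-9a-f:]+)\s+0800\s+\d+:\s*'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)'
)


def to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class LogThrottle:
    """Log the first `max_logged` packets of each type, then only count them.

    Counts are reported once per `window` seconds so a long flood still shows
    when it tapered off, without one log line per packet.
    """

    def __init__(self, max_logged=1000, window=60.0):
        self.max_logged = max_logged
        self.window = window
        self.logged = defaultdict(int)      # key -> packets written in full
        self.suppressed = defaultdict(int)  # key -> packets counted in the open window
        self.window_start = {}              # key -> timestamp the open window began
        self.reports = []                   # (key, window_start, count) once a window closes

    def handle(self, line):
        """Return 'logged', 'counted' or 'unparsed' for one input line."""
        m = LINE_RE.match(line)
        if not m:
            return "unparsed"
        key = (m["src"], m["dst"], m["dport"], m["flags"])
        ts = to_seconds(m["ts"])
        start = self.window_start.setdefault(key, ts)
        if ts - start >= self.window:       # window rolled over: emit its count
            self._flush(key, start)
            self.window_start[key] = ts
        if self.logged[key] < self.max_logged:
            self.logged[key] += 1           # in Snort this is where the packet would be logged
            return "logged"
        self.suppressed[key] += 1
        return "counted"

    def _flush(self, key, start):
        if self.suppressed[key]:
            self.reports.append((key, start, self.suppressed[key]))
            self.suppressed[key] = 0

    def finish(self):
        """Close all open windows and return every (key, window_start, count) report."""
        for key, start in list(self.window_start.items()):
            self._flush(key, start)
        return self.reports


def synth_flood(count, start="04:20:34.000000", interval=0.25):
    """Constructed sample: `count` near-identical RST packets `interval` seconds apart,
    modelled on the single packet quoted in the post (only IP id varies)."""
    base = to_seconds(start)
    for i in range(count):
        t = base + i * interval
        h, rem = divmod(t, 3600)
        mnt, sec = divmod(rem, 60)
        ts = f"{int(h):02d}:{int(mnt):02d}:{sec:09.6f}"
        yield (f"{ts} 0:2:b3:61:68:36 ff:ff:ff:ff:ff:ff 0800 60:12.252.160.142.1412 > "
               f"141.21.4.0.1080: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) "
               f"(ttl 105, id {1839 + i}, len 40)")


def run(lines, max_logged=3, window=1.0):
    """Feed lines through a throttle; return per-line outcomes and the window reports."""
    throttle = LogThrottle(max_logged, window)
    outcomes = [throttle.handle(line) for line in lines]
    return outcomes, throttle.finish()


if __name__ == "__main__":
    outcomes, reports = run(list(synth_flood(10)))
    print(outcomes.count("logged"), "logged,", outcomes.count("counted"), "only counted")
    for key, start, n in reports:
        print(f"{key[0]} -> {key[1]}:{key[2]} [{key[3]}] window from {start:.2f}s: {n} packets")
```

With the constructed ten-packet flood, three packets are written in full and the remaining seven only appear as one count per one-second window (1, 4 and 2), which is the shape of output that would show the attack stopping without the full log. For a real deployment the counters should be reset or expired, and the window reports written to the log, at the same place Snort would otherwise write the packet.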