[Snort-users] Bug Report

Slighter, Tim tslighter at ...5174...
Tue Apr 8 06:30:02 EDT 2003


I have a question about the rc.firewall script

Either I have stumbled across an isolated anomaly or perhaps this pattern of
behavior does exist universally.
When passing traffic via IPTABLES to the QUEUE, after a short period of time
on a rather high traffic system, the ip_queue queue fills up and then the
error logs start showing up in magnitude.  I have bumped this value way up
in the ip_queue_maxlen file but once the QUEUE hits that value, I have "x"
number of alerts to contend with.  For example, if I bump the value up to
9092, once the ip_queue gets to that value, I will have 9092 error messages
from /var/log/messages that show up on STDOUT.  If the occurrence of this
type of event is authentic, has anyone there discovered a way to clear out
this ip_queue so that it does not max out and stay maxed?

Thanks for any suggestions or help with this matter.

Tim Slighter