Snort mailing list archives

Source quenchyness


From: a.h.s. boy <spud () nothingness org>
Date: Mon, 14 Jan 2002 20:42:56 -0500

I have a box co-located at a friend's company, and have Snort/ACID set up on it (with HOME_NET restricted to only my machine...I'm not concerned with monitoring all their traffic).

I get about 5-6000 ICMP Source Quench alerts a day(!)...all from one of their NT servers sitting on the same subnet as mine. I'm not sure what role the NT box serves for them, but it certainly is chatty with my box.

All I know about source quench messages is that they're an indication that the sending box isn't handling the volume of traffic very well, and it's trying to tell my box to slow down. And I know that ICMP Source Quench packets are "deprecated", since it's not a great idea to generate more traffic to indicate that there's too much traffic. That's the extent of my knowledge about ICMP Source Quenches.

While I could have Snort ignore these "violations", what I'm really wondering is WHY the NT box would be having so much trouble with this server...it's NOT a very high-volume server at all (2 web sites, one quite negligible). So I have a hard time believing that I'm really flooding the NT box...or rather, I can't believe that the amount of traffic my machine is generating is unreasonable.

Can someone fill me in on what I might be able to do to resolve this issue, either on my server, or the network it's on, or the NT box (I don't have many details on the NT box right now, but I can get them)?

Cheers,
spud.

-------------------------------------------------------------------
a.h.s. boy
spud () nothingness org               "as yes is to if,love is to yes"
http://www.nothingness.org/
PGP Fingerprint: 7B5B 2E7A FA96 865A D9D9  5D6D 54CD D2C1 3429 56B4
-------------------------------------------------------------------
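
An added example, not part of the original post: an ICMP Source Quench (type 4, code 0, RFC 792) quotes the IP header and first 8 bytes of the datagram that triggered it, so decoding that quote and counting flows shows which of the server's own traffic the NT box is objecting to. The function names and the sample messages (RFC 5737 documentation addresses) are constructed for illustration; the input is assumed to be the raw ICMP message with the outer IP header already stripped.

```python
import struct
from collections import Counter

def parse_source_quench(icmp: bytes):
    """Return (src, dst, proto, sport, dport) of the datagram quoted in an
    ICMP Source Quench (type 4, code 0), or None for anything else."""
    if len(icmp) < 28 or icmp[0] != 4 or icmp[1] != 0:
        return None
    inner = icmp[8:]                      # skip type, code, checksum, 4 unused bytes
    ihl = (inner[0] & 0x0F) * 4           # quoted IPv4 header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP/UDP ports lead the quoted 8 bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return src, dst, proto, sport, dport

def summarize(messages):
    """Count quenched flows so the busiest one stands out."""
    return Counter(f for f in map(parse_source_quench, messages) if f)

def build_sample(src, dst, proto, sport, dport):
    """Constructed test message; checksums are left at 0 and not verified."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return struct.pack("!BBHI", 4, 0, 0, 0) + ip + struct.pack("!HHI", sport, dport, 0)

# Constructed sample: RFC 5737 documentation addresses, not data from the post.
SAMPLES = [
    build_sample("192.0.2.10", "192.0.2.20", 6, 80, 1025),
    build_sample("192.0.2.10", "192.0.2.20", 6, 80, 1025),
    build_sample("192.0.2.10", "192.0.2.20", 17, 137, 137),
    struct.pack("!BBHI", 0, 0, 0, 0) + b"\x00" * 28,   # echo reply, ignored
]

if __name__ == "__main__":
    for flow, count in summarize(SAMPLES).most_common():
        print(count, flow)
```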

