Snort mailing list archives
DOS in Snort?
From: "Counselman, Chris Contractor/Sverdrup" <chris.counselman () us army mil>
Date: Wed, 19 Feb 2003 14:06:22 -0600
Snort 1.9, RedHat 8.0, SnortSnarf

On one of my sensors I have snort logging locally for SnortSnarf. One IP scanned a class B network I monitor and a snort rule alerted on every IP. This filled the log directory with thousands of entries that eventually reached the maximum allowed limit, which broke snort. I could not delete all of the directories with one command because there were so many, so I had to delete them in small chunks. Overall it took about 30 minutes to clear up everything.

This is an OS issue and not a snort issue, right? Is there a way to limit the number of alerts? Couldn't any snort box not logging to a database be susceptible to a DOS in this manner?

Chris
Current thread:
- DOS in Snort? Counselman, Chris Contractor/Sverdrup (Feb 21)
- Re: DOS in Snort? Erick Mechler (Feb 21)
- Re: DOS in Snort? Shane Williams (Feb 21)
- Re: DOS in Snort? Brian (Feb 21)
- Re: DOS in Snort? Erick Mechler (Feb 21)
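Added example, not part of the original post or of Snort: a shell helper for the situation described in the message above, where per-host log directories pile up until a filesystem limit is reached. It counts the directories, warns at an operator-chosen threshold, and prunes old ones through `find`, which batches the paths so the removal never fails on an over-long argument list. The layout (one subdirectory per source IP directly under the log directory), the function names and the thresholds are assumptions.

```shell
#!/bin/sh
# Assumed layout: LOG_DIR/<source-ip>/..., one directory per alerting host.
# Requires a find that supports -mindepth/-maxdepth (GNU and BSD find do).

# count_host_dirs DIR
# Print the number of immediate subdirectories of DIR.
count_host_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# check_host_dirs DIR LIMIT
# Return 0 while DIR holds fewer than LIMIT host directories, 1 otherwise.
# Pick LIMIT well below the per-directory limit of the filesystem in use,
# so the warning arrives before logging breaks.
check_host_dirs() {
    n=$(count_host_dirs "$1")
    if [ "$n" -ge "$2" ]; then
        echo "WARN: $n host directories in $1 (threshold $2)" >&2
        return 1
    fi
    return 0
}

# prune_host_dirs DIR DAYS
# Remove host directories last modified more than DAYS days ago.
# "-exec ... {} +" lets find split the paths into as many rm invocations
# as needed, unlike "rm -rf DIR/*", where the shell expands every name
# onto a single command line.
prune_host_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" \
        -exec rm -rf {} +
}

# Optional command-line use: script.sh LOG_DIR LIMIT DAYS
# Prunes only when the threshold has been reached.
if [ "$#" -eq 3 ]; then
    check_host_dirs "$1" "$2" || prune_host_dirs "$1" "$3"
fi
```

Run from cron against the sensor's log directory, this gives a warning and a bounded cleanup before the directory count reaches the point where logging stops.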