Snort mailing list archives
Re: Detecting Broadcast with Snort
From: twig les <twigles () yahoo com>
Date: Fri, 21 Feb 2003 11:41:23 -0800 (PST)
This would be a neat plugin though - broadcast threshold alerts. Once we netadmin types get a baseline it'd be nice to have warning when NIC driver goes nutso and starts broadcasting or something.

--- Matt Kettler <mkettler () evi-inc com> wrote:

Since excessive broadcasts are an ethernet layer problem (although they can be IP directed), what kind of corrective action could snort possibly take?

A tool like snort could possibly send an alert to a system admin in the event of excessive broadcasting, but nothing short of either:

1) unplugging an ethernet cable or using management console of a manageable switch to tell it to disable a port
2) turning off the system/switch involved

is going to correct the problem.

If IP directed broadcasts are coming in from outside your network, your router should already be configured to kill those. No reason to use something like inline-snort to auto-filter them, as they should ALL be blocked in the first place by a properly configured router.

If IP directed broadcasts are coming from inside your network, well, they're an ethernet layer problem, as they are being originated as an ethernet layer broadcast packet at the source machine. There's nothing any software tool can do to stop them.

At 12:14 PM 2/21/2003 +0100, Ramon Barquier wrote:

Hi there

We are interested in installing Snort in our university. But we are in doubt about the capability of Snort for detecting excessive broadcast and make some corrective action automatically. Sometimes we have excessive broadcast in our network that provokes a lot of problems.

Thanks

Ramon Barquier
System Analyst
Autonomous University of Barcelona

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
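The "broadcast threshold alert" idea raised in this message, as an added example that is not part of the original post and is not Snort code. It learns a per-source, per-second baseline of Ethernet broadcast frames and reports any source that exceeds it; all function names, MAC addresses and packet samples are constructed for illustration, and the mean-plus-k-standard-deviations threshold is an assumed choice.

```python
import statistics
from collections import Counter

BROADCAST = b"\xff" * 6  # Ethernet broadcast destination ff:ff:ff:ff:ff:ff

def parse_eth(frame):
    """Return (dst, src) MAC bytes from a raw Ethernet II frame, or None if truncated."""
    if len(frame) < 14:
        return None
    return frame[0:6], frame[6:12]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def per_second_counts(packets):
    """Count broadcast frames per (whole second, source MAC); unicast is ignored."""
    counts = Counter()
    for ts, frame in packets:
        hdr = parse_eth(frame)
        if hdr and hdr[0] == BROADCAST:
            counts[(int(ts), mac(hdr[1]))] += 1
    return counts

def learn_threshold(baseline_packets, k=3.0, floor=5):
    """Threshold = mean + k*stdev of per-source per-second counts, never below floor."""
    values = list(per_second_counts(baseline_packets).values())
    if len(values) < 2:
        return floor
    return max(floor, statistics.mean(values) + k * statistics.pstdev(values))

def alerts(packets, threshold):
    """Return sorted (second, src_mac, count) for each source above threshold."""
    counts = per_second_counts(packets)
    return sorted((sec, src, n) for (sec, src), n in counts.items() if n > threshold)

def make_frame(dst, src):
    # Constructed sample: 14-byte Ethernet header (ARP ethertype) plus padding.
    return dst + src + b"\x08\x06" + b"\x00" * 46

HOST_A = bytes.fromhex("020000000001")  # constructed, locally administered MACs
HOST_B = bytes.fromhex("020000000002")
# Constructed baseline: each host sends one broadcast per second for 60 s.
BASELINE = [(t + 0.1 * i, make_frame(BROADCAST, h))
            for t in range(60) for i, h in enumerate((HOST_A, HOST_B))]
# Constructed live capture: HOST_B sends 200 broadcasts within second 100.
LIVE = [(100 + i / 200, make_frame(BROADCAST, HOST_B)) for i in range(200)]
LIVE += [(100.5, make_frame(BROADCAST, HOST_A)), (100.6, make_frame(HOST_A, HOST_B))]

if __name__ == "__main__":
    thr = learn_threshold(BASELINE)
    for sec, src, n in alerts(LIVE, thr):
        print(f"t={sec}s src={src} broadcasts={n} threshold={thr:.1f}")
```

This only alerts; as the quoted reply notes, stopping the source still means disabling the switch port or the offending host.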
Current thread:
- Detecting Broadcast with Snort Ramon Barquier (Feb 21)
- Re: Detecting Broadcast with Snort Matt Kettler (Feb 21)
- Re: Detecting Broadcast with Snort twig les (Feb 21)
- Re: Detecting Broadcast with Snort Matt Kettler (Feb 21)
- Re: Detecting Broadcast with Snort twig les (Feb 21)
- Re: Detecting Broadcast with Snort Matt Kettler (Feb 21)
- Re: Detecting Broadcast with Snort twig les (Feb 21)
- Re: Detecting Broadcast with Snort Matt Kettler (Feb 21)
- Re: Detecting Broadcast with Snort Gene Yoo (Feb 22)
- Re: Detecting Broadcast with Snort Matt Kettler (Feb 22)
- Re: Detecting Broadcast with Snort Frank Knobbe (Feb 22)
- Re: Detecting Broadcast with Snort Gene Yoo (Feb 24)
- <Possible follow-ups>
- Re: Detecting Broadcast with Snort james (Feb 24)