RE: the alert log is getting so huge in minutes!

["Hudak, Tyler" <Tyler.Hudak () roadway com>]

I wouldn't delete those rules, they are doing exactly what you want them to
do!

Snort is detecting an IP address within your network, 10.17.112.16 that is
infected with a virus, most likely SQL Slammer.  Track down all of the
machines that are infected, clean them up and patch, and the alerts will go
away.  The ICMP Unreachables will probably go away as well.

Tyler


> Message: 1
> Date: Mon, 19 Jan 2004 02:18:21 -0600 (CST)
> From: =?iso-8859-1?q?soldier=20Mx?= <soldi3rmx () yahoo com mx>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] the alert log is getting so huge in minutes!
>
> hey,, /var is full and alert log is so BIG.
>
>
> im gettin tthis alert.,.
> every 2-3 seconds and my log of alerts is getting so
> huge  that my /var is full also!!
> What todo ?
>
> [**] [1:2004:1] MS-SQL Worm propagation attempt
> OUTBOUND [**]
> [Classification: Misc Attack] [Priority: 2]
> 01/17-16:07:18.519151 10.17.112.16:2526 ->
> 237.158.119.228:1434
> UDP TTL:1 TOS:0x0 ID:40538 IpLen:20 DgmLen:404
> Len: 376
> [Xref =>
> http://vil.nai.com/vil/content/v_99992.htm][Xref =>
> http://www.securityfocus.com/bid/5311][Xref =>
> http://www.securityfocus.com/bid/5310]
>
>
> and other ones, like ICMP enrechable..
>
> In one minute i get like 1 megabyte of logs.!!
> of thoses alerts..
>
> how could i delete thoses rules.. that are causing
> that alerts..
>
> cuz im using gentoo linux, and that alert is with
> Microsoft...
>
> so what todo =?
>
> Thanks in advance!
> :)