Snort mailing list archives

Re: Detecting Broadcast with Snort


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 21 Feb 2003 11:51:02 -0500

Since excessive broadcasts are an ethernet layer problem (although they can be IP directed), what kind of corrective action could snort possibly take?

A tool like snort could possibly send an alert to a system admin in the event of excessive broadcasting, but nothing short of either:

1) unplugging an ethernet cable or using the management console of a manageable switch to tell it to disable a port
2) turning off the system/switch involved

is going to correct the problem.

If IP directed broadcasts are coming in from outside your network, your router should already be configured to kill those. No reason to use something like inline-snort to auto-filter them, as they should ALL be blocked in the first place by a properly configured router.

If IP directed broadcasts are coming from inside your network, well, they're an ethernet layer problem, as they are being originated as an ethernet layer broadcast packet at the source machine. There's nothing any software tool can do to stop them.



At 12:14 PM 2/21/2003 +0100, Ramon Barquier wrote:
Hi there

We are interested in installing Snort in our university. But we have doubts about the capability of Snort for detecting excessive broadcast and taking some corrective action automatically. Sometimes we have excessive broadcast in our network that provokes a lot of problems.

Thanks

Ramon Barquier
System Analyst
Autonomous University of Barcelona


