Snort mailing list archives
Re: DOS in Snort?
From: Shane Williams <shanew () shanew net>
Date: Fri, 21 Feb 2003 17:34:11 -0600 (CST)
On Fri, 21 Feb 2003, Erick Mechler wrote:
> :: Overall it took about 30 minutes to clear up everything. This is
> :: an OS issue and not a snort issue right? Is there a way to limit the
> :: number of alerts? Couldn't any snort box not logging to a
> :: database be susceptible to a DOS in this manner?
>
> The only way this could be used in a DoS against a snort sensor is if you
> have neglected to properly partition your disks, and you manage to fill up
> an important filesystem on your sensor. For instance, if you fill up /,
> some OS's might have a problem with that. Additionally, you can bring a
> Solaris system to its knees if you fill up /tmp.

I think what Chris meant was that it could be used to DoS snort itself, not necessarily the sensor running snort (in either case, your IDS is out of commission). In this, Chris is right, though I don't see how logging to a database would prevent that, since the database could grow similarly large until it's full (full meaning different things depending on your DB).

My own solution to a similar problem (logging full network traffic via tcpdump filling up drives) was to write a script that monitors disk usage and deletes older files at a certain threshold percentage.

Also, in situations where there are "too many arguments" for a command like rm, xargs is a good (if somewhat time consuming) solution (or find if you need to delete by certain parameters, but it would go even slower). A command line like "ls | xargs rm -f" would delete however many files with a single command.

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
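An added example, not from this thread or from Snort, of the disk-usage watchdog Shane describes: it deletes the oldest capture files until filesystem usage falls below a threshold, and uses find -exec for the bulk-delete case where a plain rm would fail with "too many arguments". The capture directory, the *.pcap naming and the 85% default are assumptions.

```shell
#!/bin/sh
# Disk-usage watchdog for a sensor's capture directory (added example).
# Assumptions: captures live in LOG_DIR and are named *.pcap; 85% is the
# default percent-used ceiling. Adjust both for your sensor.

LOG_DIR=${LOG_DIR:-/var/log/captures}   # assumed capture directory
THRESHOLD=${THRESHOLD:-85}              # assumed percent-used ceiling

# Percent of the filesystem holding $1 that is in use (POSIX df -P, column 5).
disk_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Path of the oldest *.pcap in $1 (ls -tr sorts by mtime, oldest first);
# prints nothing when no captures are left.
oldest_capture() {
    ls -tr "$1"/*.pcap 2>/dev/null | head -n 1
}

# Delete captures oldest-first until usage drops below the threshold.
# Returns 1 if the directory is empty but the disk is still too full, i.e.
# something other than captures is consuming the filesystem.
prune_captures() {
    dir=$1; limit=$2
    while [ "$(disk_usage_pct "$dir")" -ge "$limit" ]; do
        victim=$(oldest_capture "$dir")
        if [ -z "$victim" ]; then
            echo "prune_captures: $dir empty but usage still >= ${limit}%" >&2
            return 1
        fi
        rm -f -- "$victim"
    done
    return 0
}

# Bulk removal for the "too many arguments" case: find hands the names to rm
# in batches (-exec ... +), so no single command line has to hold them all.
purge_captures() {
    find "$1" -name '*.pcap' -type f -exec rm -f -- {} +
}

# Run from cron, e.g. every 5 minutes: prune_captures "$LOG_DIR" "$THRESHOLD"
if [ "$#" -eq 2 ]; then
    prune_captures "$1" "$2"
fi
```

Pruning only ever frees space held by captures, so a return value of 1 is worth alerting on: the disk is filling with something else.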