From: Josh B. <jos...@li...> - 2004-06-16 13:25:19
The problem is fixed if you use -N and don't log data to different directories. This also helps with performance and obviously conserves disk space. If snort_inline is logging elsewhere (Syslog, DB, etc), what is the usefulness of creating these logging folders?

> Yeah, we could use unified logging, the only problem is that you need
> something to deal with binary unified logging format such as barnyard. Let
> me also clarify something, this is a limitation of host operating system
> not with snort_inline. The exact same thing would happen with regular
> snort, the only difference is that if snort (not inline) dies we miss
> logging malicious traffic. If snort_inline dies and it is our gateway to
> another network, we are no longer able to access anything on the other side
> of the bridge.
>
> Regards,
>
> Will
>
> "Roland Turner (SourceForge)" <raz.fs.arg@countersnipe.com>
> Sent by: snort-inline-users-...@li...urceforge.net
> 06/15/2004 02:30 AM
> To: <sno...@li...urceforge.net>
> cc:
> Subject: Re: [Snort-inline-users] DoS possible with stick attack
>
> > Will wrote:
> >
> >> the attack originates from, with -sH stick generates random IPs. At
> >> least on my box when I hit 32000 directories snort_inline dies, all
> >> traffic being passed to queue space isn't ever inspected, and never
> >> traverses the bridge i.e. DoS. what do you guys think about tarring and
> >> gzipping everything within /var/log/snort when we hit x number of
> >
> > Do you actually want your log data chopped up into hundreds (thousands) of
> > files like that anyway? Surely unified is a more useful approach?
> >
> > - Raz
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users

Thanks,

Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
jos...@li...
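Will's proposal of tarring and gzipping /var/log/snort once some number of per-IP directories exists, written out as an added example that is not from the thread or from snort_inline; the threshold, the archive directory and the SNORT_* environment variables are assumptions, and it archives only the directories (the resource that exhausted the host) while leaving files such as the alert file in place.

```shell
#!/bin/sh
# Added example, not code from the thread or from snort_inline: bound the
# number of per-source-IP log directories that snort_inline creates under
# its log root by archiving them (tar + gzip) once a threshold is crossed.
# Threshold, archive location and the SNORT_* variables are assumptions.

# Count the immediate subdirectories of a log root (one per source IP).
count_log_dirs() {
    n=0
    for d in "$1"/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# rotate_if_needed LOG_ROOT THRESHOLD ARCHIVE_DIR
# If LOG_ROOT holds more than THRESHOLD directories, pack them into a
# timestamped .tar.gz under ARCHIVE_DIR and delete them, leaving plain files
# such as the alert file untouched. Prints the archive path, or "none" when
# the count is still within the threshold.
rotate_if_needed() {
    log_root=$1; threshold=$2; archive_dir=$3
    [ "$(count_log_dirs "$log_root")" -gt "$threshold" ] || { echo none; return 0; }
    mkdir -p "$archive_dir" || return 1
    archive_dir=$(cd "$archive_dir" && pwd)      # absolute path, safe with tar -C
    archive="$archive_dir/snort-logs-$(date +%Y%m%d%H%M%S)-$$.tar.gz"
    set --                                        # collect directory names in "$@"
    for d in "$log_root"/*/; do
        [ -d "$d" ] && set -- "$@" "$(basename "$d")"
    done
    tar czf "$archive" -C "$log_root" "$@" || return 1
    for d; do rm -rf "$log_root/$d"; done         # only after the archive succeeded
    echo "$archive"
}

# Stand-alone use, e.g. from cron: SNORT_LOG_ROOT=/var/log/snort sh rotate.sh
if [ -n "${SNORT_LOG_ROOT:-}" ]; then
    rotate_if_needed "$SNORT_LOG_ROOT" "${SNORT_DIR_LIMIT:-1000}" \
        "${SNORT_ARCHIVE_DIR:-/var/log/snort-archive}"
fi
```

This only caps the directory count between cron runs; the fix the thread settles on (-N, or unified output read by barnyard) avoids creating the per-IP directories at all.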