What to do in this situation
Scott A. McIntyre
scott at xs4all.nl
Thu Mar 15 12:35:54 EST 2001
Hi,
(Gosh, something from me that isn't a crash report....)
> I like this idea as well. What I am working on, partially has to do with DoS
> attacks, and though I know there will be times when a machine/argus just can't
> keep up to the traffic levels, it should try very hard at warning someone
> real, about the problem. So, I like the graduated warning when argus is
> nearing its limits. I also like the idea of a 'last ditch effort', where
This begs the question, is it possible to have argus have a "traffic
threshold" for reporting any one flow type? This would dramatically
reduce the load on a machine.
Perhaps this is difficult to implement however.
What I have in mind is specifying a maximum number of packets or bytes
between any two points (src, dst, sport, dport, whatever); beyond that
amount, information alerting that the threshold has been exceeded is
logged, but no more data is recorded for T timeticks (variable).
Dynamic filters, in other words.
(I think I just heard Carter groan)
Scott
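The threshold-and-suppress behaviour proposed in the post, as an added example written for this page (it is not argus code and not part of the original message). Assumptions: the flow key is the 5-tuple (src, dst, sport, dport, proto), a "timetick" is an abstract integer clock passed in by the caller, and the threshold counters reset when the suppression window expires; the packet stream in `run_demo()` is constructed.

```python
"""Per-flow traffic threshold with temporary suppression (added example, not argus code).

A flow is keyed by (src, dst, sport, dport, proto).  Once a flow exceeds
`max_packets` or `max_bytes`, one "threshold exceeded" alert is emitted and
further packets of that flow are not recorded for `suppress_ticks` ticks.
When the window expires the flow's counters are reset and recording resumes,
so a sustained flood produces one alert per window rather than one record
per packet.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto) - assumed key


@dataclass
class FlowState:
    packets: int = 0
    bytes: int = 0
    suppressed_until: int = -1  # tick at which recording resumes; -1 = not suppressed


@dataclass
class ThresholdFilter:
    max_packets: int
    max_bytes: int
    suppress_ticks: int  # the "T timeticks" from the post
    flows: Dict[FlowKey, FlowState] = field(default_factory=dict)
    records: List[dict] = field(default_factory=list)  # what would be written to the log
    alerts: List[dict] = field(default_factory=list)   # threshold-exceeded notices

    def observe(self, tick: int, src: str, dst: str, sport: int, dport: int,
                proto: str, length: int) -> str:
        """Account one packet; return 'recorded', 'alert' or 'suppressed'."""
        key: FlowKey = (src, dst, sport, dport, proto)
        st = self.flows.setdefault(key, FlowState())

        if st.suppressed_until != -1:
            if tick < st.suppressed_until:
                return "suppressed"  # inside the window: drop without recording
            # window expired: reset counters and start recording again
            st.packets, st.bytes, st.suppressed_until = 0, 0, -1

        st.packets += 1
        st.bytes += length
        if st.packets > self.max_packets or st.bytes > self.max_bytes:
            # log once that the threshold was crossed, then go quiet for T ticks
            self.alerts.append({"tick": tick, "flow": key,
                                "packets": st.packets, "bytes": st.bytes})
            st.suppressed_until = tick + self.suppress_ticks
            return "alert"

        self.records.append({"tick": tick, "flow": key, "len": length})
        return "recorded"


def run_demo() -> dict:
    """Constructed traffic: a 20-packet flood to port 80 plus a quiet SSH flow."""
    f = ThresholdFilter(max_packets=5, max_bytes=10_000, suppress_ticks=10)
    pkts = [(t, "10.0.0.1", "10.0.0.2", 40000 + t, 80, "tcp", 60) for t in range(20)]
    pkts += [(t, "10.0.0.3", "10.0.0.2", 51000, 22, "tcp", 100) for t in (0, 5, 15)]
    # The flood uses a fresh sport per packet, so key on (src, dst, dport, proto)
    # for it would be the realistic choice; here the demo keeps the 5-tuple but
    # pins sport so the flood is one flow.
    pkts = [(t, s, d, 40000 if dp == 80 else sp, dp, pr, ln) for t, s, d, sp, dp, pr, ln in pkts]
    counts = {"recorded": 0, "alert": 0, "suppressed": 0}
    for pkt in sorted(pkts, key=lambda p: p[0]):
        counts[f.observe(*pkt)] += 1
    return {"counts": counts, "alerts": f.alerts, "records": len(f.records)}


if __name__ == "__main__":
    print(run_demo())
```

With the demo parameters the flood is recorded for its first five packets, produces a single alert at tick 5, is dropped for ticks 6 to 14, and is recorded again from tick 15 (a second window would alert again if it ran long enough); the SSH flow is untouched. The caveat the thread is circling is visible here too: a per-flow key that includes the source port will not catch a flood that varies sport, which is why the key fields should be configurable.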