
RE: [hobbit] Flooding hobbit



Hi Ettienne

This sounds like a good plan.
I think my knowledge of Windoze and BBWin is too lacking for me to think
of this sort of thing on my own.

The bulk of the noise is coming through in the "Full log
eventlog_security" section.
Most of them are lines like this one:
success - 2008/04/28 10:41:34 - Security (680) - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: xxxxxx Source Workstation: ABCDEFG Error Code: 0x0

The lines start with "success", and appear to end with "Error Code: 0x0"

I tried both these entries in client-local.cfg :
[win32]
eventlog:security
ignore success

It gave me no joy, but according to the comments in client-local.cfg, I
would have expected it to.

Or should it look like this:
[win32]
eventlog:security
ignore 0

This did the trick.
Can you confirm that it would only remove the return code 0x0, and not
remove all lines containing a 0?

Thanks
    Vernon



-----Original Message-----
From: Etienne Grignon [mailto:etienne.grignon (at) gmail.com] 
Sent: Thursday, 24 April 2008 4:51 PM
To: hobbit (at) hswn.dk
Subject: Re: [hobbit] Flooding hobbit

Hello Vernon,

2008/4/18, Everett, Vernon <Vernon.Everett (at) woodside.com.au>:

> Hoping somebody has encountered this before.
> We have put BBWin on a few Windoze servers, but one of the, a DC, has 
> a HUGE event log.
> So large, that hobbit is freaking out, and doing the "Data flooding 
> from 1.2.3.4, closing connection" thing.
>
> I know this is hobbit protecting iteself from a DOS attack, but is 
> there a way around this?
> Can I somehow tell hobbit not to do this for that IP address?
>
> Unfortunately, because of its function, we can't reduce the logging on
> the Windoze server, so we need to either
>     a) get hobbit to handle the problem (desirable solution)
>     b) get bbwin to truncate the event log (less desirable)
>

Do you use the central or local mode of BBWin?

Depending on the mode you use, you may add ignore rules in your BBWin.cfg
(local mode) or client-local.cfg (win32 section) on the hobbit server.

Example for local mode in BBWin.cfg:
<ignore logfile="Application" type="Error" eventid="2001" />

Example for central mode in client-local.cfg:
[win32]
eventlog:application
ignore 2001




--
Etienne GRIGNON
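To illustrate the question raised earlier in the thread (whether "ignore 0" drops only the "Error Code: 0x0" entries or every line containing a 0) alongside the ignore rules shown above, here is an added example that is not part of the mailing-list messages or of BBWin/hobbit. It assumes each ignore pattern is applied as an unanchored regular expression searched across the rendered event line; that semantics is an assumption, and the thread's own report that "ignore success" had no effect suggests the "success -" prefix may not be part of what BBWin matches. The sample event lines are constructed, not captured data.

```python
import re

# Constructed sample in the shape of the "Full log eventlog_security" lines
# quoted in the thread: one noisy successful logon (event 680, Error Code 0x0)
# and one failed logon (non-zero NTSTATUS) that should stay visible.
SAMPLE_EVENTS = [
    "success - 2008/04/28 10:41:34 - Security (680) - Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: xxxxxx Source "
    "Workstation: ABCDEFG Error Code: 0x0",
    "failure - 2008/04/28 10:42:07 - Security (680) - Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: xxxxxx Source "
    "Workstation: ABCDEFG Error Code: 0xC000006A",
]


def filter_events(lines, ignore_patterns):
    """Return the lines that survive a list of 'ignore' patterns.

    Assumption: every pattern is an unanchored regex searched anywhere in
    the line, so a bare "0" matches timestamps, event IDs and status codes.
    """
    compiled = [re.compile(p) for p in ignore_patterns]
    return [ln for ln in lines if not any(rx.search(ln) for rx in compiled)]


def compare_ignore_rules(lines):
    """Apply candidate rules from the thread and a narrower alternative.

    "ignore 0" suppresses everything that contains a zero, failed logons
    included; anchoring on event 680 with a 0x0 status keeps the failures.
    """
    return {
        "ignore 0": filter_events(lines, ["0"]),
        "ignore (680) 0x0 only": filter_events(
            lines, [r"\(680\).*Error Code: 0x0$"]
        ),
    }


if __name__ == "__main__":
    for rule, kept in compare_ignore_rules(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(kept)} of {len(SAMPLE_EVENTS)} lines kept")
        for ln in kept:
            print("   ", ln[:60], "...")
```

Run against a copy of the real "Full log" output to see which rule keeps the failed-logon entries before committing it to client-local.cfg.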



