Hi ntop team,

I have a couple of nProbe questions for you:

We had an incident where a badly behaved host increased the number of flow records being generated by nProbe by a factor of 10 and really stressed our downstream processing. I ended up restarting our nProbe processes with an added *--black-list x.x.x.x/32* option to ignore that host.

That led me to wonder, is there any way to dynamically change the blacklist configuration so that in the future I could add a host or network without having to restart nProbe? Doing so without restarting would be preferable since restarting will result in some data loss across all the monitored traffic. I didn't see anything in the documentation, but thought it would be worth checking here.

On a related note, I wonder about the --max-num-flows option which limits the number of active flows in the case of DoS, etc. In the event that the maximum number of flows is exceeded, what flows will get discarded? Any new flows above the limit, or is there a more selective algorithm?

Thank you!
Peter

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
