Snort mailing list archives

Help with monitoring sending packet rate


From: Tu Nguyen <nguyen () ucalgary ca>
Date: Wed, 15 May 2002 11:46:24 -0600 (MDT)


Hi All:
 I am having a problem with some rogue machines that
spew out packets at a very fast rate. I haven't been able
to capture any of these packets but I believe they are identical,
some sort of DoS. The source IPs are spoofed and they vary, but
their destinations are the same.
 I would like to have Snort alert me when this happens, and
the only signature I can find to identify the incident is
the sending packet rate. I have been planning to modify
spp_portscan to alert me when the packet rate from a certain station
or subnet exceeds a certain threshold, but the code looks daunting.
 Does anyone know how to monitor such an event? Or do I need
to reinvent the wheel here?
Thank you all.

Tu Nguyen
nguyen () ucalgary ca
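
Added example, not part of the original post and not Snort or spp_portscan code: a sliding-window packet-rate check of the kind the message asks about, run over constructed (timestamp, source, destination) records. The function names, the window and threshold values and the sample addresses are assumptions; it shows that with varying spoofed sources the counter has to be keyed on the destination for the threshold to trip.

```python
from collections import defaultdict, deque

def by_dst(src, dst):
    return dst

def by_src(src, dst):
    return src

def rate_alerts(packets, key, window=1.0, threshold=100):
    """Return (timestamp, key, count) each time a key's packet count within
    `window` seconds first reaches `threshold`. `packets` is an iterable of
    (timestamp, src_ip, dst_ip) tuples ordered by timestamp."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    alerting = set()             # keys already reported and still over threshold
    alerts = []
    for ts, src, dst in packets:
        k = key(src, dst)
        q = recent[k]
        q.append(ts)
        while ts - q[0] >= window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            if k not in alerting:    # report once per burst, not per packet
                alerting.add(k)
                alerts.append((ts, k, len(q)))
        else:
            alerting.discard(k)      # re-arm once the rate falls back
    return alerts

def constructed_traffic():
    """Constructed sample data, not captured traffic."""
    pkts = []
    # Flood: 500 packets in half a second, a different source each time,
    # all to one destination.
    for i in range(500):
        src = "10.%d.%d.%d" % (i % 7, i % 251, (i * 13) % 254 + 1)
        pkts.append((10.0 + i * 0.001, src, "192.0.2.10"))
    # Background: one host sending 5 packets per second elsewhere.
    for i in range(50):
        pkts.append((5.0 + i * 0.2, "198.51.100.5", "192.0.2.20"))
    return sorted(pkts)

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("keyed by destination:", rate_alerts(traffic, by_dst))
    print("keyed by source:     ", rate_alerts(traffic, by_src))
```

Keyed by source, every spoofed address creates its own one-packet entry, so nothing crosses the threshold and the table grows with the flood; a long-running version would also need to expire idle keys.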


