Re: Can Snort do this?

[Chris Green <cmg () sourcefire com>]

Erek Adams <erek () snort org> writes:

> On Thu, 16 Oct 2003, Sheahan, Paul wrote:
>
> > I'd like to be able to flag source addresses when they cross a certain
> > threshold of connections per minute, hour, or day.
> >
> > For example, normally if I visit a website and follow normal means to
> > purchase a product on that website, then logoff normally, my session
> > while on that site might consist of maybe 500 total packets and maybe 50
> > of those packets might be TCP SYNs (let's say for example sake). Let's
> > say this is normal for a particular site. Now if I get 500 TCP SYNs from
> > a same IP address over a certain time period (hours or a day), then I'd
> > like to flag this, since this is not normal behaviour.
> >
> > Can Snort do something like this, like maybe with a TCP SYN preprocessor
> > or something? Any tips/recommendations here?
>
> Nope.  Snort's thresholding is signature based.

You can combine a signature plus the new thresholding to do this.

alert tcp any any -> any any (flags: S,12; \
   msg: "Thresholded SYN activity detected"; sid: 1675309; \
   threshold: type limit, track by_src, count 500, seconds 3600;)

Thresholding allows a lot of these type of things to be tried and see
how useful they are. 


-- 
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx


-------------------------------------------------------
This SF.net email is sponsored by OSDN developer relations
Here's your chance to show off your extensive product knowledge
We want to know what you know. Tell us and you have a chance to win $100
http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users