Snort mailing list archives

Re: rule to detect lots of syn pkts?


From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Fri, 04 Jun 2004 14:55:00 +0100



--On 04 June 2004 08:12 -0600 Rich Adamson <radamson () routers com> wrote:

> We ran into a problem last night at an ISP operation where a Cisco 7206
> with NATing ran out of NAT translation table space, causing the router
> to use 100% of the CPU (known problem with this IOS version, but can't
> upgrade right now). The problem was one customer was infected with a
> virus that caused their machine to attempt 1000s of connections with
> various Internet boxes.
>
> Is there a way to write a general rule that would alert when any -> any
> attempts more than xx connections per unit of time on any port?

You want to be looking at the portscan and portscan2 preprocessors (and the new stuff for detecting portscans in Snort 2.1.x if you're using that).

> Rich

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
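The question in the thread ("alert when one source attempts more than xx connections per unit of time") is a per-source, count-in-window check, which is the kind of bookkeeping Snort's portscan preprocessors do for you. As an added illustration, not code from this list post or from Snort itself, the Python below implements that logic over constructed SYN records: a sliding window per source, counting only SYN-without-ACK as a new connection attempt so established traffic does not inflate the count, and reporting each offending source once. The thresholds, addresses and timestamps are made up for the demo.

```python
"""Per-source connection-rate detector: alert when one source opens more
than MAX_CONNS new connections within any WINDOW_SECONDS span.

Added example for the "more than xx connections per unit of time" check
asked about in the thread. Not Snort code and not from the list post;
all input records are constructed below.
"""
from collections import defaultdict, deque

# Demo thresholds (assumptions, not values from the post).
WINDOW_SECONDS = 10.0   # sliding window length in seconds
MAX_CONNS = 20          # alert once a source exceeds this many SYNs in the window


class SynRateDetector:
    """Sliding-window counter of connection attempts (bare SYNs) keyed by source IP."""

    def __init__(self, window=WINDOW_SECONDS, max_conns=MAX_CONNS):
        self.window = window
        self.max_conns = max_conns
        # src -> deque of (timestamp, dst_ip, dst_port) for SYNs still inside the window
        self.recent = defaultdict(deque)
        self.alerted = set()  # sources already reported, so one scan yields one alert

    def observe(self, ts, src, dst, dport, flags):
        """Feed one packet summary; return an alert string if this SYN pushes the
        source over the threshold, else None. Only SYN-without-ACK ("S") counts as
        a new connection attempt, so packets of established flows are ignored."""
        if flags != "S":
            return None
        q = self.recent[src]
        q.append((ts, dst, dport))
        # Drop entries older than the window, measured from this packet's time.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len(q) > self.max_conns and src not in self.alerted:
            self.alerted.add(src)
            distinct_targets = len({(d, p) for _, d, p in q})
            return (f"ALERT {src}: {len(q)} connection attempts to "
                    f"{distinct_targets} distinct targets in {self.window:.0f}s")
        return None


def scan_records(records, window=WINDOW_SECONDS, max_conns=MAX_CONNS):
    """Run the detector over (ts, src, dst, dport, flags) tuples; return all alerts."""
    det = SynRateDetector(window, max_conns)
    alerts = []
    for rec in sorted(records, key=lambda r: r[0]):
        alert = det.observe(*rec)
        if alert:
            alerts.append(alert)
    return alerts


def sample_records():
    """Constructed traffic: one 'infected' host spraying SYNs at many hosts,
    one normal host with a few connections plus lots of established-flow packets."""
    recs = []
    # Infected host: 40 SYNs in about 4 seconds, each to a different destination.
    for i in range(40):
        recs.append((100.0 + i * 0.1, "10.0.0.50", f"203.0.113.{i + 1}", 445, "S"))
    # Normal host: 5 SYNs spread over 10 seconds.
    for i in range(5):
        recs.append((100.0 + i * 2.0, "10.0.0.7", "198.51.100.10", 80, "S"))
    # Established traffic (ACKs) from the normal host must not count as attempts.
    for i in range(50):
        recs.append((101.0 + i * 0.05, "10.0.0.7", "198.51.100.10", 80, "A"))
    return recs


if __name__ == "__main__":
    for line in scan_records(sample_records()):
        print(line)
```

Run as a script, the spraying host trips the alert on its 21st SYN, while the host with a handful of connections and a stream of established-flow packets stays quiet. The same per-source count-in-window idea is what Snort 2.x expresses natively with the `threshold` rule option (`threshold: type threshold, track by_src, count N, seconds S`) attached to a `flags:S` rule; the preprocessors Alex points to add the per-target bookkeeping a hand-written rule cannot.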




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users