Snort mailing list archives
high count, long time in threshold
From: sekure <sekure () gmail com>
Date: Wed, 11 Aug 2004 08:42:13 -0400
Hi all,

For the past few days I've been trying to figure out a rule to alert me whenever there is a large number of SYNs going by the sensor. This traffic is specific to something on my network and is usually directed to one particular port, so using the portscan or flow_portscan preprocessors is out of the question, at least based on my understanding. Normally I see about 10-15 SYNs/second on my network, but occasionally it gets to 40, 80, even 100. Definitely abnormal.

At first I tried this:

    alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type threshold, track by_src, seconds 1, count 40; classtype:misc-activity; sid: 1000035; rev:1;)

So 40 SYNs in one second and I'd get an alert. This worked flawlessly. The problem, though, was that this traffic would be sustained for about 4-5 hours, so in the morning I'd end up with hundreds of alerts.

So I tried a variation:

    alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type both, track by_src, seconds 60, count 1500; classtype:misc-activity; sid: 1000035; rev:1;)

Alert once per 60 seconds if there are more than 1500 SYNs in that time interval. That's an average of 25 SYNs/second. Definitely abnormal on my network, so I'd like to catch it.

HOWEVER, this rule doesn't really work. For a few days it was occasionally alerting me to portscans that scanned 5 hosts for 1 port, so at most maybe 30 SYNs (after all the retries, etc.). And then this morning, when I looked at my perfmon preprocessor statistics, I saw a sustained SYN rate of about 80 SYNs/sec for 5 hours overnight, but NO alerts.

Help? Is there a limit to how high I can set a count or a time in a threshold rule? Is snort running out of memory trying to keep track of the number of SYNs sent by EVERY host in a given time period?
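Added example, not code from the original post or from the Snort project: a small Python model of the three `threshold:` types the post is choosing between, as the Snort manual describes them (limit: alert on the first N matching events per time window; threshold: alert on every N-th event per window; both: alert once per window once N events have been seen), with counters kept per source as `track by_src` does. The traffic it runs over is constructed: one host sending a sustained 80 SYN/s for 300 seconds (the overnight rate the post reports, shortened), and a second host doing a 30-SYN scan. It models the documented semantics only, not Snort's actual threshold code, so it cannot say why the poster's second rule stayed silent; what it does show is what each rule should produce on that traffic: the 1-second/40 rule fires twice every second for as long as the flood lasts, the 60-second/1500 rule once per minute, and neither fires on the 30-SYN scan.

```python
"""Model of Snort 2.x `threshold:` semantics (type limit / threshold / both,
track by_src) run over constructed SYN traffic.

Added example; not the original post's code and not Snort's sfthd
implementation. Window handling follows the manual's description, so
edge cases at window boundaries may differ from real Snort.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ThresholdRule:
    kind: str        # "limit", "threshold" or "both"
    seconds: float   # length of the time window
    count: int       # events per window


@dataclass
class _State:
    window_start: float = 0.0
    seen: int = 0


class Thresholder:
    """Per-key event counter (track by_src) implementing one threshold rule."""

    def __init__(self, rule: ThresholdRule):
        if rule.kind not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type {rule.kind!r}")
        self.rule = rule
        self._state = defaultdict(_State)

    def event(self, ts: float, key: str) -> bool:
        """Feed one matching packet; return True if an alert should be emitted."""
        st = self._state[key]
        if st.seen == 0 or ts - st.window_start >= self.rule.seconds:
            st.window_start = ts      # start a fresh window for this source
            st.seen = 0
        st.seen += 1
        r = self.rule
        if r.kind == "limit":
            return st.seen <= r.count         # first `count` events per window
        if r.kind == "threshold":
            return st.seen % r.count == 0     # every `count`-th event per window
        return st.seen == r.count             # both: once per window, at the count-th event


def count_alerts(rule: ThresholdRule, events: Iterable[Tuple[float, str]]) -> int:
    """Number of alerts the rule would raise over a (timestamp, src) event stream."""
    th = Thresholder(rule)
    return sum(1 for ts, src in events if th.event(ts, src))


# --- constructed traffic (not captured data) ---------------------------------
def sustained_syns(rate_per_sec: int, duration_sec: int,
                   src: str = "10.0.0.5") -> List[Tuple[float, str]]:
    """`rate_per_sec` SYNs every second from one host, evenly spaced."""
    return [(sec + i / rate_per_sec, src)
            for sec in range(duration_sec) for i in range(rate_per_sec)]


def small_portscan(src: str = "10.0.0.9", targets: int = 5, syns_per_target: int = 6,
                   start: float = 1000.0, gap: float = 0.5) -> List[Tuple[float, str]]:
    """One host probing `targets` hosts, `syns_per_target` SYNs each (30 total)."""
    events, t = [], start
    for _ in range(targets):
        for _ in range(syns_per_target):
            events.append((t, src))
            t += gap
    return events


# The two rules from the post, plus a `limit` variant for contrast.
RULE_THRESHOLD_1S_40 = ThresholdRule("threshold", 1, 40)
RULE_BOTH_60S_1500 = ThresholdRule("both", 60, 1500)
RULE_LIMIT_60S_1 = ThresholdRule("limit", 60, 1)

if __name__ == "__main__":
    flood = sustained_syns(80, 300)   # 80 SYN/s for 5 minutes
    scan = small_portscan()           # 30 SYNs over 15 s
    for name, rule in [("threshold 1s/40", RULE_THRESHOLD_1S_40),
                       ("both 60s/1500", RULE_BOTH_60S_1500),
                       ("limit 60s/1", RULE_LIMIT_60S_1)]:
        print(f"{name:16} flood={count_alerts(rule, flood):4}  scan={count_alerts(rule, scan)}")
```

The `limit` row is there to show why it is the wrong type for this job: it fires on the first SYN of every minute no matter how low the rate is. Under the documented semantics the 30-SYN scan never reaches 1500 in a minute, so the scan alerts the post describes from the second rule are not explained by this model either.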
Current thread:
- high count, long time in threshold sekure (Aug 11)
- RE: high count, long time in threshold Marc Norton (Aug 11)
- Re: high count, long time in threshold sekure (Aug 11)
- RE: high count, long time in threshold Marc Norton (Aug 11)