Snort mailing list archives

Re: Question about thresholding. No answer in manual


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 8 Oct 2009 11:47:13 -0400

2009/10/8 Alexander Novokhatsky <alex.ontario () gmail com>

Hello snort community.

I have a question about thresholding. Maybe someone can share the
answer. It'll be very useful for everybody.

In my opinion it's the most logical way to use threshold: by using
track by_src and by_dst. And I was surprised why there is no option like
track by_both.

If we use only threshold by_src we can fail to track some attacks from this
src to other destinations.
If we use only threshold by_dst we can fail to track some attacks from
other sources to this destination.
If we use 2 rules we can fail to track both these events described above.

But if we use something like track by_src AND by_dst or track by_both
we can only fail to track some repeating attacks from a specific source
to a specific destination. But that's the point of thresholding. And we
won't miss both alerts from this src addressed to other
destinations, and from other hosts addressed to this specific dst.

Unfortunately there is no function like track by_both.

I'm quite new to snort, so maybe I missed something? Is there any way to
perform this action?

I think it's clear enough but here is an example:
Hosts - A,B are our HOME_NET (dst)
Hosts - C,D are EXTERNAL_NET (src)
Incoming ICMP is prohibited and generates an alert. And it's the only rule.

I'd like to configure threshold the way it generates only 1 alert per
minute but won't miss any unique alert. Unique alerts are: Attack from
C to A, from C to B, from D to A, from D to B.

Is it possible? If not, any ideas why there is no such functionality
in snort?



You presently can't do "both" thresholding (by_src and by_dst). You'd have
to do two separate thresholds, or write a pass rule.

Joel
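To make the trade-off in the question concrete, here is an added simulation (not from the thread, not Snort code) of a `type limit, count 1, seconds 60` filter over the poster's C/D to A/B scenario, comparing `track by_src`, `track by_dst`, and the hypothetical `by_both` key the poster asks for. The event stream and the sig_id in the comments are constructed.

```python
# Emulates Snort 2.x event_filter semantics of the form:
#   event_filter gen_id 1, sig_id <SIG_ID>, type limit, track by_src, count 1, seconds 60
# "limit" alerts on the first `count` events per tracking key in each
# `seconds` window and drops the rest of that window. 'by_both' is the
# hypothetical (src, dst) key the poster wishes existed; Snort has no such track.

def limit_filter(events, track, count=1, seconds=60):
    """Return the subset of (time, src, dst) events that would still alert."""
    keyfn = {
        "by_src": lambda e: e[1],
        "by_dst": lambda e: e[2],
        "by_both": lambda e: (e[1], e[2]),   # hypothetical key, see above
    }[track]
    window = {}   # key -> (window_start_time, alerts_seen_in_window)
    alerted = []
    for ev in sorted(events):
        t, key = ev[0], keyfn(ev)
        start, seen = window.get(key, (None, 0))
        if start is None or t - start >= seconds:
            start, seen = t, 0            # new window for this key
        if seen < count:
            alerted.append(ev)            # within the limit: alert passes
            seen += 1
        window[key] = (start, seen)
    return alerted

def missed_pairs(events, track, **kw):
    """Unique (src, dst) pairs present in the stream but never alerted on."""
    all_pairs = {(e[1], e[2]) for e in events}
    seen_pairs = {(e[1], e[2]) for e in limit_filter(events, track, **kw)}
    return all_pairs - seen_pairs

# Constructed stream: one minute of ICMP from external C, D to internal A, B,
# with a repeat C->A inside the window and another C->A after it expires.
SAMPLE_EVENTS = [
    (0, "C", "A"), (5, "C", "B"), (10, "D", "A"), (15, "D", "B"),
    (20, "C", "A"),   # repeat within the 60 s window
    (70, "C", "A"),   # next window, should alert again
]

if __name__ == "__main__":
    for track in ("by_src", "by_dst", "by_both"):
        print(track, "alerts:", len(limit_filter(SAMPLE_EVENTS, track)),
              "missed pairs:", sorted(missed_pairs(SAMPLE_EVENTS, track)))
```

Running it shows by_src loses C->B and D->B, by_dst loses D->A and D->B, and only the per-pair key keeps every unique source/destination combination while still suppressing the in-window repeat.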