Snort mailing list archives
Re: Question about thresholding. No answer in manual
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 8 Oct 2009 11:47:13 -0400
2009/10/8 Alexander Novokhatsky <alex.ontario () gmail com>
Hello Snort community. I have a question about thresholding. Maybe someone can share the answer. It'll be very useful for everybody.

In my opinion the most logical way to use threshold is by using track by_src and by_dst, and I was surprised that there is no option like track by_both.

If we use only threshold by_src we can fail to track some attacks from this src to other destinations.
If we use only threshold by_dst we can fail to track some attacks from other sources to this destination.
If we use 2 rules we can fail to track both of the events described above.

But if we use something like track by_src AND by_dst, or track by_both, we can only fail to track some repeating attacks from a specific source to a specific destination. But that's the point of thresholding. And we won't miss alerts from this src addressed to other destinations, or from other hosts addressed to this specific dst. Unfortunately there is no function like track by_both. I'm quite new to Snort, so maybe I missed something? Is there any way to perform this action?

I think it's clear enough, but here is an example:
Hosts A, B are our HOME_NET (dst)
Hosts C, D are EXTERNAL_NET (src)
Incoming ICMP is prohibited and generates an alert, and it's the only rule. I'd like to configure threshold so that it generates only 1 alert per minute but won't miss any unique alert. Unique alerts are: attack from C to A, from C to B, from D to A, from D to B.

Is it possible? If not, any ideas why there is no such functionality in Snort?
You presently can't do "both" thresholding (by_src and by_dst). You'd have to do two separate thresholds, or write a pass rule. Joel
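To make the trade-off in the question concrete, here is an added simulation (not code from the thread or from the Snort project) of a "type limit, count 1, seconds 60" threshold applied to the four-host ICMP scenario above, keyed three ways: by source, by destination, and by the (src, dst) pair that a "by_both" option would track. The events, hosts and timestamps are constructed for the example; the limit semantics (alert on the first `count` events per key, then stay quiet until the window expires) follow Snort's documented "limit" behaviour, and the commented threshold.conf lines show the two separate by_src/by_dst entries the reply refers to, with a placeholder sig_id.

```python
"""Simulate Snort-style 'type limit' thresholding under different tracking keys.

Equivalent Snort 2.x threshold.conf entries for the two-threshold approach
(sig_id 1000001 is a placeholder for the ICMP rule in the question):
    threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
    threshold gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# One alert event: (timestamp in seconds, source host, destination host).
Event = Tuple[float, str, str]

# Tracking keys mirroring the modes discussed in the thread.
# "by_pair" is the hypothetical "by_both" the question asks for.
KEYS: Dict[str, Callable[[Event], Tuple[str, ...]]] = {
    "by_src": lambda e: (e[1],),
    "by_dst": lambda e: (e[2],),
    "by_pair": lambda e: (e[1], e[2]),
}


def limit_filter(events: List[Event], track: str,
                 count: int = 1, seconds: int = 60) -> List[Event]:
    """Return the events that still alert under a 'type limit' threshold.

    At most `count` alerts per tracking key per window; the window opens on
    the first event seen for that key and later events in it are dropped.
    """
    key_fn = KEYS[track]
    window_start: Dict[Tuple[str, ...], float] = {}
    seen: Dict[Tuple[str, ...], int] = defaultdict(int)
    passed: List[Event] = []
    for ev in sorted(events, key=lambda e: e[0]):
        k, ts = key_fn(ev), ev[0]
        if k not in window_start or ts - window_start[k] >= seconds:
            window_start[k] = ts   # open a fresh window for this key
            seen[k] = 0
        if seen[k] < count:
            passed.append(ev)
        seen[k] += 1
    return passed


def missed_unique_flows(events: List[Event], track: str, **kw) -> List[Tuple[str, str]]:
    """Unique (src, dst) flows that never produce an alert under `track`."""
    all_flows = {(s, d) for _, s, d in events}
    alerted = {(s, d) for _, s, d in limit_filter(events, track, **kw)}
    return sorted(all_flows - alerted)


# Constructed scenario: C and D (EXTERNAL_NET) ping A and B (HOME_NET)
# inside one 60-second window, then C repeats its ping to A.
SCENARIO: List[Event] = [
    (0.0, "C", "A"),
    (5.0, "C", "B"),
    (10.0, "D", "A"),
    (15.0, "D", "B"),
    (20.0, "C", "A"),   # repeat of C->A inside the window; should be suppressed
]

if __name__ == "__main__":
    for mode in KEYS:
        fired = [(s, d) for _, s, d in limit_filter(SCENARIO, mode)]
        print(f"{mode:8s} alerts={fired} missed={missed_unique_flows(SCENARIO, mode)}")
```

Running it shows exactly the gap the question describes: by_src loses C->B and D->B, by_dst loses D->A and D->B, while keying on the pair fires once per unique flow and suppresses only the repeat.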
Current thread:
- Question about thresholding. No answer in manual Alexander Novokhatsky (Oct 08)
- Re: Question about thresholding. No answer in manual Joel Esler (Oct 08)