Snort mailing list archives
Re: Rate limiting alerts
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 9 Dec 2010 15:54:01 -0500
If you do a threshold using preprocessor gen_id 135, sig_id 1, you could deal with SYN packets from an individual host. So, you'd have to recompile Snort with the --enable-decoder-preprocessor-rules configure tag. Then you'd have to include your preprocessor.rules file (should be in the preproc_rules directory of the Snort tarball). Make sure you have the gen_id 135 rules enabled. Then you'd have to create your threshold based off of track by_src.

Look into README.decoder_preproc_rules, README.thresholding and README.filters in your doc/ directory of the Snort tarball.

Joel

On Thu, Dec 9, 2010 at 3:04 PM, Mike Kun <mkun () akamai com> wrote:
> Does Snort have the ability to rate-limit an alert? For example, if we were interested to know if a machine is part of a DDOS, we could threshold a rule to only fire if there are 250 SYN packets in 60 secs. But, this could fire if a user opens a webpage with lots of redirects or ads. Therefore, we'd like to only fire an alert if there is a sustained number of SYN packets over time, for example 50 SYN packets per second for 10 seconds. It doesn't seem like thresholding can do this...
-- 
Joel Esler
I apologize for typos, mobile device!
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
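The difference between the two behaviours discussed in this thread, shown as an added simulation (not code from Snort or from either poster): a window threshold of the kind Joel describes (count 250 in 60 seconds, track by_src, which is what Snort's threshold/event_filter does) versus the sustained-rate check Mike asks for (at least 50 SYNs in every one of 10 consecutive seconds). The SYN timestamps and the two source addresses are constructed for the example.

```python
from collections import defaultdict


def threshold_alerts(events, count, seconds):
    """Snort-style 'type threshold, track by_src': a window opens on a
    source's first event and lasts `seconds`; an alert fires on every
    `count`-th event inside that window. events = [(timestamp, src_ip)]."""
    alerts, window_start, seen = [], {}, defaultdict(int)
    for ts, src in events:
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src], seen[src] = ts, 0
        seen[src] += 1
        if seen[src] % count == 0:
            alerts.append((ts, src))
    return alerts


def sustained_alerts(events, per_sec, seconds):
    """What the question asks for: alert only when a source sends at
    least `per_sec` SYNs in each of `seconds` consecutive 1-second buckets."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src in events:
        buckets[src][int(ts)] += 1
    alerts = []
    for src, per_bucket in buckets.items():
        run = 0
        for sec in range(min(per_bucket), max(per_bucket) + 1):
            run = run + 1 if per_bucket.get(sec, 0) >= per_sec else 0
            if run == seconds:
                alerts.append((sec, src))
                run = 0
    return alerts


def build_sample():
    """Constructed traffic: a bursty host (ad-heavy page load, 300 SYNs in
    2 seconds, then silence) and a sustained host (50 SYNs/s for 12 s)."""
    bursty = [(t * 2 / 300, "10.0.0.5") for t in range(300)]
    steady = [(s + i / 50, "10.0.0.9") for s in range(12) for i in range(50)]
    return sorted(bursty + steady)


if __name__ == "__main__":
    sample = build_sample()
    # The 250-in-60s threshold fires on both hosts (3 alerts in total);
    # the sustained check fires only on 10.0.0.9, at the end of second 9.
    print("threshold:", threshold_alerts(sample, 250, 60))
    print("sustained:", sustained_alerts(sample, 50, 10))
```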
Current thread:
- Rate limiting alerts Mike Kun (Dec 09)
- Re: Rate limiting alerts Joel Esler (Dec 09)