Re: Detecting Connections in Snort

[Marcelo Olguin <molguin () inf utfsm cl>]

I understand that exists a particular funcionality in portscan snort's 
preprocessor, which let you set a threshold for connections. You can 
find more information en Snort 2.0 book (Syngress).

Bye

Marcelo
-.-


Faiz Ahmad Shuja wrote:

> Does anybody have idea about detecting multiple connections from a
> single IP in Snort?. I want to detect multiple connection request from a
> single IP to mail server [port 25]. Somtimes a single IP have taken up
> all the connection slots. Is there anyway to set a threshold?. If I am
> getting multiple connections from a single host to any service and it
> reaches a specific count, I get the alert?.
>
> Please advise.
>
> Thanks!
>
>
> Regards,
> Faiz
>  




-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities 
- including intrusion identification, relevancy, direction, impact and analysis 
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------