Snort mailing list archives
Re: Can Snort do this?
From: "guillaume.rix" <Guillaume.Rix () Sun COM>
Date: Fri, 17 Oct 2003 09:06:41 +0200
You can use iptables for this (--limit, --limit-burst and --tcp-flags):
Here is one part of my firewall script:

# User chain that logs and queues every new outbound TCP connection.
iptables -N tcpHandler

# --tcp-flags takes a mask and a comparison list: SYN set, ACK/FIN/RST clear
# (the same match as --syn). Note that -m limit is a single token bucket for
# the rule as a whole, not one bucket per source address.
iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -s 192.168.172.1 -m state --state NEW -m limit --limit 500/hour --limit-burst 500 -j tcpHandler
# Once the bucket is empty, log that fact at most once per hour ...
iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -s 192.168.172.1 -m state --state NEW -m limit --limit 1/hour --limit-burst 1 -j LOG --log-prefix "+ de 500 ICMP out : "
# ... and drop the excess SYNs.
iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -s 192.168.172.1 -m state --state NEW -j DROP

iptables -A tcpHandler -j LOG --log-prefix "OUTBOUND CONN TCP: "
iptables -A tcpHandler -j QUEUE

Cheers,
Guillaume

Erek Adams wrote:
On Thu, 16 Oct 2003, Sheahan, Paul wrote:

I'd like to be able to flag source addresses when they cross a certain threshold of connections per minute, hour, or day. For example, normally if I visit a website and follow normal means to purchase a product on that website, then log off normally, my session while on that site might consist of maybe 500 total packets and maybe 50 of those packets might be TCP SYNs (let's say for example's sake). Let's say this is normal for a particular site. Now if I get 500 TCP SYNs from the same IP address over a certain time period (hours or a day), then I'd like to flag this, since this is not normal behaviour. Can Snort do something like this, like maybe with a TCP SYN preprocessor or something? Any tips/recommendations here?

Nope. Snort's thresholding is signature based. As for a preproc, it would be the thing to do it, but it's not going to be an easy thing to do. Keeping track of SYNs or any other packet for that amount of time could be a rather memory intensive application. It's either that or make it really slow and go to disk...

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
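Paul asked for a per-source threshold ("500 SYNs from the same IP in an hour"), Erek's objection was the memory needed to keep that state for hours, and Guillaume's -m limit rules rate-limit the rule as a whole rather than any one address. The script below is an added example, not code from the thread or from Snort: it reads the syslog lines that Guillaume's "OUTBOUND CONN TCP: " LOG rule would produce (the sample lines are constructed for this example), keeps only the newest limit+1 SYN timestamps per source so memory stays bounded no matter how long the window is, and raises one alert per source per window when the count is exceeded. The syslog year is an assumption passed in as a parameter, since iptables LOG lines do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of iptables LOG output (syslog format) as the
# "OUTBOUND CONN TCP: " rule in the thread would write it. Not real traffic.
SAMPLE_LOG = """\
Oct 17 09:00:01 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 09:00:02 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 17 09:00:10 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.6 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=33002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 09:00:20 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.2 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 09:00:30 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=33003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 09:00:40 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=33004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 09:00:50 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=33005 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 09:05:00 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=33006 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Syslog timestamp, host, the LOG prefix from the thread, then the iptables
# key=value fields. PROTO=TCP is followed by the TCP flag names.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: OUTBOUND CONN TCP: "
    r".*\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)\b.*\bPROTO=TCP\b(?P<rest>.*)$"
)


def parse_syn_line(line, year):
    """Return (timestamp, source IP) for a pure-SYN line, else None.

    `year` is assumed by the caller: syslog timestamps omit it.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    flags = m.group("rest")
    # Only the first packet of a handshake: SYN set and ACK clear.
    if not re.search(r"\bSYN\b", flags) or re.search(r"\bACK\b", flags):
        return None
    ts_text = " ".join(m.group("ts").split())  # "Oct  7" -> "Oct 7"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src")


class SynThreshold:
    """Alert when one source sends more than `limit` SYNs in `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        # Only the newest limit+1 timestamps per source can matter, so state is
        # O(sources * limit) however long the window or the run.
        self.recent = defaultdict(lambda: deque(maxlen=limit + 1))
        self.last_alert = {}

    def observe(self, ts, src):
        q = self.recent[src]
        while q and ts - q[0] > self.window:  # forget SYNs outside the window
            q.popleft()
        q.append(ts)
        if len(q) <= self.limit:
            return False
        last = self.last_alert.get(src)
        if last is not None and ts - last <= self.window:
            return False  # already alerted for this source in this window
        self.last_alert[src] = ts
        return True

    def prune(self, now):
        """Drop sources idle for a full window so the per-source table stays bounded."""
        for src in [s for s, q in self.recent.items() if not q or now - q[-1] > self.window]:
            del self.recent[src]
            self.last_alert.pop(src, None)


def run_detector(log_text, limit=3, window_seconds=60, year=2003):
    """Feed log lines through the detector; return [(timestamp, source), ...] alerts."""
    det = SynThreshold(limit, window_seconds)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_syn_line(line, year)
        if parsed is None:
            continue
        ts, src = parsed
        if det.observe(ts, src):
            alerts.append((ts.isoformat(sep=" "), src))
        det.prune(ts)
    return alerts


if __name__ == "__main__":
    for when, src in run_detector(SAMPLE_LOG):
        print(f"{when} {src} exceeded SYN threshold")
```

With limit=3 over a 60 second window, the sample fires once, at 09:00:40 for 192.168.172.1 (its fourth SYN inside a minute); the ACK line is ignored, the fifth SYN ten seconds later is suppressed as a repeat, and the SYN at 09:05:00 starts a fresh count. Per-source bookkeeping is what -m limit cannot give you; this is the state Erek warns about, kept small by discarding everything older than the window and everything beyond limit+1 entries.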
Current thread:
- Can Snort do this? Sheahan, Paul (Oct 16)
- Re: Can Snort do this? Erek Adams (Oct 16)
- Re: Can Snort do this? guillaume.rix (Oct 17)
- Re: Can Snort do this? Guillaume . Rix (Oct 17)
- Re: Can Snort do this? Chris Green (Oct 20)
- how to log payload data to MySQL and /var/log/snort/ Sam Wun (Oct 20)
- Re: Can Snort do this? Erek Adams (Oct 16)