Snort mailing list archives
Re: ru.le to detect lots of syn pkts?
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 04 Jun 2004 11:33:01 -0400
At 10:12 AM 6/4/2004, Rich Adamson wrote:
The problem was one customer was infected with a virus that caused their machine to attempt 1,000s of connections with various Internet boxes. Is there a way to write a general rule that would alert when any -> any attempts more than xx connections per unit of time on any port?
The classic portscan preprocessor, set with rather high thresholds, should be useful in picking up Blaster, Sasser, and the similar high volume of connections generated by worm infections.
While it's not very good at detecting real-world portscans without false alarms, it's very good at detecting truly massive scans like a worm causes. Set it to something on the order of 500 connections in 5 seconds.
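For readers who want to see what the suggestion above looks like in snort.conf, here is an added configuration fragment. It is not part of the original post or of the Snort distribution; it uses the classic (Snort 1.x / 2.0-era) portscan preprocessor syntax with the 500-in-5-seconds threshold from the reply, and, as a second option closer to the original question, a plain rule using Snort 2.x's `threshold` keyword to count TCP SYNs per source regardless of destination host or port. The log file path and the sid are placeholders chosen for this example.

```snort
# Added example, not from the original thread or the Snort project.
#
# Option 1: classic portscan preprocessor.
#   preprocessor portscan: <monitored net> <number of ports> <seconds> <log file>
# 500 ports in 5 seconds is the threshold suggested in the reply; it is far
# above normal client behaviour, so it is quiet for ordinary traffic but fires
# quickly on a worm-infected host. The log path is an assumption.
preprocessor portscan: $HOME_NET 500 5 /var/log/snort/portscan.log

# Option 2: a general rule, as the original question asked for.
# flags:S matches TCP SYN (connection attempt) packets only; the threshold
# keyword counts them per source address and raises one alert for every
# 500 SYNs seen from the same source within 5 seconds, whatever the
# destination host or port. Scoping the source to $HOME_NET keeps busy
# external servers from tripping it. sid 1000001 is a placeholder in the
# local (>= 1000000) range.
alert tcp $HOME_NET any -> any any (msg:"Possible worm: 500+ TCP SYNs from one host in 5s"; flags:S; threshold: type threshold, track by_src, count 500, seconds 5; classtype:attempted-recon; sid:1000001; rev:1;)
```

The rule form is the one to prefer when the infected host hammers a single port (135, 445, and the like) on thousands of different hosts, since it simply counts SYNs per source; expect it to fire on legitimate high-connection-rate machines such as proxies or mail relays, so exclude those sources or raise the count if they sit in $HOME_NET.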
Current thread:
- ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? AJ Butcher, Information Systems and Computing (Jun 04)
- Re: ru.le to detect lots of syn pkts? Paul Schmehl (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Matt Kettler (Jun 04)
- <Possible follow-ups>
- Re: ru.le to detect lots of syn pkts? Paul Schmehl (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Paul Schmehl (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)