Snort mailing list archives
Re: ru.le to detect lots of syn pkts?
From: Rich Adamson <radamson () routers com>
Date: Fri, 4 Jun 2004 10:57:25 -0600
> > We ran into a problem last night at an ISP operation where a Cisco 7206 with NATing ran out of NAT translation table space, causing the router to use 100% of the CPU (known problem with this IOS version, but can't upgrade right now). The problem was one customer was infected with a virus that caused their machine to attempt 1,000's of connections with various Internet boxes. Is there a way to write a general rule that would alert when any -> any attempts more than xx connections per unit of time on any port?
>
> Of course. That's what thresholding is for. For example:
>
>     alert tcp any any -> any any (msg:"High traffic host"; threshold: type both, track by_src, count 4000, seconds 60; classtype:misc-activity; sid:1000001; rev:1;)
>
> This rule will send one alert per minute for every host that transmits more than 4000 packets per minute. The number 4000 is completely arbitrary. You can make it anything you want.
>
> Or, if you only want to catch outbound traffic:
>
>     alert tcp $HOME_NET any -> any any (msg: blah, blah.)
>
> If you only want to catch SYN packets:
>
>     alert tcp $HOME_NET any -> any any (msg:"High traffic host, SYN packets"; flags:S; threshold: type both, track by_src, count 4000, seconds 60; classtype:misc-activity; sid:1000002; rev:1;)
>
> To make these rules really work, you're going to want to exclude hosts that are *supposed* to have high traffic. So, you could create a variable:
>
>     var HIGH_NORMAL [x.x.x.x/32,x.x.x.x/32,x.x.x.x/32]
>
> Then rewrite the rule like this:
>
>     alert tcp !$HIGH_NORMAL any -> any any (blah....)
Thanks Paul, that's exactly what I was hoping/looking for. Without doing any testing, it would appear the SYN approach might lead to the best alerts with a minimum of false positives. Since this is an ISP, I don't think there's going to be much value in attempting to define anything called normal. ;)

Rich
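The `threshold: type both, track by_src, count N, seconds S` behaviour that the quoted reply relies on is easy to misread (it is not "N alerts", and a host that keeps hammering does not keep alerting within the window). The following Python simulation is an added example and is not code from the thread or from the Snort project: it replays constructed TCP records through a per-source counter with the same "both" semantics (alert once per window when the count is reached, then stay quiet until the window expires), counts only SYN packets as the `flags:S` rule does, and skips sources that fall in a `HIGH_NORMAL`-style exclusion list. The packet records, the `10.0.0.0/32` exclusion entry and the count of 10 (instead of 4000) are constructed values chosen to keep the sample small.

```python
"""Simulate Snort's `threshold: type both, track by_src, count N, seconds S`
over a constructed stream of TCP packet records.

Constructed example; the addresses, timestamps and the exclusion list are
made up and stand in for the thread's `var HIGH_NORMAL [...]`.
"""
import ipaddress

# Assumed exclusion list (constructed): hosts that are supposed to be busy.
HIGH_NORMAL = [ipaddress.ip_network("10.0.0.0/32")]


class BothThreshold:
    """'type both' semantics: for each tracked source, raise one alert when
    `count` matches are seen inside a `seconds`-long window that starts at
    the source's first match, then suppress further alerts until a new
    window begins."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        # src -> (window_start, hits_in_window, already_alerted)
        self._state = {}

    def feed(self, src, ts):
        start, hits, alerted = self._state.get(src, (ts, 0, False))
        if ts - start >= self.seconds:
            # Window expired: start a fresh one at this packet.
            start, hits, alerted = ts, 0, False
        hits += 1
        fire = hits >= self.count and not alerted
        if fire:
            alerted = True
        self._state[src] = (start, hits, alerted)
        return fire


def detect_syn_floods(packets, count=10, seconds=60, exclude=HIGH_NORMAL):
    """Apply the SYN-only thresholded rule to (timestamp, src, tcp_flags)
    records. Returns the (timestamp, src) pairs that would alert."""
    threshold = BothThreshold(count, seconds)
    alerts = []
    for ts, src, flags in packets:
        if flags != "S":            # mirrors `flags:S` in the rule
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in exclude):   # mirrors `!$HIGH_NORMAL`
            continue
        if threshold.feed(src, ts):
            alerts.append((ts, src))
    return alerts


def syn_flood_sample():
    """Constructed traffic: one noisy host, one quiet host, one excluded
    host, and one host sending only ACKs."""
    pkts = []
    # Noisy host: 12 SYNs in the first minute, then 10 more starting at t=70.
    pkts += [(float(i), "192.0.2.10", "S") for i in range(12)]
    pkts += [(70.0 + i, "192.0.2.10", "S") for i in range(10)]
    # Quiet host: 5 SYNs spread over 40 seconds.
    pkts += [(float(i * 10), "192.0.2.20", "S") for i in range(5)]
    # Excluded host: 50 SYNs, one per second.
    pkts += [(float(i), "10.0.0.0", "S") for i in range(50)]
    # Non-SYN traffic that the SYN rule must ignore.
    pkts += [(float(i), "192.0.2.30", "A") for i in range(20)]
    pkts.sort(key=lambda p: p[0])   # stable sort keeps per-host order
    return pkts


if __name__ == "__main__":
    for ts, src in detect_syn_floods(syn_flood_sample()):
        print(f"t={ts:>5}s  alert: High traffic host, SYN packets  src={src}")
```

Running it shows exactly two alerts, both for `192.0.2.10`: one when its tenth SYN arrives in the first window and one in the second window, which is what "one alert per minute" means in practice; the excluded host never alerts even though it sent more SYNs than anyone. Snort's own implementation starts the window at the first matching packet for that source in the same way, so a host that sends bursts shorter than the window but spread across two windows can slip under the count; lowering `seconds` tightens that. Later Snort releases replace the in-rule `threshold` keyword with `detection_filter` and `event_filter`, but the counting semantics of `type both` are unchanged.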
Current thread:
- ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? AJ Butcher, Information Systems and Computing (Jun 04)
- Re: ru.le to detect lots of syn pkts? Paul Schmehl (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Matt Kettler (Jun 04)
- <Possible follow-ups>
- Re: ru.le to detect lots of syn pkts? Paul Schmehl (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)
- Re: ru.le to detect lots of syn pkts? Paul Schmehl (Jun 04)
- Re: ru.le to detect lots of syn pkts? Rich Adamson (Jun 04)