Snort mailing list archives
Thresholding the threshold
From: sekure <sekure () gmail com>
Date: Fri, 6 Aug 2004 09:25:44 -0400
Hey everyone, I understand that you can't really apply a threshold to the same rule twice, but I was wondering if anyone has suggestions as to how I might be able to figure this one out. I have a rule that alerts whenever it encounters more than 20 SYNs per second:

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type threshold, track by_src, seconds 1, count 25; classtype:misc-activity; sid: 1000035; rev:1;)

This is not for detecting portscans so much as for detecting misconfigured applications (I monitor a development segment and they often bombard our production network with hundreds of SYNs/second). The problem is that last night, for example, I got alerted 620 times in a matter of 5 minutes. There is no way to threshold the alert on a rule with a threshold in it. Also, applying a global threshold doesn't help since local thresholding overrides it.

I think it's time to dive into the portscan or flow-portscan preprocessor. Question: would they allow me to detect when there is a large number of SYNs sent to the SAME port? Because that's what I am trying to find.
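To see why the rule above fires so often, and what changing the threshold type, window and tracking key would do, here is an added simulation (not Snort's code and not part of the original post) of Snort's three threshold types over constructed SYN traffic. Host A, port 8080, the rate and the (src, dst port) tracking key are all assumptions; Snort's own threshold only supports track by_src or by_dst, so the per-port key models what the poster asked for rather than an existing option.

```python
# Simplified model of Snort's per-rule threshold semantics ('limit',
# 'threshold', 'both'). Added illustration only: Snort's real code differs
# in details (memory caps, window bookkeeping), so results are indicative.

def make_events():
    """Constructed traffic; timestamps are milliseconds.
    Host A: 50 SYN/s to a single port for 4 s (a misconfigured app).
    Host B: 40 SYN/s spread over distinct ports for 4 s."""
    a = [(i * 20, "10.1.1.5", "10.2.2.9", 8080) for i in range(200)]
    b = [(i * 25, "10.1.1.6", "10.2.2.9", 1000 + i) for i in range(160)]
    return sorted(a + b)

def apply_threshold(events, kind, count, seconds, track):
    """Return the events that would alert under one threshold config.
    kind: 'limit' (first `count` per window), 'threshold' (every `count`),
    'both' (once per window after `count`). track: key function."""
    window = seconds * 1000
    state = {}  # key -> (window_start_ms, events_seen_in_window)
    alerts = []
    for ev in events:
        ts, key = ev[0], track(ev)
        start, n = state.get(key, (None, 0))
        if start is None or ts - start >= window:
            start, n = ts, 0  # window expired: start a new one
        n += 1
        if kind == "limit":
            fire = n <= count
        elif kind == "threshold":
            fire = n >= count
            if fire:
                start, n = ts, 0  # counter restarts after each alert
        elif kind == "both":
            fire = n == count
        else:
            raise ValueError(f"unknown threshold type {kind!r}")
        if fire:
            alerts.append(ev)
        state[key] = (start, n)
    return alerts

def by_src(ev):
    return ev[1]

def by_src_dst_port(ev):  # assumed key, not a Snort track option
    return (ev[1], ev[3])

def compare():
    ev = make_events()
    return {
        "threshold 25/1s by_src": len(apply_threshold(ev, "threshold", 25, 1, by_src)),
        "threshold 25/1s by src+dport": len(apply_threshold(ev, "threshold", 25, 1, by_src_dst_port)),
        "both 25/60s by src+dport": len(apply_threshold(ev, "both", 25, 60, by_src_dst_port)),
    }
```

Running compare() shows the original config firing every 25 SYNs per second for both hosts, the per-port key ignoring host B's scattered SYNs, and type both with a 60 s window collapsing host A's flood into a single alert.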
Current thread:
- Thresholding the threshold sekure (Aug 06)
- Re: Thresholding the threshold Keith W. McCammon (Aug 06)
- Re: Thresholding the threshold sekure (Aug 06)
- Re: Thresholding the threshold Keith W. McCammon (Aug 06)
- Re: Thresholding the threshold sekure (Aug 06)
- Re: Thresholding the threshold Keith W. McCammon (Aug 06)