Snort mailing list archives

Thresholding the threshold


From: sekure <sekure () gmail com>
Date: Fri, 6 Aug 2004 09:25:44 -0400

Hey everyone,

I understand that you can't really apply a threshold to the same rule
twice, but I was wondering if anyone has suggestions as to how I might
be able to figure this one out.

I have a rule that alerts whenever it encounters more than 20 SYNs per
second:

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type threshold, track by_src, seconds 1, count 25; classtype:misc-activity; sid: 1000035; rev:1;)

This is not for detecting portscans so much as for detecting misconfigured
applications (I monitor a development segment and they often bombard
our production network with hundreds of SYNs/second).

The problem is that last night, for example, I got alerted 620 times in
a matter of 5 minutes.  There is no way to threshold the alert on a
rule with threshold in it.  Also, applying a global threshold doesn't
help since local thresholding overrides it.

I think it's time to dive into portscan or flow-portscan preprocessor.
Question: would they allow me to detect when there is a large number
of SYNs sent to the SAME port?  Because that's what I am trying to
find.
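The two-stage behaviour the post is after, written as an added example that is not part of the original message and is not Snort's own code: it models Snort's "type threshold" (fire on every count-th event in a window) and "type limit" (only the first event per window) semantics in Python over constructed SYN records, tracking the first stage by source and destination port so that SYNs to the same port are what trigger it, and then rate-limiting the resulting alerts per source. The Syn record, the Window class and the sample traffic are assumptions of this example.

```python
"""Two-stage SYN-rate thresholding modelled on Snort threshold semantics (added example)."""
from collections import namedtuple

# One TCP SYN: timestamp in milliseconds, source IP, destination IP, destination port
Syn = namedtuple("Syn", "ts_ms src dst dport")


class Window:
    """Per-key event counter over a window of `seconds` that restarts once it expires."""

    def __init__(self, seconds):
        self.ms = seconds * 1000
        self.state = {}  # key -> (window_start_ms, events_seen_in_window)

    def count(self, key, ts_ms):
        start, n = self.state.get(key, (ts_ms, 0))
        if ts_ms - start >= self.ms:  # window expired: start a fresh one
            start, n = ts_ms, 0
        n += 1
        self.state[key] = (start, n)
        return n


def detect(syns, count=25, seconds=1, limit_seconds=60):
    """Stage 1 is the poster's rule: 'type threshold' fires on every `count`-th SYN from
    one source to one destination port within `seconds` (keying on src AND dport is what
    answers the 'same port' question). Stage 2 is a 'type limit' applied to the alerts
    stage 1 produces: at most one alert per source per `limit_seconds`."""
    stage1, stage2, alerts = Window(seconds), Window(limit_seconds), []
    for s in syns:
        if stage1.count((s.src, s.dport), s.ts_ms) % count != 0:
            continue  # below the per-second SYN rate for this source/port pair
        if stage2.count(s.src, s.ts_ms) > 1:
            continue  # already alerted on this source within limit_seconds
        alerts.append((s.ts_ms, s.src, s.dport))
    return alerts


def sample_traffic():
    """Constructed input, 5 seconds of traffic: 10.0.0.5 hammers port 80 at 100 SYN/s (the
    misconfigured app), 10.0.0.9 sends 100 SYN/s spread across 100 ports, 10.0.0.7 sends
    10 SYN/s to port 80. Only the first source should ever trip stage 1."""
    syns = []
    for i in range(500):
        ts = i * 10
        syns.append(Syn(ts, "10.0.0.5", "10.0.1.7", 80))
        syns.append(Syn(ts, "10.0.0.9", "10.0.1.7", 1024 + i % 100))
        if i % 10 == 0:
            syns.append(Syn(ts, "10.0.0.7", "10.0.1.7", 80))
    return syns


if __name__ == "__main__":
    for alert in detect(sample_traffic(), limit_seconds=2):
        print("alert", alert)  # -> three alerts for 10.0.0.5, at 240, 2240 and 4240 ms
```

With the default 60-second limit the same five seconds of traffic produce a single alert instead of the 20 that stage 1 alone would raise.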

