Snort mailing list archives
Re: Thresholding the threshold
From: sekure <sekure () gmail com>
Date: Fri, 6 Aug 2004 12:37:11 -0400
On Fri, 6 Aug 2004 11:47:04 -0400, Keith W. McCammon <mccammon () gmail com> wrote:
> See the docs for thresholding. There are different types of threshold rules. You probably want the "both" type. You may need to tweak the rule (set the interval longer), though.
I agree, I could use type "both" and set the time interval to about 60 seconds, which should limit the # of alerts I end up seeing to 1 per second, but that would mean that I'd get a lot more alerts, and the important ones may get suppressed. 20 SYNs in 60 seconds is not exactly the same as 20 SYNs in 1 second. So it'll have to be a lot of guesswork to get the # high enough not to FP. Then again, at the rates I am talking about here I might be able to tweak it just right.
> You don't want flow_portscan.....Don't think portscan will work, either
You just saved me a lot of experimenting and frustration. So unless people disagree, I'll abandon that approach.
> If I may, I'll make a suggestion that I made recently to someone with a similar problem. You're really looking for anomalous network traffic, as opposed to an attack. Perhaps something like NTop might help you to pinpoint the source and severity of these issues with a lot less work, and may also provide more useful data.
I do have ntop running on that segment, but all it was telling me was that the source and the destination exchanged 3.5MB over the course of that hour (it happened at night). Nothing suspicious: a tiny amount of traffic among thousands of other sessions between other hosts happening at the same time, taking up MUCH more bandwidth. What it DIDN'T tell me was that this was ALL very short sessions in a very short period of time, which was causing the router in the middle to spike in CPU utilization as it was trying to keep state for thousands of connections (which is what I was trying to find out in the first place).
> Also, in response to your description of the problem, a firewall between your development and production segments would probably be advisable
I WISH it was that easy. :)
> Hope this helps...
It did! Thanks!
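The trade-off sekure describes above (20 SYNs in 60 seconds is not the same as 20 SYNs in 1 second, yet a `type both` threshold with a 60-second interval treats them alike, and a long interval also collapses a real burst into a single alert) can be made concrete by simulating the thresholding logic over constructed event streams. The following is an added example, not code from the thread or from Snort itself; it models the documented `type both` semantics (alert once when `count` events from the same tracked key arrive within `seconds`, then stay quiet until the interval expires), which in the Snort 2 configuration of the era is written as `threshold gen_id <gid>, sig_id <sid>, type both, track by_src, count 20, seconds 60`. The hosts, timestamps and counts below are constructed for illustration.

```python
"""Simulate Snort-style event thresholding of type "both" (added example).

Models the rule: for each tracked key (here: source host), once `count`
events have been seen within a `seconds`-long window, alert once, then
suppress further alerts for that key until the window expires.
"""
from typing import Iterable, List, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, tracked key such as src IP)


def threshold_both(events: Iterable[Event], count: int, seconds: float) -> List[Event]:
    """Return the events that would actually produce an alert.

    `events` must be in arrival order. The window for a key opens on its first
    event and is reset once an event arrives `seconds` or more after that.
    """
    # key -> [window_start, events_seen_in_window, already_alerted_in_window]
    state = {}
    alerts: List[Event] = []
    for ts, key in events:
        win = state.get(key)
        if win is None or ts - win[0] >= seconds:
            win = [ts, 0, False]  # open a fresh window for this key
            state[key] = win
        win[1] += 1
        if win[1] >= count and not win[2]:
            alerts.append((ts, key))  # the count-th event fires the alert
            win[2] = True  # "both": no more alerts until the window resets
    return alerts


# Constructed scenario 1: a slow trickle, 20 SYNs from host A, one every 3 s.
def make_slow_scan() -> List[Event]:
    return [(3.0 * i, "A") for i in range(20)]


# Constructed scenario 2: a burst, 1000 SYNs from host B inside one second.
# This is the kind of short-session storm that loads a stateful router.
def make_burst() -> List[Event]:
    return [(i / 1000.0, "B") for i in range(1000)]


def alert_count(events: List[Event], count: int, seconds: float) -> int:
    """Number of alerts the threshold would emit for the given stream."""
    return len(threshold_both(events, count, seconds))


def compare_intervals() -> dict:
    """Summarise how the interval choice changes what gets reported."""
    slow, burst = make_slow_scan(), make_burst()
    mixed = sorted(slow + burst)  # both hosts interleaved, tracked separately
    return {
        # 60 s interval: slow trickle and burst both fire exactly once,
        # so the threshold cannot distinguish them (sekure's concern).
        "slow_60s": alert_count(slow, 20, 60),
        "burst_60s": alert_count(burst, 20, 60),
        # 1 s interval: the trickle never reaches 20 within a second, the
        # burst still collapses to one alert instead of 1000 raw ones.
        "slow_1s": alert_count(slow, 20, 1),
        "burst_1s": alert_count(burst, 20, 1),
        "burst_raw": len(burst),
        # by_src tracking keeps the two hosts' counters independent.
        "mixed_60s": alert_count(mixed, 20, 60),
    }


if __name__ == "__main__":
    for name, value in compare_intervals().items():
        print(f"{name:>10}: {value}")
```

Running it shows the point of the thread: with a 60-second interval both the trickle and the 1000-packet burst become a single alert each, while a 1-second interval separates them but requires the count to be tuned against the normal connection rate on the segment to avoid false positives.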