Snort mailing list archives
Alerting after Threshold/Suppression
From: "Justin Mitchell" <tcpandip () gmail com>
Date: Fri, 30 Mar 2007 05:55:29 -0400
Hello All,

I would like a rule to alert for a specified amount/time AFTER a threshold is met. Take the following rule for example:

alert tcp any any -> any $HTTP_PORTS (msg:"45\+ HTTP Requests \< 1 Minute"; flags:AP; pcre:!"/GET \/.*\.(gif|jpg|bmp|tiff|pic).*HTTP\/[0-9]\.[0-9]/i"; threshold: type both, track by_src, count 45, seconds 60; sid:5000001; rev:1;)

Accordingly, the rule only alerts (like it should) once every minute if more than 45 HTTP <non_image> requests are made within one minute. However, I would like for it (as long as it meets the specified flags and pcre) to fire thereafter for N seconds and/or N alerts. The catalyst for all this is I need to extract/roll up the accompanying GET requests to verify fidelity and illustrate more context (w/o reviewing the log).

Options tested/contemplated thus far (to my knowledge):

- Activate/Dynamic rule - Only valid for logging. If compatible with *alerting* I imagine I could construct an activate/pass -> dynamic/alert combo.
- Flowbits - Only valid for that session.
- Suppression - Absolute suppression.
- Tag - Nonessential packets are displayed.

Any ideas? Is Snort alone capable of this without manually correlating the solo alert to web logs? Telling Snort to run <insert_program_here> (pl, sh, py, etc.) is another viable option, but I could not locate concrete/stable information on how to accomplish this. 3rd party/home-grown preprocessor?

TIA!
- binaryechoes
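The following is an added example, not part of the original post and not Snort code. It models in Python what the rule above does and what the poster is asking for: the `threshold: type both, track by_src, count C, seconds S` option fires once on the C-th matching event from a source inside an S-second window and then stays quiet until that window expires, which is why a single alert is all you get to correlate against. The `FollowUp` class is a model of the behaviour the post wants (keep alerting on that source for N seconds or N alerts after the threshold fires); it is not an existing Snort option. The request-log format, the IP addresses and the log lines are constructed for the example, and the image-extension regex mirrors the rule's negated pcre.

```python
import re

# Constructed request log, format: "<epoch seconds> <source ip> <request line>".
# 10.0.0.5 makes a burst of non-image GETs; 10.0.0.9 makes only two.
SAMPLE_LOG = """\
0 10.0.0.5 GET /a.html HTTP/1.1
1 10.0.0.5 GET /b.html HTTP/1.1
2 10.0.0.5 GET /logo.gif HTTP/1.1
2 10.0.0.5 GET /c.html HTTP/1.1
3 10.0.0.5 GET /d.html HTTP/1.1
3 10.0.0.9 GET /x.html HTTP/1.1
4 10.0.0.5 GET /e.php HTTP/1.1
5 10.0.0.5 GET /f.html HTTP/1.1
6 10.0.0.5 GET /g.jpg HTTP/1.1
8 10.0.0.5 GET /h.html HTTP/1.1
9 10.0.0.5 GET /i.html HTTP/1.1
10 10.0.0.5 GET /j.html HTTP/1.1
20 10.0.0.9 GET /y.html HTTP/1.1
70 10.0.0.5 GET /k.html HTTP/1.1
"""

# Same pattern as the rule's pcre. The rule negates it (pcre:!"..."), so a
# request matches the rule only when this regex does NOT match.
IMAGE_GET = re.compile(r"GET /.*\.(gif|jpg|bmp|tiff|pic).*HTTP/[0-9]\.[0-9]", re.I)


def rule_matches(request: str) -> bool:
    """The rule's content side: any GET that is not for an image file."""
    return IMAGE_GET.search(request) is None


class ThresholdBoth:
    """Model of `threshold: type both, track by_src, count C, seconds S`.

    Per source, a window opens at the first matching event; the C-th event
    inside that window fires once, later events in the window are ignored,
    and the window resets on the first event after it expires.
    """

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> [window_start, events_seen]

    def check(self, src: str, ts: float) -> bool:
        win = self.windows.get(src)
        if win is None or ts - win[0] >= self.seconds:
            win = self.windows[src] = [ts, 0]
        win[1] += 1
        return win[1] == self.count


class FollowUp:
    """Hypothetical post-threshold window (not a Snort option): after a
    threshold alert for a source, keep alerting on that source's matching
    events for `seconds` seconds or `max_alerts` alerts, whichever ends first.
    """

    def __init__(self, seconds: float, max_alerts: int):
        self.seconds, self.max_alerts = seconds, max_alerts
        self.active = {}  # src -> [deadline, alerts_left]

    def open(self, src: str, ts: float) -> None:
        self.active[src] = [ts + self.seconds, self.max_alerts]

    def check(self, src: str, ts: float) -> bool:
        state = self.active.get(src)
        if state is None:
            return False
        if ts >= state[0] or state[1] <= 0:
            del self.active[src]  # window or alert budget exhausted
            return False
        state[1] -= 1
        return True


def run(log: str, count: int, seconds: float, follow_seconds: float, follow_max: int):
    """Replay the log and return (ts, src, kind, request) tuples for each alert."""
    thr = ThresholdBoth(count, seconds)
    fol = FollowUp(follow_seconds, follow_max)
    alerts = []
    for line in log.splitlines():
        ts_text, src, request = line.split(" ", 2)
        ts = float(ts_text)
        if not rule_matches(request):
            continue  # flags/pcre gate everything, including the counters
        if thr.check(src, ts):
            fol.open(src, ts)
            alerts.append((ts, src, "threshold", request))
        elif fol.check(src, ts):
            alerts.append((ts, src, "followup", request))
    return alerts


if __name__ == "__main__":
    # count lowered from 45 to 5 so the constructed log trips it.
    for alert in run(SAMPLE_LOG, count=5, seconds=60, follow_seconds=10, follow_max=3):
        print(alert)
```

With `follow_seconds=0, follow_max=0` the replay reproduces the rule as posted: one alert at the 5th non-image GET and nothing else, even though the same source keeps sending. With a follow-up window the next three matching requests from that source are emitted as well, which is the context the post wants to roll up; the image GET at t=6 is still skipped because it never satisfies the rule, and the request at t=70 starts a fresh window rather than alerting.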