Snort mailing list archives

Alerting after Threshold/Suppression


From: "Justin Mitchell" <tcpandip () gmail com>
Date: Fri, 30 Mar 2007 05:55:29 -0400

Hello All,

I would like a rule to alert for a specified amount/time AFTER a threshold
is met. Take the following rule for example:

alert tcp any any -> any $HTTP_PORTS (msg:"45\+ HTTP Requests \< 1 Minute";
flags:AP; pcre:!"/GET \/.*\.(gif|jpg|bmp|tiff|pic).*HTTP\/[0-9]\.[0-9]/i";
threshold: type both, track by_src, count 45, seconds 60; sid:5000001;
rev:1;)

Accordingly, the rule only alerts (like it should) once every minute if more
than 45 HTTP <non_image> requests are made within one minute. However, I
would like for it (as long as it meets the specified flags and pcre) to fire
thereafter for N seconds and/or N alerts. The catalyst for all this is I
need to extract/roll-up the accompanying GET requests to verify fidelity and
illustrate more context (w/o reviewing the log).

Options tested/contemplated thus far (to my knowledge):

Activate/Dynamic rule - Only valid for logging. If compatible with
*alerting* I imagine I could construct an activate/pass -> dynamic/alert
combo.
Flowbits - Only valid for that session.
Suppression - Absolute suppression.
Tag - Nonessential packets are displayed.

Any ideas? Is Snort alone capable of this without manually correlating the
solo alert to web logs? Telling Snort to run <insert_program_here>
(pl,sh,py,etc) is another viable option but I could not locate
concrete/stable information on how to accomplish this. 3rd party/home-grown
preprocessor?

TIA!

- binaryechoes
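As an added illustration (not part of the original post or of Snort itself), the following model contrasts what the rule above does under `threshold: type both, count 45, seconds 60` with the behaviour the poster describes wanting: keep alerting on matching packets for N seconds or N alerts after the threshold trips. The event list and source addresses are constructed sample data; each event stands for one packet that already matched the rule's flags and pcre.

```python
"""Model Snort 2.x `threshold: type both, track by_src` versus a
post-threshold alert tail (added example, not Snort's own code)."""

# Constructed sample traffic: (timestamp_seconds, src_ip). 10.0.0.5 sends one
# non-image GET per second for 100 s; 10.0.0.9 sends one every 3 s for 60 s.
SAMPLE = [(t, "10.0.0.5") for t in range(100)] + \
         [(t, "10.0.0.9") for t in range(0, 60, 3)]


def snort_threshold_both(events, count=45, seconds=60):
    """Timestamps at which `type both` alerts: the interval for a source
    starts at its first event, the rule fires once when `count` events
    have been seen inside it, then stays quiet until the interval expires."""
    state = {}  # src -> (interval_start, events_seen, already_fired)
    alerts = []
    for ts, src in sorted(events):
        start, seen, fired = state.get(src, (ts, 0, False))
        if ts - start >= seconds:          # interval expired: start over
            start, seen, fired = ts, 0, False
        seen += 1
        if seen >= count and not fired:
            alerts.append((ts, src))
            fired = True
        state[src] = (start, seen, fired)
    return alerts


def post_threshold_alerts(events, count=45, seconds=60,
                          tail_seconds=10, tail_max=None):
    """Desired behaviour: after a source trips the threshold, also alert on
    each later matching event within `tail_seconds`, capped at `tail_max`
    follow-up alerts per trip (None = no cap), so the accompanying GET
    requests are captured in the alert stream without consulting web logs."""
    trips = snort_threshold_both(events, count, seconds)
    trips_by_src = {}
    for ts, src in trips:
        trips_by_src.setdefault(src, []).append(ts)
    alerts = list(trips)
    emitted = {}  # (src, trip_ts) -> follow-up alerts emitted so far
    for ts, src in sorted(events):
        for trip in trips_by_src.get(src, []):
            if trip < ts <= trip + tail_seconds:
                key = (src, trip)
                if tail_max is None or emitted.get(key, 0) < tail_max:
                    emitted[key] = emitted.get(key, 0) + 1
                    alerts.append((ts, src))
                break
    return sorted(alerts)


if __name__ == "__main__":
    print("type both      :", snort_threshold_both(SAMPLE))
    print("10 s tail      :", post_threshold_alerts(SAMPLE))
    print("3-alert tail   :", post_threshold_alerts(SAMPLE, tail_max=3))
```

With the sample, `type both` yields a single alert at t=44 for 10.0.0.5 (10.0.0.9 never reaches 45 requests), while the 10-second tail adds one alert per matching request from t=45 through t=54.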