Snort mailing list archives

Re: snort and BGP


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 11 Oct 2013 11:41:54 -0600

On 2013-10-11 11:19, Jeff d'Ambly wrote:
Is anyone using snort to signal an upstream provider via BGP for the
black holing of traffic? For example if you get DDOS'd do you want
your internet providers to block the traffic?

--Jeff

I'm putting this one into production soon at points where I should never see BGP:

alert tcp any any -> any 179 (msg:"BGP seen on Network"; flow:stateless; classtype:bad-unknown; sid:xxxxxxx; rev:1;)

add the below to your threshold.conf file for how often you want to see this:

event_filter gen_id 1, sig_id xxxxxxx, type limit, track by_src, count 1, seconds 1200

I thought about adding a flags:S; but thought eh...might as well see it all :)  You'll want to change the xx's to however you have your private SIDs set up.

James
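As an added illustration (not code from James's post or from the Snort project), here is a small Python model of what that rule plus the event_filter line do together: any TCP packet to port 179 matches (flow:stateless, so no handshake state is required), and the "limit" filter logs only the first `count` matches per source in each `seconds` window and suppresses the rest. The packet list is constructed sample data, and the filter semantics are a simplified model of Snort's.

```python
"""Model of the posted rule (any tcp -> port 179) plus the
event_filter 'limit' semantics: log the first `count` matches per source
in each `seconds` window and suppress the rest until the window expires."""
from dataclasses import dataclass, field

BGP_PORT = 179  # rule: alert tcp any any -> any 179

# Constructed sample flows: (timestamp_seconds, proto, src_ip, dst_ip, dst_port)
SAMPLE_PACKETS = [
    (0,    "tcp", "10.0.0.5", "192.0.2.1", 179),
    (10,   "tcp", "10.0.0.5", "192.0.2.1", 179),   # same src, inside window
    (20,   "tcp", "10.0.0.9", "192.0.2.1", 179),   # different src
    (30,   "tcp", "10.0.0.5", "192.0.2.1", 443),   # not BGP
    (40,   "udp", "10.0.0.5", "192.0.2.1", 179),   # rule is tcp only
    (1250, "tcp", "10.0.0.5", "192.0.2.2", 179),   # 1200 s window expired
]

def matches_bgp_rule(pkt):
    """flow:stateless, so no handshake check: any tcp to dst port 179."""
    _ts, proto, _src, _dst, dport = pkt
    return proto == "tcp" and dport == BGP_PORT

@dataclass
class LimitBySrc:
    """event_filter type limit, track by_src, count N, seconds S (simplified)."""
    count: int
    seconds: int
    windows: dict = field(default_factory=dict)  # src -> (window_start, seen)

    def allow(self, src, ts):
        start, seen = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            self.windows[src] = (ts, 1)   # a new window opens on this event
            return True
        self.windows[src] = (start, seen + 1)
        return seen < self.count           # first `count` pass, rest suppressed

def run(packets, flt):
    """Return (list of logged alerts, number suppressed by the filter)."""
    logged, suppressed = [], 0
    for pkt in packets:
        if not matches_bgp_rule(pkt):
            continue
        ts, _proto, src, dst, _dport = pkt
        if flt.allow(src, ts):
            logged.append((ts, src, dst))
        else:
            suppressed += 1
    return logged, suppressed

if __name__ == "__main__":
    for ts, src, dst in run(SAMPLE_PACKETS, LimitBySrc(count=1, seconds=1200))[0]:
        print("BGP seen on Network: %s -> %s at t=%ds" % (src, dst, ts))
```

With count 1 and seconds 1200, the second packet from 10.0.0.5 is suppressed while the one at t=1250 is logged again because the window has rolled over.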

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!