IDS mailing list archives
RE: Detecting Connections in Snort
From: "Faiz Ahmad Shuja" <faizshuja () yahoo it>
Date: Mon, 2 Jun 2003 20:34:39 +0500
Snort's portscan preprocessor works on TCP connection attempts to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds. It doesn't work for a number C of connections to a single destination port P in T seconds. Currently the format is:

portscan: <monitor network> <number of ports> <detection period> <file path>

It should be something like:

portscan: <monitor network> <number of connections> <dst port> <detection period> <file path>

Though this preprocessor has the capability that alerts show only once per scan, rather than once for each packet. So it can be modified for a specific number-of-connections threshold for a single alert. Is this possible?

Regards,
Faiz

-----Original Message-----
From: Marcelo Olguin [mailto:molguin () inf utfsm cl]
Sent: Monday, June 02, 2003 7:38 PM
To: Faiz Ahmad Shuja; focus-ids () securityfocus com
Subject: Re: Detecting Connections in Snort

I understand that there exists a particular functionality in Snort's portscan preprocessor which lets you set a threshold for connections. You can find more information in the Snort 2.0 book (Syngress).

Bye
Marcelo

-.-

Faiz Ahmad Shuja wrote:

Does anybody have an idea about detecting multiple connections from a single IP in Snort? I want to detect multiple connection requests from a single IP to a mail server [port 25]. Sometimes a single IP has taken up all the connection slots. Is there any way to set a threshold? If I am getting multiple connections from a single host to any service and it reaches a specific count, I get the alert? Please advise. Thanks!

Regards,
Faiz
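The threshold the thread asks for (C connections from one source IP to destination port P within T seconds, reported once per burst rather than once per packet) as an added Python example; this is illustration code written for this archive page, not Snort's portscan preprocessor, and the connection events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample of connection attempts as (timestamp_seconds, src_ip, dst_port).
# These stand in for the TCP SYNs a sensor would see; they are not real traffic.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", 25), (1, "10.0.0.9", 25), (2, "10.0.0.5", 25),
    (3, "10.0.0.5", 80), (4, "10.0.0.5", 25), (5, "10.0.0.5", 25),
    (6, "10.0.0.5", 25),   # fifth SMTP connection from 10.0.0.5 within 60 s: alert
    (7, "10.0.0.5", 25), (8, "10.0.0.5", 25),   # same burst: no repeat alert
    (30, "10.0.0.9", 25), (100, "10.0.0.9", 25),  # slow sender: never reaches 5
    (300, "10.0.0.5", 25), (301, "10.0.0.5", 25), (302, "10.0.0.5", 25),
    (303, "10.0.0.5", 25), (304, "10.0.0.5", 25),  # new burst after a quiet period: alert
]


class ConnectionThreshold:
    """Alert when one source opens >= max_conns connections to dst_port within period seconds."""

    def __init__(self, dst_port, max_conns, period):
        self.dst_port = dst_port
        self.max_conns = max_conns
        self.period = period
        self.windows = defaultdict(deque)  # src_ip -> timestamps inside the sliding window
        self.last_alert = {}               # src_ip -> timestamp of the last alert (suppresses repeats)

    def observe(self, ts, src_ip, dst_port):
        """Feed one connection attempt; return an alert string or None."""
        if dst_port != self.dst_port:
            return None
        window = self.windows[src_ip]
        window.append(ts)
        # Drop attempts older than the detection period so the count is per-window.
        while window and ts - window[0] > self.period:
            window.popleft()
        if len(window) < self.max_conns:
            return None
        last = self.last_alert.get(src_ip)
        if last is not None and ts - last <= self.period:
            return None  # still inside the burst we already reported
        self.last_alert[src_ip] = ts
        return f"{src_ip} opened {len(window)} connections to port {dst_port} within {self.period}s"


def run(events, dst_port=25, max_conns=5, period=60):
    """Replay events through the detector and return the alerts raised, in order."""
    detector = ConnectionThreshold(dst_port, max_conns, period)
    return [a for a in (detector.observe(*e) for e in events) if a]
```

Replaying `SAMPLE_EVENTS` with `run()` yields exactly two alerts for 10.0.0.5 (one per burst) and none for the slow sender or for the port-80 attempt.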