IDS mailing list archives

RE: Detecting Connections in Snort


From: "Faiz Ahmad Shuja" <faizshuja () yahoo it>
Date: Mon, 2 Jun 2003 20:34:39 +0500

Snort's portscan preprocessor works on TCP connection attempts to more than
P ports in T seconds, or UDP packets sent to more than P ports in T
seconds. It doesn't work for a number of C connections to destination
port P in T seconds.

Currently the format is:

portscan: <monitor network> <number of ports> <detection period> <file path>

It should be something like:

portscan: <monitor network> <number of connections> <dst port> <detection period> <file path>

Though, this preprocessor has the capability that alerts only show
once per scan, rather than once for each packet. So it could be modified
to raise a single alert for a specific connection-count threshold.

Is this possible?

Regards,
Faiz
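The rule Faiz is asking for, more than C connections from one source to a single destination port P within T seconds with one alert per burst rather than one per packet, as an added Python example (this is not Snort's preprocessor code and not from this thread); the log format, addresses and timestamps are constructed:

```python
from collections import defaultdict, deque

# Constructed connection log, "<epoch seconds> <src ip> <dst ip> <dst port>" per TCP connection attempt.
SAMPLE_LOG = """\
0 10.0.0.5 192.0.2.10 25
1 10.0.0.5 192.0.2.10 25
2 10.0.0.5 192.0.2.10 25
2 10.0.0.7 192.0.2.10 25
3 10.0.0.5 192.0.2.10 25
3 10.0.0.5 192.0.2.10 80
6 10.0.0.7 192.0.2.10 25
100 10.0.0.5 192.0.2.10 25
101 10.0.0.5 192.0.2.10 25
102 10.0.0.5 192.0.2.10 25
103 10.0.0.5 192.0.2.10 25
"""

def parse_events(log_text):
    """Turn log lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        events.append((int(ts), src, dst, int(dport)))
    return events

def detect_connection_floods(events, max_conns, dst_port, window):
    """Return (src, window_start, count) for each burst of more than max_conns
    connections from one source to dst_port within window seconds (one alert per burst)."""
    history = defaultdict(deque)   # src -> timestamps of its recent connections to dst_port
    in_burst = set()               # sources already alerted on for the current burst
    alerts = []
    for ts, src, _dst, dport in sorted(events):
        if dport != dst_port:
            continue
        recent = history[src]
        recent.append(ts)
        while ts - recent[0] > window:   # drop connections that fell out of the window
            recent.popleft()
        if len(recent) > max_conns:
            if src not in in_burst:      # alert once, not for every further connection
                alerts.append((src, recent[0], len(recent)))
                in_burst.add(src)
        else:
            in_burst.discard(src)        # burst subsided: re-arm for this source
    return alerts

if __name__ == "__main__":
    # More than 3 connections to port 25 from one host inside 30 seconds
    for src, start, count in detect_connection_floods(parse_events(SAMPLE_LOG), 3, 25, 30):
        print(f"alert: {src} opened {count} connections to port 25 from t={start}")
```

Unlike the portscan preprocessor, which counts distinct ports per source, this keys on (source, destination port), so the port-80 attempt and the second host never reach the threshold.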


-----Original Message-----
From: Marcelo Olguin [mailto:molguin () inf utfsm cl] 
Sent: Monday, June 02, 2003 7:38 PM
To: Faiz Ahmad Shuja; focus-ids () securityfocus com
Subject: Re: Detecting Connections in Snort


I understand that a particular functionality exists in Snort's portscan
preprocessor, which lets you set a threshold for connections. You can
find more information in the Snort 2.0 book (Syngress).

Bye

Marcelo
-.-


Faiz Ahmad Shuja wrote:

Does anybody have an idea about detecting multiple connections from a
single IP in Snort? I want to detect multiple connection requests from
a single IP to a mail server [port 25]. Sometimes a single IP has taken
up all the connection slots. Is there any way to set a threshold? If I
am getting multiple connections from a single host to any service and
it reaches a specific count, I get the alert?

Please advise.

Thanks!


Regards,
Faiz