Snort mailing list archives
Re: Detecting concurrent connections
From: matt <mkettler () evi-inc com>
Date: Wed, 12 Jun 2002 15:43:02 -0400
Agreed, snort is not stateful in this respect. Currently I'd see that this is the kind of thing that really has 2 solutions outside of using snort:
1) I'd suspect that it is possible for some stateful firewalls to implement connection rate limiting (since they have to track connection states anyway). This would really only slow them down unless it had some kind of "if they try to exceed this threshold, shun that IP for an extended period of time" rule.
2) It might be possible to set up some kind of perl-script log watcher that looks for a large number of "user unknown" errors being generated from the same originating IP and just add that IP to your /etc/mail/access file (or whatever similar blocking file your mailserver uses).
Simultaneous state and time based analysis isn't really within the domain of the current version of snort, which is really looking for intrusion signatures, portscans (large number of different ports over time), and anomalous syn packets. There are some stateful aspects, and some time aspects, but none that analyze state and time currently.
There's been some talk in the past of modifying spp_portscan to create a spp_synflood (looking for a large number of syn connections to the same port in a given time window), but this doesn't really determine how many of these connections are concurrent. Dig in the archives, someone once posted a small patch to get that effect.
At 12:03 PM 6/12/2002 -0300, Renato Araújo wrote:
I want to configure a snort rule to detect if there is a number of concurrent connections to a server. Example, I want snort to detect if anyone has 15 or more connections simultaneously established to my smtp server. Does anyone know if this is possible? I need this because someone used a program that sends tons of emails to my server to discover valid emails. I solved the problem by blocking the IP with iptables, but I'm looking for an automated solution.

Atenciosamente (sincerely),
Renato Araújo
---------------------------------------------
Unix _IS_ user friendly - it's just selective about who its friends are !

_______________________________________________________________
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
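As an added illustration of matt's second suggestion (a log watcher that counts "User unknown" rejects per source IP and writes blocking entries for /etc/mail/access), here is a Python sketch of that watcher; it is not code from the thread, and it substitutes Python for the Perl matt mentions. It assumes sendmail-style syslog lines where the rejecting ruleset logs the client in a `relay=[ip]` field and ends with `... User unknown` (the sample lines below are constructed, not taken from any real log), and it assumes a sendmail built with FEATURE(access_db) that honours `Connect:` tagged entries. Rather than counting rejects over the whole log, it uses a sliding time window so a legitimate user who mistypes an address a few times over an hour is not blocked, which is the distinction matt's post is drawing between rate and mere count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex for a sendmail RCPT rejection line. Both the "hostname [ip]" and the
# bare "[ip]" forms of the relay= field are accepted. The line layout is an
# assumption about sendmail's syslog format, not something the thread specifies.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sendmail\[\d+\]:.*?'
    r'relay=(?:\S+\s+)?\[(?P<ip>[\d.]+)\].*?User unknown'
)


def parse_ts(ts, year=2002):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2002 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_harvesters(lines, threshold=15, window_seconds=60):
    """Return {ip: count} for every client whose 'User unknown' rejects reach
    `threshold` inside any `window_seconds` span. The count recorded is the
    one at the moment the threshold was first crossed."""
    recent = defaultdict(deque)   # ip -> timestamps of its rejects still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                # deliveries, bounces, anything that is not a User unknown reject
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        # Drop rejects older than the window so the count is a rate, not a lifetime total.
        while q and (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = len(q)
    return flagged


def access_entries(flagged):
    """Lines in the format of sendmail's access map: a Connect: tag makes the
    entry apply to the connecting client rather than to envelope addresses."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(flagged)]


# Constructed sample log (not from the thread): one harvester probing twenty
# addresses in under a minute, one real user mistyping three addresses over
# a quarter of an hour, and an unrelated successful delivery.
def make_reject(ts, ip, addr, pid=4101, qid="g5CF01a04101"):
    return (f"{ts} mx sendmail[{pid}]: {qid}: ruleset=check_rcpt, arg1=<{addr}>, "
            f"relay=[{ip}], reject=550 5.1.1 <{addr}>... User unknown")


SAMPLE_LOG = [make_reject(f"Jun 12 12:00:{s:02d}", "192.0.2.10", f"guess{s}@example.com")
              for s in range(0, 40, 2)]
SAMPLE_LOG += [make_reject(f"Jun 12 12:{m:02d}:05", "198.51.100.7", f"typo{m}@example.com")
               for m in (1, 9, 17)]
SAMPLE_LOG.append("Jun 12 12:02:30 mx sendmail[4109]: g5CF2Ub04109: to=<bob@example.com>, "
                  "delay=00:00:01, mailer=local, stat=Sent")


if __name__ == "__main__":
    hits = find_harvesters(SAMPLE_LOG)
    for entry in access_entries(hits):
        print(entry)          # append to /etc/mail/access, then rebuild the map
```

In a real deployment the watcher would tail the mail log instead of reading a list, append the emitted lines to /etc/mail/access, and rebuild the map (for example with `makemap hash /etc/mail/access < /etc/mail/access`) before sendmail sees the change. The timestamp year is assumed because syslog omits it, and an entry added this way is permanent until removed by hand, which is the "shun for an extended period" behaviour matt describes rather than a temporary rate limit.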
Current thread:
- Detecting concurrent connections Renato Araújo (Jun 12)
- Re: Detecting concurrent connections Chris Green (Jun 12)
- Re: Detecting concurrent connections matt (Jun 12)