Snort mailing list archives
Can Snort do this?
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Thu, 16 Oct 2003 13:44:52 -0400
Hi all, I'd like to be able to flag source addresses when they cross a certain threshold of connections per minute, hour, or day. For example, normally if I visit a website and follow normal means to purchase a product on that website, then logoff normally, my session while on that site might consist of maybe 500 total packets and maybe 50 of those packets might be TCP SYNs (let's say for example sake). Let's say this is normal for a particular site. Now if I get 500 TCP SYNs from a same IP address over a certain time period (hours or a day), then I'd like to flag this, since this is not normal behaviour. Can Snort do something like this, like maybe with a TCP SYN preprocessor or something? Any tips/recommendations here? Thanks, Paul ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Can Snort do this? Sheahan, Paul (Oct 16)
- Re: Can Snort do this? Erek Adams (Oct 16)
- Re: Can Snort do this? guillaume.rix (Oct 17)
- Re: Can Snort do this? Guillaume . Rix (Oct 17)
- Re: Can Snort do this? Chris Green (Oct 20)
- how to log payload data to MySQL and /var/log/snort/ Sam Wun (Oct 20)
- Re: Can Snort do this? Erek Adams (Oct 16)