Snort mailing list archives

rule to detect lots of syn pkts?


From: Rich Adamson <radamson () routers com>
Date: Fri, 4 Jun 2004 08:12:41 -0600


We ran into a problem last night at an ISP operation where a Cisco 7206
with NATing ran out of nat translation table space, causing the router
to use 100% of the cpu (known problem with this IOS version, but can't
upgrade right now). The problem was one customer was infected with a
virus that caused their machine to attempt 1,000's of connections with
various Internet boxes. 

Is there a way to write a general rule that would alert when any -> any
attempts more than xx connections per unit of time on any port?

Rich
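
An added example, not part of the original post: a per-source sliding-window counter that flags any host opening more than a set number of TCP connection attempts in a time window, which is the "xx connections per unit of time" check asked about above. The record layout `(timestamp_ms, src, dst, dport, flags)`, the function names and the sample addresses are assumptions made for this illustration.

```python
from collections import defaultdict, deque

def find_syn_floods(packets, max_syns, window_ms):
    """Return {src_ip: time_of_first_alert_ms} for every source that sends
    more than max_syns initial SYNs inside any window of window_ms.

    packets: iterable of (timestamp_ms, src_ip, dst_ip, dst_port, flags),
    sorted by timestamp; flags is a string such as "S", "SA" or "A"
    (assumed layout, e.g. produced from a capture or flow export).
    """
    recent = defaultdict(deque)  # src_ip -> SYN timestamps still in the window
    alerts = {}
    for ts, src, _dst, _dport, flags in packets:
        # Count connection attempts only: SYN set, ACK clear.
        if "S" not in flags or "A" in flags:
            continue
        q = recent[src]
        q.append(ts)
        # Drop attempts that have aged out of the window ending at ts.
        while ts - q[0] >= window_ms:
            q.popleft()
        if len(q) > max_syns and src not in alerts:
            alerts[src] = ts
    return alerts

def build_sample():
    """Constructed sample traffic using documentation-range addresses."""
    pkts = []
    # Noisy host: 200 SYNs, one every 10 ms, to many hosts and ports.
    for i in range(200):
        dst = f"198.51.100.{i % 250 + 1}"
        pkts.append((i * 10, "192.0.2.10", dst, 1024 + i, "S"))
    # Normal host: 5 connections over 50 s, each followed by its ACK.
    for i in range(5):
        pkts.append((i * 10000, "192.0.2.20", "203.0.113.5", 80, "S"))
        pkts.append((i * 10000 + 50, "192.0.2.20", "203.0.113.5", 80, "A"))
    # SYN-ACK replies from a busy server must not count as attempts.
    for i in range(150):
        pkts.append((i * 10, "203.0.113.5", "192.0.2.20", 40000 + i, "SA"))
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    hits = find_syn_floods(build_sample(), max_syns=50, window_ms=1000)
    for src, ts in hits.items():
        print(f"ALERT {src} sent more than 50 SYNs within 1000 ms (t={ts} ms)")
```

Tracking by source address keeps one noisy customer from hiding behind aggregate traffic, and ignoring segments with ACK set keeps busy servers from tripping the threshold.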



