Snort mailing list archives

Re: ru.le to detect lots of syn pkts?


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 04 Jun 2004 11:33:01 -0400

At 10:12 AM 6/4/2004, Rich Adamson wrote:
The problem was one customer was infected with a
virus that caused their machine to attempt 1,000's of connections with
various Internet boxes.

Is there a way to write a general rule that would alert when any -> any
attempts more than xx connections per unit of time on any port?

The classic portscan preprocessor, set with rather high thresholds, should be useful in picking up Blaster, Sasser, and similar high-volume bursts of connections generated by worm infections.

While it's not very good at detecting real-world portscans without false alarms, it's very good at detecting truly massive scans like a worm causes. Set it to something on the order of 500 connections in 5 seconds.
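The threshold logic in the reply above (flag a source that opens more than N connections inside T seconds) can be prototyped outside Snort over connection-attempt logs. The following is an added example, not code from the thread or from Snort; the log line format, the host addresses and the sample traffic are all constructed for the demonstration, and the 500-in-5-seconds defaults are taken from the reply.

```python
"""Sliding-window connection-burst detector (added example, not from Snort).

Reads constructed log lines of the form
    <ISO-8601 timestamp> <src ip> -> <dst ip>:<port>
and raises one alert per source host that exceeds MAX_CONNS connection
attempts within any WINDOW_SECONDS span, which is the worm-detection
threshold suggested in the reply above.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold from the reply: on the order of 500 connections in 5 seconds.
MAX_CONNS = 500
WINDOW_SECONDS = 5.0


def parse_line(line):
    """Parse one constructed log line into (epoch_seconds, src, dst, port)."""
    ts_str, rest = line.split(" ", 1)
    ts = datetime.fromisoformat(ts_str).timestamp()
    src, dst = rest.split(" -> ")
    host, port = dst.rsplit(":", 1)
    return ts, src, host, int(port)


def detect_bursts(lines, max_conns=MAX_CONNS, window=WINDOW_SECONDS):
    """Return [(src, alert_time, count)] for each source whose attempt count
    inside a sliding window of `window` seconds exceeds `max_conns`.

    Lines must be in time order (as a sensor would emit them). Each source
    is reported once, at the moment it first crosses the threshold.
    """
    windows = defaultdict(deque)   # src -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, src, _dst, _port = parse_line(line)
        q = windows[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_conns and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(q)))
    return alerts


def build_sample_log():
    """Constructed traffic: one busy-but-normal host (50 attempts over 5 s)
    and one worm-like host (600 attempts over 3 s), interleaved by time."""
    base = datetime(2004, 6, 4, 10, 12, 0)
    lines = []
    # Normal host: 10 connections per second, well under the threshold.
    for i in range(50):
        t = (base + timedelta(seconds=0.1 * i)).isoformat()
        lines.append(f"{t} 10.0.0.5 -> 198.51.100.{i % 20 + 1}:80")
    # Infected host: 200 connections per second to many different hosts.
    for i in range(600):
        t = (base + timedelta(seconds=0.005 * i)).isoformat()
        lines.append(f"{t} 10.0.0.7 -> 203.0.113.{i % 250 + 1}:445")
    lines.sort()   # ISO-8601 strings sort chronologically
    return lines


if __name__ == "__main__":
    for src, when, count in detect_bursts(build_sample_log()):
        print(f"ALERT {src}: {count} connection attempts within "
              f"{WINDOW_SECONDS:.0f}s at {datetime.fromtimestamp(when).isoformat()}")
```

The normal host never accumulates more than 50 timestamps in its deque, so it stays silent; the infected host crosses the 500 mark about 2.5 seconds in and is reported once. Keying the window on the number of distinct destinations rather than raw attempts is a natural refinement for cutting false positives from legitimately busy servers, since a worm fans out across many hosts while a busy client tends to hammer a few.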
