RE: high count, long time in threshold

["Marc Norton" <marc.norton () sourcefire com>]

The rule to catch 1500 syns in 60 seconds is applied to each individual
host that the rule covers - hence the 'track by_src' it does not track
1500 syns in 60 seconds for 'any-ip -> any-ip' in a cumulative fashion.
So unless a specific IP is generating 1500 syns in 60 seconds, this
threshold definition won't allow the rule to fire and be logged. I am
not sure if this helps but I wanted to be clear about the difference in
behavior that you may be seeing. 

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net [mailto:snort-users-
> admin () lists sourceforge net] On Behalf Of sekure
> Sent: Wednesday, August 11, 2004 8:42 AM
> To: Snort Users
> Subject: [Snort-users] high count, long time in threshold
>
> Hi all,
>
> For the past few days i've been trying to figure out a rule to alert
> me whenever there is a large # of SYNs going by the sensor.  This
> traffic is specific to something on my network and is usually directed
> to one particular port, so using portscan or flow_portscan
> preprocessors is out of the question, at least based on my
> understanding.
>
> Normally i see about 10-15 SYN's/second on my network, but
> occasionally it gets to 40, 80, even 100.  Definitely abnormal.  At
> first I tried this:
>
> alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S;
> threshold: type threshold, track by_src, seconds 1, count 40;
> classtype:misc-activity; sid: 1000035; rev:1;)  So 40 SYNs in one
> second and I'd get an alert.  This worked flawlessly.  The problem
> though was that this traffic would be sustained for about 4-5 hours,
> so in the morning i'd end up with hundreds of alerts.  So I tried a
> variation:
>
> alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S;
> threshold: type both, track by_src, seconds 60, count 1500;
> classtype:misc-activity; sid: 1000035; rev:1;)  Alert once per 60
> seconds if there are more than 1500 SYNs in that time interval.
> That's an average of 25 SYNs/second.  Definitely abnormal on my
> network, so I'd like to catch it.
>
> HOWEVER, this rule doesn't really work.  For a few days it was
> occasionally alerting me to portscans that scanned 5 hosts for 1 port,
> so at most maybe 30 SYNs (after all the retries, etc). And then this
> morning, when i looked at my perfmon preprocessor statistics I saw a
> sustained SYN rate of about 80 SYNs/sec for 5 hours overnight, but NO
> alerts.
>
> Help?
>
> Is there a limit to how high i can set a count or a time in a
> threshold rule?  Is snort running out of memory trying to keep track
> of the number of SYNs send by EVERY host in a given time period?
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users