Snort mailing list archives

Re: high count, long time in threshold


From: sekure <sekure () gmail com>
Date: Wed, 11 Aug 2004 10:40:52 -0400

On Wed, 11 Aug 2004 10:03:40 -0400, Marc Norton
<marc.norton () sourcefire com> wrote:

So unless a specific IP is generating 1500 syns in 60 seconds, this
threshold definition won't allow the rule to fire and be logged.

That was exactly my intention, and last night one host was making a
HUGE amount of connections to a server.  2000-3000 connections per
minute.  I can see it in the logs on the destination server, yet no
event got triggered.

There is no internal limit to the length of time or the number of
events to threshold, is there?


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of sekure
Sent: Wednesday, August 11, 2004 8:42 AM
To: Snort Users
Subject: [Snort-users] high count, long time in threshold

Hi all,

For the past few days I've been trying to figure out a rule to alert
me whenever there is a large # of SYNs going by the sensor.  This
traffic is specific to something on my network and is usually directed
to one particular port, so using portscan or flow_portscan
preprocessors is out of the question, at least based on my
understanding.

Normally I see about 10-15 SYNs/second on my network, but
occasionally it gets to 40, 80, even 100.  Definitely abnormal.  At
first I tried this:

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S;
threshold: type threshold, track by_src, seconds 1, count 40;
classtype:misc-activity; sid: 1000035; rev:1;)

So 40 SYNs in one second and I'd get an alert.  This worked
flawlessly.  The problem though was that this traffic would be
sustained for about 4-5 hours, so in the morning I'd end up with
hundreds of alerts.  So I tried a variation:

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S;
threshold: type both, track by_src, seconds 60, count 1500;
classtype:misc-activity; sid: 1000035; rev:1;)

Alert once per 60 seconds if there are more than 1500 SYNs in that
time interval.  That's an average of 25 SYNs/second.  Definitely
abnormal on my network, so I'd like to catch it.

HOWEVER, this rule doesn't really work.  For a few days it was
occasionally alerting me to portscans that scanned 5 hosts for 1 port,
so at most maybe 30 SYNs (after all the retries, etc).  And then this
morning, when I looked at my perfmon preprocessor statistics I saw a
sustained SYN rate of about 80 SYNs/sec for 5 hours overnight, but NO
alerts.

Help?

Is there a limit to how high I can set a count or a time in a
threshold rule?  Is snort running out of memory trying to keep track
of the number of SYNs sent by EVERY host in a given time period?


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




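To make the difference between the two rules in the thread concrete, here is an added Python model of the documented Snort 2.x `type threshold` and `type both` semantics with `track by_src`, replayed over a constructed SYN stream at the sustained 80 SYN/s rate described above. It is written for this note, not taken from Snort's source or from anyone on the thread, and the IP addresses and rates are constructed sample values.

```python
from collections import defaultdict

US = 1_000_000  # timestamps are integer microseconds so window edges stay exact

def run_threshold(events, kind, count, seconds):
    """Replay (ts_us, src_ip) SYN events through a per-rule threshold of the
    given kind ("threshold" or "both"), tracked by source as in the rules
    above, and return the alerts it would raise as (ts_us, src_ip) tuples.
    This follows the documented Snort 2.x semantics, not Snort's own code."""
    window = defaultdict(lambda: [None, 0])  # src -> [window start, events seen]
    alerts = []
    for ts, src in events:
        w = window[src]
        if w[0] is None or ts - w[0] >= seconds * US:
            w[0], w[1] = ts, 0                # window expired: start a new one
        w[1] += 1
        if kind == "threshold":
            if w[1] >= count:                 # fire every `count` events
                alerts.append((ts, src))
                w[1] = 0
        elif kind == "both":
            if w[1] == count:                 # fire once per window, then ignore
                alerts.append((ts, src))
        else:
            raise ValueError(f"unsupported threshold type: {kind}")
    return alerts

def syn_stream(src, rate_per_sec, duration_sec, start_us=0):
    """Constructed sample traffic: one host sending SYNs at a steady rate."""
    step = US // rate_per_sec
    return [(start_us + i * step, src) for i in range(rate_per_sec * duration_sec)]

if __name__ == "__main__":
    # Constructed scenario: one host at a sustained 80 SYN/s for ten minutes,
    # plus a small scan of 30 SYNs from another host (sample IPs, not real).
    busy = syn_stream("10.0.0.5", 80, 600)
    scan = syn_stream("10.0.0.9", 3, 10)
    traffic = sorted(busy + scan)
    r1 = run_threshold(traffic, "threshold", 40, 1)     # first rule in the post
    r2 = run_threshold(traffic, "both", 1500, 60)       # second rule in the post
    print(f"type threshold, 40/1s : {len(r1)} alerts")  # two per second
    print(f"type both, 1500/60s   : {len(r2)} alerts")  # one per minute
    print("scan host alerted:", any(s == "10.0.0.9" for _, s in r1 + r2))
```

Under these semantics the 30-SYN scan never reaches either count, and the busy host yields two alerts per second with the first rule but only one per minute with the second.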