Snort mailing list archives

Re: [Q] thresholding: to throttle flood of alerts


From: "Matt Olney" <molney () sourcefire com>
Date: Thu, 16 Oct 2008 11:23:05 -0400

While odd, a quick test using ip instead of tcp in a test rule seems to
work.  I'm not certain how the decoder would handle this, or what the
internals of Snort might do or not do based on this information.  The VRT
would almost certainly choose to write this rule as two rules, and, taking a
quick look at our rule set, all IP rules are any any, port-wise.

While this works now, one of the concerns would be functionality going
forward or back in Snort versions, and how various preprocessors would deal
with the traffic.  I'd strongly recommend making this two rules.

Matt

On Thu, Oct 16, 2008 at 10:42 AM, Jack Pepper <pepperjack () afferentsecurity com> wrote:

It *does* seem illogical to specify a (tcp/udp) port number when the
protocol is not tcp or udp.

jp

Quoting Joel Esler <eslerj () gmail com>:

I think I remember someone saying not too long ago that you can't use
ports with an "ip" rule?

J

On Oct 16, 2008, at 2:59 AM, Victor Klimov wrote:

Hi Leon,

Yeah, I know, it should work...
But it doesn't:

#Rule for alerting common TCP/UDP flood attack:
alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type limit, track by_src, count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:2;)

This rule above should limit the flooding alert: once in 10 min.
However I continue to see a lot of 100000160 alerts, several per
minute.
Hmm...

Victor

On Wed, Oct 15, 2008 at 9:24 PM, Leon Ward <seclists () rm-rf co uk> wrote:
Hi.

You are looking for "limit", or rather "both" limit and threshold

Take a look at README.thresholding in the /doc directory and the
link below.


http://snort.org/docs/snort_htmanuals/htmanual_280/node330.html#Event_Thresholding

-Leon



On 15 Oct 2008, at 19:50, Victor Klimov wrote:

Hi Jack,

Actually I don't want to detect a flood. I already have some kind of
flood, at least according to what I get from snort.
I want to throttle the flood of 'flooding directed to SIP proxy'
messages.

Even if I changed the threshold values in the original rule,
I do see several in let's say 3 min.

That is what I want to throttle.

Victor


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's
challenge
Build the coolest Linux based applications with Moblin SDK & win
great
prizes
Grand prize is a trip for two to an Open Source event anywhere in
the
world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






--

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate
http://www.afferentsecurity.com


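The thresholding types Leon points to in README.thresholding (limit, threshold, both), modelled in Python as an added example; this is not Snort's own code. It pulls the sid and the inline threshold option out of Victor's rule (with the wrapped "seconds600" joined back into "seconds 600"), applies each threshold type to a constructed stream of SIP alerts, and lists which alerts survive. The hosts 10.0.0.5, 10.0.0.9 and 192.0.2.10 and the packet timings are made up for the example, not captured traffic, and the choice to restart the window when a threshold-type alert fires is an assumption about the manual's wording rather than a reading of sfthd.c. With Victor's values (limit, count 1, seconds 600, by_src) the model logs one alert per source address per 600 s window, so the number of alerts seen scales with the number of distinct sources, not with the packet rate.

```python
"""Model of Snort event thresholding (README.thresholding semantics).

Added example, not Snort's own code: it reads the threshold option out of
the rule from the thread, then applies the documented 'limit', 'threshold'
and 'both' behaviour to a constructed stream of SIP alerts so the three
types can be compared side by side.
"""
import re
from dataclasses import dataclass, field

# Victor's rule as posted, with the line-wrapped "seconds600" joined back
# into "seconds 600" so the option parses.
SIP_FLOOD_RULE = (
    'alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message '
    'flooding directed to SIP proxy"; threshold: type limit, track by_src, '
    'count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:2;)'
)

THRESHOLD_RE = re.compile(
    r"threshold:\s*type\s+(\w+)\s*,\s*track\s+(\w+)\s*,"
    r"\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)\s*;"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


@dataclass
class Event:
    """One would-be alert: rule, endpoints and the packet time in seconds."""
    sid: int
    src: str
    dst: str
    ts: int


@dataclass
class Threshold:
    sid: int
    type: str      # limit | threshold | both
    track: str     # by_src | by_dst
    count: int
    seconds: int
    # per tracked address: (window start, events counted in this window)
    _state: dict = field(default_factory=dict, init=False, repr=False)

    def allow(self, ev: Event) -> bool:
        """Decide whether this event is logged (True) or suppressed."""
        key = ev.src if self.track == "by_src" else ev.dst
        start, n = self._state.get(key, (ev.ts, 0))
        if ev.ts - start >= self.seconds:      # window expired: start a new one
            start, n = ev.ts, 0
        n += 1
        self._state[key] = (start, n)
        if self.type == "limit":               # first `count` events per window
            return n <= self.count
        if self.type == "threshold":           # every `count`-th event; the
            if n >= self.count:                # window restarts at each alert
                self._state[key] = (ev.ts, 0)  # (assumed reading of the manual)
                return True
            return False
        if self.type == "both":                # one alert per window, and only
            return n == self.count             # once `count` events were seen
        raise ValueError(f"unknown threshold type {self.type!r}")


def parse_threshold(rule: str) -> Threshold:
    """Extract the sid and the inline threshold option from one Snort rule."""
    opt, sid = THRESHOLD_RE.search(rule), SID_RE.search(rule)
    if not opt or not sid:
        raise ValueError("rule lacks a sid or a threshold option")
    typ, track, count, seconds = opt.groups()
    return Threshold(int(sid.group(1)), typ, track, int(count), int(seconds))


def apply_threshold(thr: Threshold, events: list) -> list:
    """Return the events that survive thresholding, in arrival order.
    Events for other sids are not subject to this threshold and pass."""
    return [ev for ev in sorted(events, key=lambda e: e.ts)
            if ev.sid != thr.sid or thr.allow(ev)]


def sample_events() -> list:
    """Constructed traffic (not captured data): one host sends a SIP packet
    to the proxy every 3 s for 15 min, a second host sends three packets."""
    proxy, sid = "192.0.2.10", 100000160
    flood = [Event(sid, "10.0.0.5", proxy, t) for t in range(0, 900, 3)]
    stray = [Event(sid, "10.0.0.9", proxy, t) for t in (100, 200, 300)]
    return flood + stray


def alert_times(thr_type: str, count: int) -> list:
    """(source, time) of each logged alert for Victor's rule, with its
    threshold type and count swapped for the given values."""
    thr = parse_threshold(SIP_FLOOD_RULE)
    thr.type, thr.count = thr_type, count
    return [(ev.src, ev.ts) for ev in apply_threshold(thr, sample_events())]


if __name__ == "__main__":
    for typ, count in (("limit", 1), ("threshold", 100), ("both", 100)):
        print(f"type {typ:9} count {count:3}:", alert_times(typ, count))
```

Run it with python3 to see the three outcomes side by side: limit/1 logs the first packet from each source and then one more from 10.0.0.5 when its 600 s window expires; threshold/100 logs every hundredth packet from the flooding host; both/100 logs once per window after the hundredth packet. The same parameters can be applied from threshold.conf instead of inline, one `threshold gen_id 1, sig_id <sid>, type limit, track by_src, count 1, seconds 600` line per sid, which keeps the throttle in one place if the rule is split into tcp and udp variants as Matt recommends.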