Snort mailing list archives

Re: Rate limiting alerts


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 9 Dec 2010 15:54:01 -0500

If you do a threshold using preprocessor gen_id 135, sig_id 1, you could
deal with SYN packets from an individual host.

So, you'd have to recompile Snort with the
--enable-decoder-preprocessor-rules configure tag.
Then you'd have to include your preprocessor.rules file (should be in the
preproc_rules directory of the Snort tarball). Make sure you have the gen_id
135 rules enabled.

Then you'd have to create your threshold based off of track by_src.

Look into
README.decoder_preproc_rules
README.thresholding
and
README.filters in your doc/ directory of the Snort tarball.

Joel

On Thu, Dec 9, 2010 at 3:04 PM, Mike Kun <mkun () akamai com> wrote:

Does Snort have the ability to rate-limit an alert? For example, if we
were interested to know if a machine is part of a DDOS, we could
threshold a rule to only fire if there are 250 SYN packets in 60 secs.
But, this could fire if a user opens a webpage with lots of redirects or
ads. Therefore, we'd like to only fire an alert if there is a
sustained number of SYN packets over time, for example 50 SYN packets
per second for 10 seconds.

It doesn't seem like thresholding can do this...



------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Joel Esler
I apologize for typos, mobile device!
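Putting Joel's three steps into one place, the fragment below is an added snort.conf example; it is not from the thread or from the Snort tarball. The `PREPROC_RULE_PATH` variable and `../preproc_rules` path follow the default snort.conf layout and are assumptions for your install, and the 250-in-60-seconds numbers are the ones from Mike's question.

```conf
# Added example (not from the thread or the Snort distribution): a snort.conf
# fragment wiring up the steps in Joel's reply. Paths follow the default
# snort.conf layout and are assumptions for your install.

# Step 1 happens at build time, not in snort.conf: Snort must have been built
# with
#   ./configure --enable-decoder-preprocessor-rules
# or the gen_id 135 preprocessor rules below are never evaluated.

# Step 2: include the preprocessor rules shipped in preproc_rules/ of the
# tarball, and make sure the gen_id 135 entries in that file are uncommented.
var PREPROC_RULE_PATH ../preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules

# Step 3: threshold the SYN event (gen_id 135, sig_id 1) per source address.
#   type threshold -> alert every 'count' events seen within 'seconds'
#   track by_src   -> a separate counter for each source IP
# 250 / 60 are Mike's numbers; tune them for your network.
event_filter gen_id 135, sig_id 1, \
    type threshold, track by_src, \
    count 250, seconds 60
```

`event_filter` is the current spelling of the `threshold` keyword described in README.thresholding; README.filters covers the newer syntax. Note that, as Mike's question points out, a single window counter like this still fires on a one-off burst of 250 SYNs, so it answers "how many in a window", not "sustained rate over several consecutive windows".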