Snort mailing list archives
Trying to detect a ping sweep
From: Aaron Evers <secure.badger () gmail com>
Date: Tue, 3 Apr 2012 16:30:33 -0500
Greetings, I am trying to configure Snort 2.9.1.2 to detect a variety of network discovery traffic. I'd like to be able to detect a ping sweep in the following manner: a source address sends ICMP echo requests to x number of unique destination addresses over x period of time. For example, a host that sends 10 pings to a single destination address over the course of 60 seconds does not generate an alert, but a host that sends 10 pings, each to a different destination address, over the course of 60 seconds does generate an alert. Is this possible? I haven't been able to find a way with the online manual. Thanks!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
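The counting logic the post asks for, written out as an added example that is not part of the original thread and is not Snort configuration: a standalone Python routine that keeps a per-source sliding window of ICMP echo-request records and alerts only when a source has reached a set number of distinct destinations within the window. The sample records, addresses, thresholds and function name are constructed for illustration.

```python
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8  # ICMP type 8; type 0 is echo reply

# Constructed sample records, not real captures: (epoch_seconds, src, dst, icmp_type)
SAMPLE_RECORDS = []
# 10.0.0.5 sends 10 echo requests to one address within 60 s: not a sweep.
for i in range(10):
    SAMPLE_RECORDS.append((1000 + i * 6, "10.0.0.5", "10.0.0.100", ICMP_ECHO_REQUEST))
# 10.0.0.6 sends 10 echo requests to 10 distinct addresses within 60 s: a sweep.
for i in range(10):
    SAMPLE_RECORDS.append((1000 + i * 6, "10.0.0.6", f"10.0.1.{i + 1}", ICMP_ECHO_REQUEST))
# 10.0.0.7 reaches 10 distinct addresses, but spread over 270 s: no 60 s window holds 10.
for i in range(10):
    SAMPLE_RECORDS.append((1000 + i * 30, "10.0.0.7", f"10.0.2.{i + 1}", ICMP_ECHO_REQUEST))
# Echo replies from 10.0.0.100 back to 10.0.0.5 must never be counted.
for i in range(10):
    SAMPLE_RECORDS.append((1001 + i * 6, "10.0.0.100", "10.0.0.5", 0))


def find_ping_sweeps(records, min_unique_dsts=10, window_seconds=60):
    """Return {src: first_alert_time} for every source that sent echo requests
    to at least min_unique_dsts distinct destinations inside some
    window_seconds-long sliding window. Records may arrive unsorted."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    alerts = {}
    for ts, src, dst, icmp_type in sorted(records, key=lambda r: r[0]):
        if icmp_type != ICMP_ECHO_REQUEST:
            continue  # only outbound probes count, not replies or other ICMP
        window = recent[src]
        window.append((ts, dst))
        # Expire entries that fell out of the window relative to this packet.
        while window and ts - window[0][0] > window_seconds:
            window.popleft()
        # Distinct destinations, not packet count, is what separates a sweep
        # from repeated pings to a single host.
        if src not in alerts and len({d for _, d in window}) >= min_unique_dsts:
            alerts[src] = ts  # alert once per source, at the moment the bar is crossed
    return alerts


if __name__ == "__main__":
    for src, ts in find_ping_sweeps(SAMPLE_RECORDS).items():
        print(f"ping sweep from {src} detected at t={ts}")
```

Snort's rule-level threshold and detection_filter options count matching events per source or destination, which is why the single-destination case in the post is hard to exclude with them alone; the routine above shows the extra state a detector has to keep (the set of destinations seen per source inside the window) to make that distinction. Lowering min_unique_dsts or widening window_seconds trades sensitivity for false positives from hosts that legitimately reach many peers.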
Current thread:
- Trying to detect a ping sweep Aaron Evers (Apr 03)
- Re: Trying to detect a ping sweep lists () packetmail net (Apr 03)