This is a discussion on Re: [Snort-users] Can Snort do this? within the Snort forums, part of the System Security and Security Related category.
You can use iptables for this (--limit, --limit-burst and --tcp-flags). Here is one part of my firewall script:

    # Per-source outbound TCP SYN rate limiting with the iptables limit match.
    # Note: the post had "--tcp-flags SYN" with only one argument; the match
    # needs a mask and a comparison list, so "SYN,ACK,FIN,RST SYN" (the same
    # test as --syn) is used here. The chain name is also spelled consistently
    # (the post jumped to "tcphandler" after creating "tcpHandler").
    iptables -N tcpHandler

    # Up to 500 new connections per hour (burst 500) are handed to tcpHandler.
    iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -s 192.168.172.1 \
        -m state --state NEW -m limit --limit 500/hour --limit-burst 500 -j tcpHandler

    # Anything beyond that budget is logged at most once per hour ...
    # (the prefix says "ICMP" but this rule matches TCP SYNs)
    iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -s 192.168.172.1 \
        -m state --state NEW -m limit --limit 1/hour --limit-burst 1 \
        -j LOG --log-prefix "+ de 500 ICMP out : "

    # ... and dropped.
    iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -s 192.168.172.1 \
        -m state --state NEW -j DROP

    # Connections within the budget are logged and passed to userspace via QUEUE.
    iptables -A tcpHandler -j LOG --log-prefix "OUTBOUND CONN TCP: "
    iptables -A tcpHandler -j QUEUE

Cheers,
Guillaume

Erek Adams wrote:

> On Thu, 16 Oct 2003, Sheahan, Paul wrote:
>
>> I'd like to be able to flag source addresses when they cross a certain
>> threshold of connections per minute, hour, or day.
>>
>> For example, normally if I visit a website and follow normal means to
>> purchase a product on that website, then log off normally, my session
>> while on that site might consist of maybe 500 total packets and maybe 50
>> of those packets might be TCP SYNs (let's say for example's sake). Let's
>> say this is normal for a particular site. Now if I get 500 TCP SYNs from
>> the same IP address over a certain time period (hours or a day), then I'd
>> like to flag this, since this is not normal behaviour.
>>
>> Can Snort do something like this, like maybe with a TCP SYN preprocessor
>> or something? Any tips/recommendations here?
>
> Nope. Snort's thresholding is signature-based.
>
> As for a preproc, it would be the thing to do it, but it's not going to be
> an easy thing to do. Keeping track of SYNs or any other packet for that
> amount of time could be a rather memory-intensive application. It's
> either that or make it really slow and go to disk...
>
> Cheers!
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
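Paul's per-source SYN threshold, and Erek's point about the memory cost of tracking SYNs for hours, as an added Python example that is not code from the thread: it parses constructed syslog lines of the kind a LOG rule with Guillaume's "OUTBOUND CONN TCP: " prefix would write, keeps a bounded sliding window per source address, and flags any source that sends a threshold number of SYNs inside the window. The log lines, threshold and window values are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog lines from a LOG rule with the "OUTBOUND CONN TCP: "
# prefix used in the post; not real traffic.  One line is an ACK and must be ignored.
SAMPLE_LOG = """\
Oct 16 10:00:01 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Oct 16 10:00:02 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=80 ACK URGP=0
Oct 16 10:00:05 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.6 PROTO=TCP SPT=40003 DPT=443 SYN URGP=0
Oct 16 10:00:09 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.1 DST=10.0.0.7 PROTO=TCP SPT=40004 DPT=25 SYN URGP=0
Oct 16 10:00:30 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.2 DST=10.0.0.5 PROTO=TCP SPT=50001 DPT=80 SYN URGP=0
Oct 16 10:05:00 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.2 DST=10.0.0.5 PROTO=TCP SPT=50002 DPT=80 SYN URGP=0
Oct 16 10:10:00 fw kernel: OUTBOUND CONN TCP: IN= OUT=eth0 SRC=192.168.172.2 DST=10.0.0.5 PROTO=TCP SPT=50003 DPT=80 SYN URGP=0
"""

# Syslog timestamp, source address, and a TCP packet carrying the SYN flag.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?\bSYN\b"
)

def parse_syn_events(log_text):
    """Return [(seconds, src_ip), ...] for every logged TCP SYN, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            dt = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
            events.append(((dt - datetime(1900, 1, 1)).total_seconds(), m["src"]))
    events.sort()
    return events

def flag_sources(events, threshold, window_seconds):
    """Return {src: time_first_flagged} for sources sending `threshold` SYNs within
    any `window_seconds` span.  Only the last `threshold` timestamps per source are
    kept, so memory stays bounded even for a day-long window."""
    recent = defaultdict(lambda: deque(maxlen=threshold))
    flagged = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        # q[0] is the oldest of the last `threshold` SYNs seen from this source.
        if len(q) == threshold and ts - q[0] <= window_seconds and src not in flagged:
            flagged[src] = ts
    return flagged

if __name__ == "__main__":
    hits = flag_sources(parse_syn_events(SAMPLE_LOG), threshold=3, window_seconds=60)
    for src in sorted(hits):
        print(f"flagged {src}: 3 SYNs within 60s")
```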