Re: [Snort-users] ru.le to detect lots of syn pkts?
This is a discussion on Re: [Snort-users] ru.le to detect lots of syn pkts? within the Snort forums, part of the System Security and Security Related category; --On Friday, June 04, 2004 08:12:41 AM -0600 Rich Adamson <radamson@routers.com> wrote: > > ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
06-04-2004
|
|||
|
|||
Re: [Snort-users] ru.le to detect lots of syn pkts?
--On Friday, June 04, 2004 08:12:41 AM -0600 Rich Adamson
<radamson@routers.com> wrote: > > We ran into a problem last night at an ISP operation where a Cisco 7206 > with NATing ran out of nat translation table space, causing the router > to use 100% of the cpu (known problem with this IOS version, but can't > upgrade right now). The problem was one customer was infected with a > virus that caused their machine to attempt 1,000's of connections with > various Internet boxes. > > Is there a way to write a general rule that would alert when any -> any > attempts more then xx connections per unit of time on any port? Of course. That's what thresholding is for. For example: alert tcp any any -> any any (msg:""High traffic host"; threshold: type both, track by_src, count 4000, seconds 60; classtype:misc-activity; sid:1000001; rev:1;) This rule will send one alert per minute for every host that transmits more than 4000 packets per minute. The number 4000 is completely arbitrary. You can make it anything you want. Or, if you only want to catch outbound traffic: alert tcp $HOME_NET any -> any any (msg: blah, blah.) If you only want to catch SYN packets: alert tcp $HOME)NET any -> any any (msg: "High traffic host, SYN packets"; flags:S; threshold: type both, track by_src, count 4000, seconds 60; classtype:misc-activity; sid: 1000002; rev:1;) To make these rules really work, you're going to want to exclude hosts that are *supposed* to have high traffic. So, you could create a variable: var HIGH_NORMAL [x.x.x.x/32,x.x.x.x/32,x.x.x.x/32] Then rewrite the rule like this: alert tcp !$HIGH_NORMAL any -> any any (blah....) Paul Schmehl (pauls@utdallas.edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/ ------------------------------------------------------- This SF.Net email is sponsored by the new InstallShield X. From Windows to Linux, servers to mobile, InstallShield X is the one installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504 _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
