This is a discussion on Re: [Snort-users] rule to detect lots of syn pkts? within the Snort forums, part of the System Security and Security Related category.
At 10:12 AM 6/4/2004, Rich Adamson wrote:
> The problem was one customer was infected with a
> virus that caused their machine to attempt 1,000's of connections with
> various Internet boxes.
>
> Is there a way to write a general rule that would alert when any -> any
> attempts more than xx connections per unit of time on any port?

The classic portscan preprocessor, set with rather high thresholds, should be useful in picking up Blaster, Sasser, and similar high volumes of connections generated by worm infections. While it's not very good at detecting real-world portscans without false alarms, it's very good at detecting truly massive scans like a worm causes. Set it to something on the order of 500 connections in 5 seconds.
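The thresholding idea in the reply above (count a source's new-connection attempts inside a short sliding window and alert only when the count is far beyond anything a normal client produces) can be shown in a few lines of Python. This is an added example, not Snort code and not the poster's configuration: the 500-in-5-seconds figure is the one suggested in the reply, and the two hosts' packet records below are constructed for the example, one behaving like a normal web client and one like a worm-infected machine spraying SYNs at port 445.

```python
"""
Sliding-window SYN-rate detector, illustrating the "rather high threshold"
approach recommended in the reply.  Added example; not part of Snort or
of the original post.  Threshold and window are the reply's suggestion
(500 connection attempts in 5 seconds); the traffic is constructed.
"""
from collections import defaultdict, deque

THRESHOLD = 500   # connection attempts per window, per source address
WINDOW = 5.0      # window length in seconds


class SynRateDetector:
    """Keeps, per source IP, the timestamps of outbound SYNs that fall
    inside the sliding window, and reports a source the first time it
    exceeds the threshold."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.syns = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.alerted = set()             # sources already reported once

    def observe(self, ts, src, dst, dport, flags):
        """Feed one packet record. Returns an alert string or None."""
        if flags != "S":                 # only new connection attempts count
            return None
        q = self.syns[src]
        q.append(ts)
        # discard timestamps that have fallen out of the window
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return (f"{ts:.3f} {src}: {len(q)} SYNs in {self.window:g}s "
                    f"(threshold {self.threshold})")
        return None


def build_sample_packets():
    """Constructed traffic (hypothetical addresses from documentation ranges).
    10.0.0.5 is a busy but normal client: one new connection every 0.1 s
    for 60 s, i.e. 600 SYNs in total but never more than 51 in any 5 s.
    10.0.0.99 is worm-like: 800 SYNs to port 445 in 4 s starting at t=10."""
    packets = []
    for i in range(600):
        packets.append((i * 0.1, "10.0.0.5",
                        f"203.0.113.{i % 200 + 1}", 80, "S"))
    for i in range(800):
        packets.append((10.0 + i * 0.005, "10.0.0.99",
                        f"198.51.100.{i % 254 + 1}", 445, "S"))
    packets.sort(key=lambda p: p[0])
    return packets


def run_detector(packets, threshold=THRESHOLD, window=WINDOW):
    """Run the detector over a packet list and return the alerts raised."""
    det = SynRateDetector(threshold, window)
    return [a for a in (det.observe(*p) for p in packets) if a]


if __name__ == "__main__":
    pkts = build_sample_packets()
    print("threshold 500/5s:")
    for alert in run_detector(pkts):
        print("  " + alert)
    # The reply's caveat: a portscan-style threshold low enough for real
    # scans also fires on the normal client.
    print("threshold 50/5s:")
    for alert in run_detector(pkts, threshold=50):
        print("  " + alert)
```

With the reply's 500-in-5-seconds setting only the infected host is reported; rerunning with a typical portscan threshold (50 in 5 seconds) also flags the ordinary client, which is the false-alarm behaviour the reply warns about and the reason for keeping the threshold high when the goal is catching worm floods rather than scans.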