This is a discussion on Re: [Snort-users] rule to detect lots of syn pkts? within the Snort forums, part of the System Security and Security Related category.
> > We ran into a problem last night at an ISP operation where a Cisco 7206
> > with NATing ran out of NAT translation table space, causing the router
> > to use 100% of the CPU (known problem with this IOS version, but can't
> > upgrade right now). The problem was one customer was infected with a
> > virus that caused their machine to attempt 1,000s of connections with
> > various Internet boxes.
> >
> > Is there a way to write a general rule that would alert when any -> any
> > attempts more than xx connections per unit of time on any port?
>
> Of course. That's what thresholding is for. For example:
>
> alert tcp any any -> any any (msg:"High traffic host"; threshold: type
> both, track by_src, count 4000, seconds 60; classtype:misc-activity;
> sid:1000001; rev:1;)
>
> This rule will send one alert per minute for every host that transmits more
> than 4000 packets per minute. The number 4000 is completely arbitrary.
> You can make it anything you want.
>
> Or, if you only want to catch outbound traffic:
> alert tcp $HOME_NET any -> any any (msg: blah, blah.)
>
> If you only want to catch SYN packets:
> alert tcp $HOME_NET any -> any any (msg:"High traffic host, SYN packets";
> flags:S; threshold: type both, track by_src, count 4000, seconds 60;
> classtype:misc-activity; sid:1000002; rev:1;)
>
> To make these rules really work, you're going to want to exclude hosts that
> are *supposed* to have high traffic. So, you could create a variable:
> var HIGH_NORMAL [x.x.x.x/32,x.x.x.x/32,x.x.x.x/32]
>
> Then rewrite the rule like this:
> alert tcp !$HIGH_NORMAL any -> any any (blah....)

Thanks Paul, that's exactly what I was hoping/looking for. Without doing any testing, it would appear the SYN approach might lead to the best alerts with a minimum of false positives. Since this is an ISP, I don't think there's going to be much value in attempting to define anything called normal.
;) Rich
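As an added example (not code from the thread, and not Snort's own implementation), the following Python simulates what the SYN-rate rule Paul posted actually does on the wire, so the `threshold: type both, track by_src, count N, seconds T` semantics can be seen on concrete traffic: the rule fires once when a source's N-th SYN lands inside a T-second window, then stays quiet until that window expires. Assumptions made here: packets are (timestamp, source IP, TCP flag string) tuples, `flags:S` matches packets whose flags are exactly SYN, and the HIGH_NORMAL addresses are invented stand-ins for the `x.x.x.x/32` entries in the post.

```python
"""
Simulation of the thresholded SYN-packet rule from the thread.
Added example; not code from the thread or from Snort itself.
"""
from ipaddress import ip_address, ip_network

# Stand-in for `var HIGH_NORMAL [x.x.x.x/32,...]`; these addresses are invented.
HIGH_NORMAL = [ip_network("192.0.2.10/32"), ip_network("192.0.2.11/32")]


def is_excluded(src, excluded=HIGH_NORMAL):
    """True if src falls inside the HIGH_NORMAL exclusion list (!$HIGH_NORMAL)."""
    addr = ip_address(src)
    return any(addr in net for net in excluded)


class ThresholdBoth:
    """Approximates Snort's `threshold: type both, track by_src`:
    fire once when the count-th matching event from a source arrives within
    `seconds` of that source's first event in the window, then stay silent until
    the window expires; the next matching event starts a fresh window."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        # src -> [window_start, events_seen, already_alerted]
        self.state = {}

    def event(self, src, ts):
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = [ts, 0, False]          # (re)start the window for this source
            self.state[src] = st
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True                 # one alert per window, as `type both` does
            return True
        return False


def detect_syn_floods(packets, count=4000, seconds=60, excluded=HIGH_NORMAL):
    """Run the SYN-only thresholded rule over packets ordered by timestamp.
    Returns [(timestamp, src)] for every alert the rule would raise."""
    thr = ThresholdBoth(count, seconds)
    alerts = []
    for ts, src, flags in sorted(packets, key=lambda p: p[0]):
        if flags != "S":                 # flags:S -> SYN only, no ACK/PSH etc.
            continue
        if is_excluded(src, excluded):   # !$HIGH_NORMAL as the source address
            continue
        if thr.event(src, ts):
            alerts.append((ts, src))
    return alerts


def make_packets():
    """Constructed traffic, not a capture: one infected host sending SYN bursts,
    one normal host, and one busy-but-expected host on the exclusion list."""
    pkts = []
    pkts += [(float(i), "10.0.0.5", "S") for i in range(50)]         # burst 1, t=0..49
    pkts += [(70.0 + i, "10.0.0.5", "S") for i in range(50)]         # burst 2, t=70..119
    pkts += [(float(i * 10), "10.0.0.7", "S") for i in range(5)]     # a few real connections
    pkts += [(float(i), "10.0.0.7", "PA") for i in range(100)]       # data packets, not SYNs
    pkts += [(float(i), "192.0.2.10", "S") for i in range(100)]      # excluded busy host
    return pkts


if __name__ == "__main__":
    # With count=20 and seconds=60 the infected host alerts once per window:
    # at its 20th SYN (t=19.0) and again in the second window (t=89.0).
    for ts, src in detect_syn_floods(make_packets(), count=20, seconds=60):
        print(f"t={ts:6.1f}  High traffic host, SYN packets  src={src}")
```

Two caveats worth keeping in mind when deploying the real rule: `flags:S` counts SYN segments, which approximates the "connection attempts" the original question asked about but will also count retransmitted SYNs to unreachable hosts, so the count should be set from a day of observed traffic rather than guessed; and in Snort 2.8.5 and later the rule-level `threshold` keyword was deprecated in favour of `detection_filter` in the rule body (same `track`/`count`/`seconds` arguments) with `event_filter` in threshold.conf for output suppression, so on a current sensor the rule is written with `detection_filter` instead.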