[Snort-sigs] Sig for counting packets?

bthaler at ...572... bthaler at ...572...
Fri Aug 9 05:49:03 EDT 2002

Is it possible to create a rule that will only alert when it receives x packets from the specified host?

My problem is this:  I have a rule that will naturally generate false positives.  The distinction between a false positive and a
true positive is the number of packets received, not the content of any specific packet.

To clarify, the rule alerts on the string "550 unknown user" outbound from $SMTP.  The rule is in place to detect attempts to spam
our users.  A single host receiving a single "550 unknown user" from $SMTP wouldn't be a problem.  Most likely, someone just had a
bad email address.  But a brute-force type of attack, designed to find valid email addresses on the server would generate many "550
unknown user" messages, all being sent to the same host.

The rule:
alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"*** SMTP 550 (Spam Attempt) ***"; content:"550 unknown user"; nocase;)

As you can see, this would naturally generate lots of false positives.  All of the "noise" generated by this alert is starting to
drown out the real alerts.

Any help is appreciated.


Brad T.
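An added example, not part of Brad's post and not Snort code: a small Python model of the per-host "x packets in y seconds" threshold he is asking for, run over constructed SMTP reply events. Later Snort 2.x releases expose this on a rule with `threshold:type threshold, track by_dst, count N, seconds M;` (newer versions use `detection_filter` with the same `track`/`count`/`seconds` fields); the class below reproduces that semantics so a lone "550 unknown user" stays quiet while a burst of them to one external host fires once. The `$SMTP` address 10.0.0.25, the external addresses and the reply payloads are constructed sample values.

```python
"""Per-destination sliding-window threshold for the '550 unknown user' rule.

Added example, not from the original post.  Emulates Snort's
`threshold:type threshold, track by_dst, count N, seconds M`:
the alert fires on the N-th matching packet to the same destination
within M seconds, then the counter for that host resets.
"""
import re
from collections import defaultdict, deque

# Same match as content:"550 unknown user"; nocase; in the posted rule.
CONTENT_550 = re.compile(r"550 unknown user", re.IGNORECASE)


class HostThreshold:
    """Track matching packets per destination host inside a sliding window."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        # dst_ip -> timestamps of recent matches (oldest first)
        self._hits = defaultdict(deque)

    def observe(self, ts, dst_ip, payload):
        """Return True when this packet should raise an alert."""
        if not CONTENT_550.search(payload):
            return False
        window = self._hits[dst_ip]
        window.append(ts)
        # Forget matches that fell out of the window.
        while window and ts - window[0] > self.seconds:
            window.popleft()
        if len(window) >= self.count:
            window.clear()  # like type threshold: next alert needs a fresh burst
            return True
        return False


def run(events, count=5, seconds=60):
    """Feed (ts, src_ip, dst_ip, payload) events through the threshold.

    Returns the list of (ts, dst_ip) pairs that would have alerted.
    """
    th = HostThreshold(count, seconds)
    alerts = []
    for ts, _src, dst, payload in events:
        if th.observe(ts, dst, payload):
            alerts.append((ts, dst))
    return alerts


# Constructed sample traffic: $SMTP (10.0.0.25) replying to external hosts.
SAMPLE_EVENTS = [
    (0.0,   "10.0.0.25", "203.0.113.5", "550 unknown user: bob@example.com\r\n"),   # one typo, benign
    (1.0,   "10.0.0.25", "203.0.113.9", "250 OK\r\n"),                               # no match at all
    (10.0,  "10.0.0.25", "203.0.113.7", "550 unknown user: aaron@example.com\r\n"),  # burst to one host
    (11.0,  "10.0.0.25", "203.0.113.7", "550 unknown user: abby@example.com\r\n"),
    (12.0,  "10.0.0.25", "203.0.113.7", "550 Unknown User: adam@example.com\r\n"),   # nocase still matches
    (13.0,  "10.0.0.25", "203.0.113.7", "550 unknown user: alan@example.com\r\n"),
    (14.0,  "10.0.0.25", "203.0.113.7", "550 unknown user: alex@example.com\r\n"),
    (20.0,  "10.0.0.25", "203.0.113.8", "550 unknown user: carl@example.com\r\n"),   # slow trickle, 30s apart
    (50.0,  "10.0.0.25", "203.0.113.8", "550 unknown user: cara@example.com\r\n"),
    (80.0,  "10.0.0.25", "203.0.113.8", "550 unknown user: cody@example.com\r\n"),
    (110.0, "10.0.0.25", "203.0.113.8", "550 unknown user: cole@example.com\r\n"),
    (140.0, "10.0.0.25", "203.0.113.8", "550 unknown user: cory@example.com\r\n"),
    (200.0, "10.0.0.25", "203.0.113.5", "550 unknown user: bobb@example.com\r\n"),  # .5 again, window expired
]


if __name__ == "__main__":
    for ts, dst in run(SAMPLE_EVENTS, count=5, seconds=60):
        print(f"t={ts:6.1f}  *** SMTP 550 (Spam Attempt) ***  {dst}")
```

With `count=5, seconds=60` only the burst to 203.0.113.7 alerts (once, on the fifth reply); the two single 550s to 203.0.113.5 and the 30-second trickle to 203.0.113.8 never reach five inside any 60-second window. Lowering `count` to 3 catches the trickle too, which is the tuning trade-off a threshold gives you instead of the per-packet rule in the post.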

