[Snort-sigs] Sig for counting packets?

Chris Green cmg at ...435...
Fri Aug 9 05:57:02 EDT 2002


<bthaler at ...572...> writes:

> Is it possible to create a rule that will only alert when it receives
> x packets from the specified host?

That's not what you're really asking.  The underlying support for
alerting on 10 packets received from HOST x is there.  You want alert
thresholds.

> My problem is this: I have a rule, that will naturally generate false
> positives.  The distinction between a false positive and a true
> positive is the number of packets received, not the content of any
> specific packet.
>
> To clarify, the rule alerts on the string "550 unknown user" outbound
> from $SMTP.  The rule is in place to detect attempts to spam our
> users.  A single host receiving a single "550 unknown user" from $SMTP
> wouldn't be a problem.  Most likely, someone just had a bad email
> address.  But a brute-force type of attack, designed to find valid
> email addresses on the server would generate many "550 unknown user"
> messages, all being sent to the same host.

Steve Halligan did something like this once. The underlying support
needed for this is an Entity structure in snort with references to
what has gone off and who has this entity talked to.

If anyone has great Many->Many datastructure references, I'm all ears
:)
-- 
Chris Green <cmg at ...435...>
Warning: time of day goes back, taking countermeasures.
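The thresholding Chris describes, tracked per destination host, can be sketched outside Snort. The following is an added example, not code from this thread or from Snort: it walks a constructed log of outbound `$SMTP` responses, counts "550 unknown user" replies per destination within a sliding window, and raises one alert when a host accumulates `count` of them within `seconds`. Timestamps, addresses (documentation ranges) and the `detect_bounce_bursts` name are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample log of outbound responses from $SMTP, one tuple per line:
# (unix_time, dst_host, response_text). Addresses are documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    (1000, "198.51.100.4", "550 unknown user"),  # one bounce: probably a bad address
    (1001, "203.0.113.7", "550 unknown user"),
    (1002, "203.0.113.7", "250 OK"),             # not a bounce, ignored
    (1003, "203.0.113.7", "550 unknown user"),
    (1004, "203.0.113.7", "550 unknown user"),
    (1010, "203.0.113.7", "550 unknown user"),
    (1012, "203.0.113.7", "550 unknown user"),   # 5th 550 to this host within 60 s -> alert
    (1013, "203.0.113.7", "550 unknown user"),   # starts a fresh window, no alert yet
    (1200, "198.51.100.4", "550 unknown user"),  # 200 s after the first one: outside the window
]

# The content match from the original rule, anchored to the start of the response line.
BOUNCE = re.compile(r"^550 unknown user", re.IGNORECASE)


def detect_bounce_bursts(events, count=5, seconds=60):
    """Track matching responses by destination host in a sliding window.

    Returns a list of (dst_host, alert_time, hits) tuples. An alert fires the
    moment a host reaches `count` matches within `seconds`; the host's window is
    then cleared so a sustained burst produces one alert per `count` hits rather
    than one per packet.
    """
    windows = defaultdict(deque)   # dst_host -> timestamps of recent matches
    alerts = []
    for ts, dst, text in events:   # events are assumed to be in time order
        if not BOUNCE.search(text):
            continue
        window = windows[dst]
        window.append(ts)
        # Drop matches older than the window relative to the current event.
        while window and ts - window[0] > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append((dst, ts, len(window)))
            window.clear()
    return alerts


if __name__ == "__main__":
    for dst, ts, hits in detect_bounce_bursts(SAMPLE_EVENTS):
        print(f"ALERT t={ts}: {hits} '550 unknown user' responses to {dst} within 60 s")
```

The single bounce to 198.51.100.4 never alerts, which is the behaviour the original poster wants; only the host collecting many bounces in a short span does. The window clear after an alert is a design choice that mirrors "alert once, then start counting again"; removing it would instead alert on every further packet once the threshold is crossed.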