[Snort-sigs] Sig for counting packets?

Clemens, Dan Dan.Clemens at ...678...
Fri Aug 9 07:27:06 EDT 2002

<bthaler at ...572...> writes:

> Is it possible to create a rule that will only alert when it receives
> x packets from the specified host?

That's not what you're really asking.  The underlying support for
alerting on 10 packets received from HOST x is there.  You want alert

What I have used in the past was swatch to tackle this problem.

Here is a paper that Lance wrote on the subject and might be exactly what
you are looking for:


HH is for hours, MM for minutes, and SS for seconds. This time interval is
the amount of time swatch will ignore identical matched patterns that repeat
themselves. For example, if you define this period as 5 minutes, swatch will
only report one identical matched pattern over that time period, even though
it might have matched 20 identical entries. 

The fourth field (required if you are using the third field) is a timestamp,
defined as start:length. This defines the location and length of the timestamp
in the notification message.

For our sendmail example, we want to create a swatchrc file that looks for
patterns matching our two triggers (See Figure A and Figure B). When it
matches either of these patterns, we want it to notify via email
abuse at ...740... and to include the matched pattern in the email.
However, we have to be careful not to be flooded with warnings. For example,
if someone attempts to relay off us with 1000 emails a minute, we would be
overwhelmed with notifications. So, we will set a time interval of 5
minutes. Regardless of how many identical patterns are matched in a five
minute period, we will receive only one warning. Our swatchrc file would
look as follows: 

watchfor /Relaying denied|expn/ 
         mail=abuse at ...741...,subject=--- Sendmail Alert! --- 
         throttle 5:00 0:16 

Hope this helps.

-Daniel Uriah Clemens

> My problem is this: I have a rule, that will naturally generate false
> positives.  The distinction between a false positive and a true
> positive is the number of packets received, not the content of any
> specific packet.
> To clarify, the rule alerts on the string "550 unknown user" outbound
> from $SMTP.  The rule is in place to detect attempts to spam our
> users.  A single host receiving a single "550 unknown user" from $SMTP
> wouldn't be a problem.  Most likely, someone just had a bad email
> address.  But a brute-force type of attack, designed to find valid
> email addresses on the server would generate many "550 unknown user"
> messages, all being sent to the same host.

Steve Halligan did something like this once. The underlying support
needed for this is an Entity structure in snort with references to
what has gone off and who has this entity talked to.

If anyone has great Many->Many data structure references, I'm all ears
Chris Green <cmg at ...435...>
Warning: time of day goes back, taking countermeasures.
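Both replies above describe the same two pieces of logic outside of Snort: the swatch throttle from Lance's paper (one notification per matched pattern per time interval), and the per-host counter the original poster wants (alert only once N "550 unknown user" responses have gone to the same destination). The script below is an added example and is not code from Dan, Chris, Lance, or the Snort project. It reads Snort "fast" alert lines, counts matching alerts per destination host inside a sliding window, and once the count is reached applies a swatch-style throttle so the same host does not notify again for five minutes. The sample alert lines are constructed for the example, and the SID 1:1000001:1 and the rule message "SMTP 550 unknown user outbound" are assumed, not real. Later Snort releases added the `threshold` and `detection_filter` rule options (for example `detection_filter: track by_dst, count 5, seconds 60;`) that do this counting inside the engine; the script shows the same logic as a post-processor.

```python
"""Count-then-throttle alerting over Snort fast-alert lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort "fast" alert line layout: timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<gid_sid_rev>[\d:]+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict for one Snort fast-alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Fast-alert timestamps carry no year; strptime fills in 1900, which is
    # fine here because only differences between timestamps are used.
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    return rec


class CountThrottle:
    """Fire when `count` events for one key fall inside `seconds`, then stay
    quiet for that key for `throttle` seconds (the swatch throttle idea)."""

    def __init__(self, count, seconds, throttle):
        self.count = count
        self.window = timedelta(seconds=seconds)
        self.throttle = timedelta(seconds=throttle)
        self.seen = defaultdict(deque)  # key -> timestamps still inside the window
        self.last_fired = {}            # key -> time of the last notification

    def observe(self, key, ts):
        """Record one event; return True if a notification should go out."""
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire events older than the window
            q.popleft()
        if len(q) < self.count:
            return False                      # a few bounces are normal, stay quiet
        last = self.last_fired.get(key)
        if last is not None and ts - last < self.throttle:
            return False                      # already notified for this key recently
        self.last_fired[key] = ts
        return True


def process_alerts(text, pattern="550 unknown user", count=5, seconds=60, throttle=300):
    """Return [(HH:MM:SS, dst, events_in_window)] for every notification sent."""
    tracker = CountThrottle(count, seconds, throttle)
    notices = []
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None or pattern not in rec["msg"]:
            continue
        if tracker.observe(rec["dst"], rec["ts"]):
            notices.append((rec["ts"].strftime("%H:%M:%S"), rec["dst"],
                            len(tracker.seen[rec["dst"]])))
    return notices


def fast_line(hms, dst, sport=25, dport=40001):
    """Build one constructed Snort fast-alert line (hypothetical SID, not real traffic)."""
    return (f"08/09-{hms}.000000 [**] [1:1000001:1] SMTP 550 unknown user outbound [**] "
            f"[Priority: 2] {{TCP}} 10.0.0.25:{sport} -> {dst}:{dport}")


# Constructed events: one benign bounce to 192.168.1.20, then two bursts of
# bounces to 203.0.113.7 (an address-harvesting attempt) six minutes apart.
EVENTS = ([("07:27:01", "192.168.1.20")]
          + [(f"07:27:{s:02d}", "203.0.113.7") for s in range(5, 45, 5)]
          + [(f"07:33:{s:02d}", "203.0.113.7") for s in range(0, 25, 5)])
SAMPLE_ALERTS = "\n".join(fast_line(t, d) for t, d in EVENTS) + "\nnot an alert line\n"

if __name__ == "__main__":
    for when, host, n in process_alerts(SAMPLE_ALERTS):
        print(f"{when} {host}: {n} '550 unknown user' responses within 60s, notifying")
```

With the defaults the single bounce to 192.168.1.20 never notifies, the first burst to 203.0.113.7 notifies once at the fifth response (the sixth through eighth are throttled), and the second burst notifies again because it arrives after the five-minute throttle has expired. Keying on the destination host is what turns the content match into the count-based distinction the original poster asked about; keying on src+dst, or on the matched pattern alone as swatch does, is a one-line change to the `observe` call.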

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net