[Snort-sigs] Sig for counting packets?

Jason Brvenik jasonb at ...435...
Sat Aug 10 20:49:02 EDT 2002


I would think this would be pretty easy to do and make flexible. You don't
really need a many-to-many at all.

It should be assumable that the dest is a limited number and the window is of
limited time. The overall limit is memory.

Here is what I am thinking.
Add a threshold option to a rule. Triggering of the rule starts a short code
branch which does a hash index into the following.

timestamp => sid => destip:port => srcip => X.

sid is the rule sid
timestamp is unixtime
destip:port duh!
srcip ...
X is the count

Prune the hash at the timestamp level on window interval or at memcap
limitations similar to stream. Anything with a timestamp older than ( now -
window ) is dropped.

The rest is a hash index to X where you do a transpose sequential search
until the first element is the threshold. Then pop it and alert.

Make any sense?

Jason.


Chris Green wrote:

> <bthaler at ...572...> writes:
>
> > Is it possible to create a rule that will only alert when it receives
> > x packets from the specified host?
>
> That's not what you're really asking.  The underlying support for
> alerting on 10 packets received from HOST x is there.  You want alert
> thresholds.
>
> > My problem is this: I have a rule, that will naturally generate false
> > positives.  The distinction between a false positive and a true
> > positive is the number of packets received, not the content of any
> > specific packet.
> >
> > To clarify, the rule alerts on the string "550 unknown user" outbound
> > from $SMTP.  The rule is in place to detect attempts to spam our
> > users.  A single host receiving a single "550 unknown user" from $SMTP
> > wouldn't be a problem.  Most likely, someone just had a bad email
> > address.  But a brute-force type of attack, designed to find valid
> > email addresses on the server would generate many "550 unknown user"
> > messages, all being sent to the same host.
>
> Steve Halligan did something like this once. The underlying support
> needed for this is an Entity structure in snort with references to
> what has gone off and who has this entity talked to.
>
> If anyone has great Many->Many datastructure references, I'm all ears
> :)
> --
> Chris Green <cmg at ...435...>
> Warning: time of day goes back, taking countermeasures.
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
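The nested hash Jason sketches above, worked through as an added example (editor's code, not Snort's and not from anyone in this thread): timestamp buckets keyed sid -> dst:port -> src -> count, pruning by window and by a memcap, and the sequential walk over the buckets that pops the counter and alerts when the threshold is reached. It is driven by a constructed version of the "550 unknown user" scenario from the original question; the sid, the $SMTP address, the client addresses and the traffic are all assumptions.

```python
#!/usr/bin/env python3
"""Sliding-window rule threshold, modelled on the nested hash above:
timestamp => sid => destip:port => srcip => count.
Added example; not Snort code.  Rule sid, addresses and traffic are assumed."""
from collections import defaultdict


def _bucket():
    """One timestamp bucket: sid -> (dst, dport) -> src -> count."""
    return defaultdict(lambda: defaultdict(lambda: defaultdict(int)))


class ThresholdTable:
    """Counts hits per (sid, dst:port, src) inside a sliding window.

    window -- seconds a hit stays countable (the 'window interval')
    memcap -- maximum number of src counters kept; when exceeded the oldest
              timestamp buckets are evicted first, as stream does
    """

    def __init__(self, window, memcap):
        self.window = window
        self.memcap = memcap
        self.table = {}   # unixtime -> bucket
        self.leaves = 0   # src counters currently stored

    def _drop(self, ts):
        bucket = self.table.pop(ts)
        self.leaves -= sum(len(srcs) for dsts in bucket.values()
                           for srcs in dsts.values())

    def _prune(self, now):
        # Anything with a timestamp older than (now - window) is dropped.
        for ts in [t for t in self.table if t < now - self.window]:
            self._drop(ts)
        # Memcap: evict the oldest buckets until back under the cap.
        while self.leaves > self.memcap and self.table:
            self._drop(min(self.table))

    def _pop(self, sid, key, src):
        # Reset the counter so the next alert needs `threshold` fresh hits.
        for bucket in self.table.values():
            if sid in bucket and key in bucket[sid] and src in bucket[sid][key]:
                del bucket[sid][key][src]
                self.leaves -= 1

    def hit(self, now, sid, dst, dport, src, threshold):
        """Record one triggering of rule `sid` at unixtime `now`; return True
        when hits for (sid, dst:port, src) inside the window reach `threshold`."""
        self._prune(now)
        bucket = self.table.setdefault(now, _bucket())
        key = (dst, dport)
        if src not in bucket[sid][key]:
            self.leaves += 1
        bucket[sid][key][src] += 1
        # Sequential walk over the timestamp buckets summing this key's
        # counter; stop at the first point the threshold is reached.
        total = 0
        for ts in sorted(self.table):
            total += self.table[ts].get(sid, {}).get(key, {}).get(src, 0)
            if total >= threshold:
                self._pop(sid, key, src)
                return True
        return False


SID_550 = 1000001   # assumed sid for the '550 unknown user' outbound rule
SMTP = "10.0.0.25"  # assumed $SMTP address
T0 = 1029000000

# Constructed traffic as (offset_seconds, client_ip): one client draws ten
# 550s in ten seconds (address harvesting), one draws a single 550 (a typo),
# and one draws five spread over 100 seconds (outside a 60 s window).
SAMPLE = (
    [(i, "192.0.2.10") for i in range(10)]
    + [(3, "192.0.2.20")]
    + [(0, "192.0.2.30"), (1, "192.0.2.30"), (2, "192.0.2.30"),
       (100, "192.0.2.30"), (101, "192.0.2.30")]
)


def run_sample(threshold=5, window=60, memcap=1000):
    """Replay SAMPLE in time order; return [(offset, client_ip)] of alerts.
    dport is None: 550 replies go to the client's ephemeral port, so keying
    on it would split one harvester's hits across many counters."""
    tbl = ThresholdTable(window, memcap)
    alerts = []
    for off, client in sorted(SAMPLE):
        if tbl.hit(T0 + off, SID_550, client, None, SMTP, threshold):
            alerts.append((off, client))
    return alerts


if __name__ == "__main__":
    for off, client in run_sample():
        print(f"t+{off:<3} alert: sid {SID_550} threshold reached for {client}")
```

With threshold 5 and a 60 s window the harvester at 192.0.2.10 alerts at t+4 and again at t+9 (the pop resets it), the single typo never alerts, and 192.0.2.30 never alerts because its first three hits age out before the last two arrive; widen the window to 200 s and it alerts at t+101. One caveat on the sketch's key: because the 550 replies go to ephemeral client ports, counting by dst IP:port would split a harvester across many counters, so the sample keys on the client IP alone, which is what Snort's later rule-level thresholding (`threshold: type threshold, track by_dst, count 5, seconds 60`) tracks by.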
