[Snort-sigs] excessive simultaneous connections like iplimit ??

sekure sekure at ...2420...
Mon Jan 3 09:46:13 EST 2005


Look for "SYN"s and threshold/suppress below your desired number. 
Something like this:

alert tcp any any -> any any (msg: "High SYN Traffic"; flags:S,12;
threshold: type both, track by_src, seconds 60, count 1500;
classtype:misc-activity; sid: 1000001; rev:1;)

You have to play with it. I've had some luck with the above rule, but
sometimes it fails to trigger.


On Mon, 3 Jan 2005 17:33:08 +0000, paddy <paddy at ...2946...> wrote:
> Hi,
> 
> I thought I'd try to get snort to log instances where I see
> excessive simultaneous connections from the same host to a
> service.  something like the netfilter iplimit patch, but
> logging rather than responding.
> 
> I've waded through the manual and the FAQ, but it hasn't sunk
> in yet.
> 
> Would anyone suggest to me how it would be done?
> 
> Regards,
> Paddy
> --
> Perl 6 will give you the big knob. -- Larry Wall
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
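A worked simulation of what that threshold line actually does, added here as an example (it is not code from the post above or from Snort itself). It models the Snort 2.x manual's description of the three threshold types and runs the posted numbers (count 1500, seconds 60) over constructed SYN streams. Assumptions: the 60 s window opens on the first SYN seen for the tracked address (Snort's own sfthd bookkeeping may draw window edges differently), and the sensor sees both directions of a flow. It shows two things the rule text does not: 1600 SYNs split 800/800 across two windows never fire, which is one way a rule like this "sometimes fails to trigger", and a SYN counter measures arrival rate rather than simultaneous connections, which is what netfilter's iplimit actually limits. The OpenConnections class is the closer analogue to iplimit, and it needs flow state that a plain Snort rule does not keep.

```python
"""Simulation of Snort 2.x rule-level `threshold` semantics on TCP SYN events.
Added example: not code from the post above or from Snort; all traffic is
constructed inline."""
from collections import defaultdict


class SnortThreshold:
    """Models `threshold: type <limit|threshold|both>, track <by_src|by_dst>,
    count N, seconds M` as the Snort 2.x manual describes it. Assumption: the
    M-second window opens on the first event seen for the tracked address.
      limit     - alert on the first N events of a window, ignore the rest
      threshold - alert every N events within a window
      both      - alert once per window, on the Nth event, ignore the rest
    """

    def __init__(self, type_, track, count, seconds):
        if type_ not in ("limit", "threshold", "both") or track not in ("by_src", "by_dst"):
            raise ValueError("bad threshold options")
        self.type, self.track, self.count, self.seconds = type_, track, count, seconds
        self._state = {}  # tracked address -> (window_start, events_seen)

    def check(self, evt):
        """Return True if this event should raise the alert."""
        key = evt["src"] if self.track == "by_src" else evt["dst"]
        start, seen = self._state.get(key, (evt["ts"], 0))
        if evt["ts"] - start >= self.seconds:  # window expired: open a new one
            start, seen = evt["ts"], 0
        seen += 1
        if self.type == "limit":
            alert = seen <= self.count
        elif self.type == "threshold":
            alert = seen >= self.count
            seen = 0 if alert else seen
        else:  # both
            alert = seen == self.count
        self._state[key] = (start, seen)
        return alert


class OpenConnections:
    """Closer to what netfilter's iplimit counts: connections from src to dst
    that sent a SYN and have not yet sent FIN/RST. Assumption: the sensor sees
    the teardown packets. A plain Snort rule keeps no such state."""

    def __init__(self, limit):
        self.limit = limit
        self._open = defaultdict(set)  # (src, dst) -> client ports still open

    def check(self, evt):
        ports = self._open[(evt["src"], evt["dst"])]
        if evt["flags"] == "S":
            ports.add(evt["sport"])
        elif evt["flags"] in ("F", "R"):
            ports.discard(evt["sport"])
        return len(ports) > self.limit


def packets(src, dst, start, n, spacing, flags="S", sport0=40000):
    """Constructed traffic: n packets from src to dst, `spacing` seconds apart."""
    return [{"ts": start + i * spacing, "src": src, "dst": dst,
             "sport": sport0 + i, "flags": flags} for i in range(n)]


def alert_ordinals(detector, events):
    """Feed events in time order; return the 1-based ordinals that alerted."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [i for i, e in enumerate(ordered, 1) if detector.check(e)]


def posted_rule(track="by_src"):
    """The threshold options from the posted rule: both, count 1500, 60 s."""
    return SnortThreshold("both", track, count=1500, seconds=60)


def scenario_single_burst():
    """One host sends 1600 SYNs in 32 s: fires once, on the 1500th SYN."""
    return alert_ordinals(posted_rule(), packets("10.0.0.5", "192.0.2.10", 0, 1600, 0.02))


def scenario_straddle():
    """Same 1600 SYNs split 800/800 across two windows: neither window reaches
    1500, so the rule never fires."""
    evs = packets("10.0.0.5", "192.0.2.10", 0, 800, 0.01)
    evs += packets("10.0.0.5", "192.0.2.10", 61, 800, 0.01)
    return alert_ordinals(posted_rule(), evs)


def scenario_distributed(track):
    """Two hosts send 800 SYNs each to one server: by_src sees 800 per host and
    stays silent, by_dst sees 1600 at the server and fires."""
    evs = packets("10.0.0.5", "192.0.2.10", 0, 800, 0.01)
    evs += packets("10.0.0.6", "192.0.2.10", 0.005, 800, 0.01)
    return alert_ordinals(posted_rule(track), evs)


def scenario_rate_vs_concurrency():
    """8 connections opened, all closed, then 8 more: a SYN counter at count 10
    fires on the 10th SYN; an iplimit-style check at limit 10 never does, as at
    most 8 connections are open at once."""
    evs = packets("10.0.0.5", "192.0.2.10", 0, 8, 1)
    evs += packets("10.0.0.5", "192.0.2.10", 20, 8, 1, flags="F")
    evs += packets("10.0.0.5", "192.0.2.10", 40, 8, 1, sport0=50000)
    syn_only = [e for e in evs if e["flags"] == "S"]  # what `flags:S` matches
    counter = SnortThreshold("both", "by_src", count=10, seconds=60)
    return alert_ordinals(counter, syn_only), alert_ordinals(OpenConnections(10), evs)
```

Run the four scenario functions to see the numbers; the straddle case returns an empty list although the host sent more SYNs than in the single-burst case. Note also that later Snort 2.x releases deprecate the rule-level threshold keyword in favour of detection_filter in the rule and event_filter in threshold.conf, so check the manual for the version you run before copying the line above.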



