[Snort-sigs] excessive simultaneous connections like iplimit ??

paddy paddy at ...2946...
Mon Jan 3 11:02:20 EST 2005

On Mon, Jan 03, 2005 at 12:45:28PM -0500, sekure wrote:
> Look for "SYN"s and threshold/suppress below your desired number. 
> Something like this:
> alert tcp any any -> any any (msg: "High SYN Traffic"; flags:S,12;
> threshold: type both, track by_src, seconds 60, count 1500;
> classtype:misc-activity; sid: 1000001; rev:1;)
> You have to play with it, i've had some luck with the above rule, but
> sometimes it fails to trigger.


Thank you for this incredibly quick and helpfull reply.  After a bit 
of playing I got this rule running on a test machine, and I also 
looked at the docs, to try to better understand it.

It seems to me that it is not aware of connections and so can't
tell the difference between a rapid sequence of connections and
an excessive number of _simultaneous_ connections.  It sees the
SYN packets just fine, but it doesn't track or count _connections_.

Unfortunately that is what I'm after.

I don't really get the stuff in the docs about prepocessors:

	Are they just fixed plugins with their own menus of 
	funtionality, or do they provide services to rules?

Given the connections in question are not on the snort host, I am
dependent on modelling the state of the connection, but I would
imagine some sort of simple state machine that adds one to a counter
at the initial [SYN]-[SYN,ACK]-[ACK] and takes one off at the 
[FIN]-[FIN,ACK]-[ACK] would be the basic model (no doubt it is
way more complicated than this, but I don't pretend to know!)
the alert could then fire when the couter exceeded a threshold.
I suppose there are timeouts that need to be modelled in this
as well. But all this is already done, or already considered, 
surely ?  Am I after the impossible?

Perhaps for what I want I'm better reading /proc/net/tcp on the host 
in question, but I was rather hoping to get a lot for free out of
snort.  For example, it would be really nice to log the entire 
exchange, but only keep it in the instance that it exceeds the limit.  
To do that I'm thinking I need to log all candidate packets, and then
throw away those that don't ultimately trigger the rule, which is 
a bit of work if there isn't already software like snort that does

I can see the preprocessors stream4 and flow in the User Manual, but
I can't make head or tail of how to use them.  The more I look, the
more I see stuff like activate/dynamic and tag, that don't seem to
be quite what I'm looking for, tantalisingly so.

I suppose, on reflection that something along the lines of

  activate tcp any any -> any any (msg: "High SYN Traffic"; flags:S,12;
   threshold: type both, track by_src, seconds 60, count 1500; activates: 1000002;
   classtype:misc-activity; sid: 1000001; rev:1;)

  dynamic tcp any any -> any any (activated_by:1000001; count: 100;)

might be of some use.  And that's already more complex than I would have 
come up with without your help!  I'll go and see what I can get by tuning
the numbers.

Perl 6 will give you the big knob. -- Larry Wall

More information about the Snort-sigs mailing list