[Snort-sigs] excessive simultaneous connections like iplimit ??

Matt Jonkman matt at ...2436...
Mon Jan 3 11:07:18 EST 2005


I like this idea. Will put a rule in the bleeding snort rulesets.

But I'd think 800 or 1000 connections per source would be more 
appropriate. What does everyone think there?

My goal is to have a rule that's appropriate for both medium and large 
sites. Small sites would have to adjust to fit their own needs.

Matt

sekure wrote:

>Look for "SYN"s and threshold/suppress below your desired number. 
>Something like this:
>
>alert tcp any any -> any any (msg: "High SYN Traffic"; flags:S,12;
>threshold: type both, track by_src, seconds 60, count 1500;
>classtype:misc-activity; sid: 1000001; rev:1;)
>
>You have to play with it, i've had some luck with the above rule, but
>sometimes it fails to trigger.
>
>
>On Mon, 3 Jan 2005 17:33:08 +0000, paddy <paddy at ...2946...> wrote:
>  
>





More information about the Snort-sigs mailing list