[Snort-sigs] excessive simultaneous connections like iplimit ??
matt at ...2436...
Mon Jan 3 11:07:18 EST 2005
I like this idea. Will put a rule in the bleeding snort rulesets.
But I'd think 800 or 1000 connections per source would be more
appropriate. What does everyone think there?
My goal is to have a rule that's appropriate for both medium and large
sites. Small sites would have to adjust to fit their own needs.
>Look for "SYN"s and threshold/suppress below your desired number.
>Something like this:
>alert tcp any any -> any any (msg: "High SYN Traffic"; flags:S,12;
>threshold: type both, track by_src, seconds 60, count 1500;
>classtype:misc-activity; sid: 1000001; rev:1;)
>You have to play with it; I've had some luck with the above rule, but
>sometimes it fails to trigger.
>On Mon, 3 Jan 2005 17:33:08 +0000, paddy <paddy at ...2946...> wrote:
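As an added illustration (not code from this post, nor from Snort itself), the script below models how the quoted rule's "threshold: type both, track by_src, seconds 60, count N" behaves on a SYN stream, so the per-source window semantics can be reasoned about offline; Pkt, SynThreshold, alerts_for, burst and the sample traffic are all assumptions of the example.

```python
# Added example, not from the mailing-list post: a model of Snort's
# "threshold: type both, track by_src, seconds N, count M" applied to
# SYN-only packets (flags:S,12). Packet records below are constructed.
from dataclasses import dataclass, field

@dataclass
class Pkt:
    ts: float      # seconds since capture start
    src: str
    flags: str     # TCP flag letters as Snort prints them, e.g. "S", "SA"

@dataclass
class SynThreshold:
    """type both, track by_src: one alert per window once count is reached."""
    count: int = 1500
    seconds: int = 60
    state: dict = field(default_factory=dict)  # src -> [window_start, seen]

    def feed(self, p: Pkt):
        # flags:S,12 matches SYN-only packets, ignoring reserved bits 1 and 2
        if p.flags.replace("1", "").replace("2", "") != "S":
            return None
        start, seen = self.state.get(p.src, (p.ts, 0))
        if p.ts - start >= self.seconds:      # window expired: open a new one
            start, seen = p.ts, 0
        seen += 1
        self.state[p.src] = [start, seen]
        # "both": alert exactly when the count is hit, stay quiet afterwards
        return p.src if seen == self.count else None

def alerts_for(pkts, count=1500, seconds=60):
    th = SynThreshold(count=count, seconds=seconds)
    return [a for a in (th.feed(p) for p in pkts) if a]

def burst(src, t0, n, spacing):
    return [Pkt(t0 + i * spacing, src, "S") for i in range(n)]

# Constructed traffic: 10.0.0.1 sends 1500 SYNs in 30 s (fires once, not
# 1500 times); 10.0.0.2 sends 1500 SYNs spread over 120 s (never reaches
# 1500 inside one 60 s window, so it stays silent); 10.0.0.3 sends only
# SYN/ACK replies, which flags:S does not match.
SAMPLE = (burst("10.0.0.1", 0.0, 1500, 0.02)
          + burst("10.0.0.2", 0.0, 1500, 0.08)
          + [Pkt(1.0, "10.0.0.3", "SA")])

if __name__ == "__main__":
    print(alerts_for(sorted(SAMPLE, key=lambda p: p.ts)))   # ['10.0.0.1']
```

The second source shows the edge case a practitioner should keep in mind: a burst that straddles the 60 s window boundary never reaches the count in either window, so a rate rule of this shape can stay silent even though the total volume is high.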