[Snort-sigs] excessive simultaneous connections like iplimit ??

sekure sekure at ...2420...
Mon Jan 3 12:40:14 EST 2005


Paddy,

If I understand you correctly you are talking about monitoring
concurrent active sessions.  I don't think Snort can do this without
some custom preprocessor work, though a lot of the foundation is
there.

The Stream4 preprocessor can dump session data to disk (look at the
keepstats parameter).  It's just a matter of post-processing that
file, though on a fairly busy network that's probably not a way to do
it. And the session data is written after the connection is
terminated, so you'd always be behind.

I don't know, I am stumped.

I tried playing with activates/dynamic rules, but never got anywhere,
they refused to work for my purpose a few versions back.  I also
remember something about the support for them going away in favor of
tag: keyword.

Good luck


On Mon, 3 Jan 2005 19:01:46 +0000, paddy <paddy at ...2946...> wrote:
> On Mon, Jan 03, 2005 at 12:45:28PM -0500, sekure wrote:
> > Look for "SYN"s and threshold/suppress below your desired number.
> > Something like this:
> >
> > alert tcp any any -> any any (msg: "High SYN Traffic"; flags:S,12;
> > threshold: type both, track by_src, seconds 60, count 1500;
> > classtype:misc-activity; sid: 1000001; rev:1;)
> >
> > You have to play with it, I've had some luck with the above rule, but
> > sometimes it fails to trigger.
> 
> Sekure,
> 
> Thank you for this incredibly quick and helpful reply.  After a bit
> of playing I got this rule running on a test machine, and I also
> looked at the docs, to try to better understand it.
> 
> It seems to me that it is not aware of connections and so can't
> tell the difference between a rapid sequence of connections and
> an excessive number of _simultaneous_ connections.  It sees the
> SYN packets just fine, but it doesn't track or count _connections_.
> 
> Unfortunately that is what I'm after.
> 
> I don't really get the stuff in the docs about preprocessors:
> 
>        Are they just fixed plugins with their own menus of
>        functionality, or do they provide services to rules?
> 
> Given the connections in question are not on the snort host, I am
> dependent on modelling the state of the connection, but I would
> imagine some sort of simple state machine that adds one to a counter
> at the initial [SYN]-[SYN,ACK]-[ACK] and takes one off at the
> [FIN]-[FIN,ACK]-[ACK] would be the basic model (no doubt it is
> way more complicated than this, but I don't pretend to know!)
> The alert could then fire when the counter exceeded a threshold.
> I suppose there are timeouts that need to be modelled in this
> as well. But all this is already done, or already considered,
> surely ?  Am I after the impossible?
> 
> Perhaps for what I want I'm better reading /proc/net/tcp on the host
> in question, but I was rather hoping to get a lot for free out of
> snort.  For example, it would be really nice to log the entire
> exchange, but only keep it in the instance that it exceeds the limit.
> To do that I'm thinking I need to log all candidate packets, and then
> throw away those that don't ultimately trigger the rule, which is
> a bit of work if there isn't already software like snort that does
> it.
> 
> I can see the preprocessors stream4 and flow in the User Manual, but
> I can't make head or tail of how to use them.  The more I look, the
> more I see stuff like activate/dynamic and tag, that don't seem to
> be quite what I'm looking for, tantalisingly so.
> 
> I suppose, on reflection that something along the lines of
> 
>  activate tcp any any -> any any (msg: "High SYN Traffic"; flags:S,12;
>   threshold: type both, track by_src, seconds 60, count 1500; activates: 1000002;
>   classtype:misc-activity; sid: 1000001; rev:1;)
> 
>  dynamic tcp any any -> any any (activated_by:1000002; count: 100;)
> 
> might be of some use.  And that's already more complex than I would have
> come up with without your help!  I'll go and see what I can get by tuning
> the numbers.
> 
> Regards,
> Paddy
> --
> Perl 6 will give you the big knob. -- Larry Wall
> 
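The connection-counting state machine sketched in the quoted message, as an added example that is not part of the original thread and is not Snort code. It assumes packets have already been parsed into (timestamp, source, source port, destination, destination port, flags) with flags given as a string such as "S", "SA" or "FA"; the names ConnTracker, open_conn, close_conn and demo, the limit of 2 and the 300-second idle timeout are all hypothetical. The constructed traffic shows the distinction the thread turns on: one client holds three connections open and trips the limit, while another sends more SYNs in total but never has more than one connection open.

```python
class ConnTracker:  # added example, not Snort code
    def __init__(self, limit, idle_timeout=300.0):  # both values are assumptions
        self.limit, self.idle_timeout = limit, idle_timeout
        self.conns = {}   # (client, cport, server, sport) -> [state, last_seen, fin_senders]
        self.alerts = []  # (timestamp, client, established_count)
    def established(self, client):
        return sum(1 for k, v in self.conns.items() if k[0] == client and v[0] == "EST")
    def packet(self, ts, src, sport, dst, dport, flags):
        # Expire idle entries so a missed FIN/RST cannot inflate the count forever.
        for k in [k for k, v in self.conns.items() if ts - v[1] > self.idle_timeout]:
            del self.conns[k]
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in self.conns else rev if rev in self.conns else None
        if key is None:
            if flags == "S":  # a bare SYN starts a candidate connection
                self.conns[fwd] = ["SYN_SENT", ts, set()]
            return
        conn = self.conns[key]
        conn[1] = ts
        if "R" in flags:  # reset: the connection is gone at once
            del self.conns[key]
        elif "F" in flags:
            conn[2].add((src, sport))
            if len(conn[2]) == 2:  # both sides have sent FIN
                del self.conns[key]
        elif conn[0] == "SYN_SENT" and key == rev and flags == "SA":
            conn[0] = "SYN_RCVD"
        elif conn[0] == "SYN_RCVD" and key == fwd and flags == "A":
            conn[0] = "EST"  # handshake complete: count it and check the limit
            n = self.established(src)
            if n > self.limit:
                self.alerts.append((ts, src, n))

def open_conn(t, ts, c, cp, s, sp):   # three-way handshake
    for pkt in ((c, cp, s, sp, "S"), (s, sp, c, cp, "SA"), (c, cp, s, sp, "A")):
        t.packet(ts, *pkt)

def close_conn(t, ts, c, cp, s, sp):  # FIN from each side, then the last ACK
    for pkt in ((c, cp, s, sp, "FA"), (s, sp, c, cp, "FA"), (c, cp, s, sp, "A")):
        t.packet(ts, *pkt)

def demo():
    t = ConnTracker(limit=2)  # constructed traffic; the limit is chosen for the demo
    for i in range(3):        # 10.0.0.5 holds three connections open at once
        open_conn(t, float(i), "10.0.0.5", 40000 + i, "10.0.0.1", 80)
    for i in range(5):        # 10.0.0.9 makes five short connections, one at a time
        open_conn(t, 10.0 + i, "10.0.0.9", 50000 + i, "10.0.0.1", 80)
        close_conn(t, 10.5 + i, "10.0.0.9", 50000 + i, "10.0.0.1", 80)
    return t
```

A connection is counted only once the handshake completes and stays counted until both sides have sent FIN, a RST is seen, or it has been idle longer than the timeout.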



