[Snort-users] Detecting concurrent connections

matt mkettler at ...4108...
Wed Jun 12 12:42:02 EDT 2002

Agreed, snort is not stateful in this respect.

Currently I'd see that this is the kind of thing that really has 2 
solutions outside of using snort:

1) I'd suspect that it is possible for some stateful firewalls to implement 
connection rate limiting (since they have to track connection states anyway). 
This would really only slow them down unless it had some kind of "if they 
try to exceed this threshold, shun that IP for an extended period of time" rule.

2) It might be possible to set up some kind of perl-script log watcher that 
looks for a large number of "user unknown" errors being generated from the 
same originating IP and just add that IP to your /etc/mail/access file (or 
whatever similar blocking file your mailserver uses).

Simultaneous state and time based analysis isn't really much the domain of 
the current version of snort, which is really looking for intrusion 
signatures, portscans (large number of different ports over time), and 
anomalous syn packets. There are some stateful aspects, and some time 
aspects, but none that analyze state and time currently.

There's been some talk in the past of modifying spp_portscan to create a 
spp_synflood (looking for a large number of syn connections to the same 
port in a given time window), but this doesn't really determine how many of 
these connections are concurrent. Dig in the archives, someone once posted 
a small patch to get that effect.

At 12:03 PM 6/12/2002 -0300, Renato Araújo wrote:
>I want to configure a snort rule to detect if there is a number of
>concurrent connections to a server. Example, I want snort to detect if
>anyone has 15 or more connections simultaneously established to my
>smtp server.
>Does anyone know if this is possible? I need this because someone used
>a program that sends tons of emails to my server to discover valid
>emails. I solved the problem by blocking the IP with iptables, but I'm
>looking for an automated solution.
>Atenciosamente (sincerely),
>Renato Araújo
>Unix _IS_ user friendly - it's just selective about who its friends are !
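The log-watcher idea from option 2) above, worked through as an added example (it is not code from the thread, and Python is used here in place of the perl script mentioned). It assumes a sendmail-style syslog line in which the rejected recipient appears with `relay=[IP]` and the text `User unknown`; the sample lines are constructed, the exact field layout of a real sendmail log may differ, and the `mx` host name, the year used to complete the timestamps, the threshold and the window are all placeholders to adjust. An IP is flagged when it produces at least `threshold` "User unknown" rejections inside a sliding window of `window_seconds`, and the flagged IPs are emitted as sendmail access-map `REJECT` entries, skipping any already present in the file.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed sendmail-style rejection line; adapt the pattern to the real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: \S+: "
    r".*relay=(?:\S+ )?\[(?P<ip>[\d.]+)\].*User unknown"
)


def _line(ts, ip, user):
    """Build one constructed sample log line (not a real capture)."""
    return (f"{ts} mx sendmail[2101]: g5CEw1a02101: ruleset=check_rcpt, "
            f"arg1=<{user}@example.org>, relay=[{ip}], "
            f"reject=550 5.1.1 <{user}@example.org>... User unknown")


# Constructed sample: one host guessing 8 addresses in 8 seconds, one host with
# two widely spaced typos, one late hit from the first host, and one unrelated line.
SAMPLE_LOG = (
    [_line(f"Jun 12 11:58:{s:02d}", "203.0.113.7", f"guess{s}") for s in range(1, 9)]
    + [_line("Jun 12 11:58:10", "198.51.100.9", "typo"),
       _line("Jun 12 12:03:30", "198.51.100.9", "typo2"),
       _line("Jun 12 13:30:00", "203.0.113.7", "late"),
       "Jun 12 11:58:05 mx sendmail[2101]: g5CEw1a02101: from=<ok@example.net>, "
       "size=512, relay=[192.0.2.5]"]
)


def find_offenders(lines, threshold=5, window_seconds=60, year=2002):
    """Return {ip: peak count} for IPs with >= threshold rejections in any window.

    syslog timestamps carry no year, so `year` is an assumed placeholder.
    """
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a "User unknown" rejection
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    events.sort()  # log files are normally ordered, but be safe
    recent = defaultdict(deque)  # per-IP timestamps inside the window
    offenders = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop rejections that fell out of the window
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def access_entries(offenders):
    """Sendmail access-map lines: 'Connect:<ip>  REJECT' (tagged form)."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(offenders)]


def merge_access(existing_text, offenders):
    """Append REJECT lines for flagged IPs not already listed; keep existing text intact."""
    present = set()
    for raw in existing_text.splitlines():
        fields = raw.split()
        if fields and not raw.startswith("#"):
            key = fields[0]
            present.add(key[len("Connect:"):] if key.startswith("Connect:") else key)
    additions = [e for ip, e in zip(sorted(offenders), access_entries(offenders))
                 if ip not in present]
    if not additions:
        return existing_text
    if existing_text and not existing_text.endswith("\n"):
        existing_text += "\n"
    return existing_text + "\n".join(additions) + "\n"


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    print("flagged:", found)
    print(merge_access("", found), end="")
```

After the watcher rewrites `/etc/mail/access`, the database still has to be rebuilt with `makemap hash /etc/mail/access < /etc/mail/access` before sendmail sees the new entries. The sliding window is what keeps two mistyped addresses hours apart from being counted as a flood; only sustained bursts from one source cross the threshold.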
