[Snort-users] Detecting concurrent connections
mkettler at ...4108...
Wed Jun 12 12:42:02 EDT 2002
Agreed, snort is not stateful in this respect.
Currently I'd see that this is the kind of thing that really has 2
solutions outside of using snort:
1) I'd suspect that it is possible for some stateful firewalls to implement
connect rate limiting (since they have to track connection states anyway).
This would really only slow them down unless the firewall had some kind of
"if they try to exceed this threshold, shun that IP for an extended period of
time" rule.
2) It might be possible to set up some kind of perl-script log watcher that
looks for a large number of "user unknown" errors being generated from the
same originating IP and just add that IP to your /etc/mail/access file (or
whatever similar blocking file your mailserver uses).
Simultaneous state- and time-based analysis isn't really the domain of the
current version of snort, which is really looking for intrusion signatures,
portscans (large number of different ports over time), and anomalous SYN
packets. There are some stateful aspects, and some time aspects, but none
that analyze state and time currently.
There's been some talk in the past of modifying spp_portscan to create a
spp_synflood (looking for a large number of syn connections to the same
port in a given time window), but this doesn't really determine how many of
these connections are concurrent. Dig in the archives, someone once posted
a small patch to get that effect.
At 12:03 PM 6/12/2002 -0300, Renato Araújo wrote:
>I want to configure a snort rule to detect if there is a number of
>concurrent connections to a server. Example, I want snort to detect if
>anyone has 15 or more connections simultaneously established to my
>Does anyone know if this is possible? I need this because someone used
>a program that sends tons of emails to my server to discover valid
>emails. I solved the problem by blocking the IP with iptables, but I'm
>looking for an automated solution.
>Unix _IS_ user friendly - it`s just selective about who its friends are !
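The log-watcher approach from the reply above (count "user unknown" rejections per originating IP over a time window, then add that IP to /etc/mail/access), worked through as an added example. This is not code from the thread, from the Snort project, or from sendmail; it is written in Python rather than the perl script the reply suggests. It assumes sendmail-8.12-style syslog lines carrying a `relay=[a.b.c.d]` field and a `User unknown` rejection, a threshold of 15 rejections (the number from the original question) within a 60-second window (an assumed value), and the tagged `Connect:ip REJECT` access-db format. The log lines are constructed for the example, not captured from a real server.

```python
"""Watch sendmail-style log lines for bursts of "User unknown" rejections and
emit /etc/mail/access entries for the offending client IPs.

Added illustration, not from the original thread. Log lines are constructed in
sendmail 8.12 syslog style; the exact format on a real server may differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 15        # rejections from one IP (from the original question) ...
WINDOW_SECONDS = 60   # ... within this many seconds => block (assumed value)

# Assumed line shape: "Mon DD HH:MM:SS host sendmail[pid]: qid: ruleset=check_rcpt,
# arg1=<rcpt>, relay=name [a.b.c.d], reject=550 5.1.1 <rcpt>... User unknown"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r".*relay=[^,]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*\bUser unknown"
)


def parse_rejection(line, year=2002):
    """Return (timestamp, client_ip) for a User-unknown rejection, else None.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


class UnknownUserWatcher:
    """Sliding-window counter of rejections per source IP."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # ip -> rejection timestamps in window
        self.blocked = {}                  # ip -> time it crossed the threshold

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a block."""
        parsed = parse_rejection(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.blocked:            # already shunned, nothing more to do
            return None
        q = self.recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:   # expire old hits
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts
            q.clear()
            return ip
        return None

    def access_entries(self):
        """Lines to append to /etc/mail/access (rebuild access.db with makemap)."""
        return [f"Connect:{ip}\tREJECT" for ip in sorted(self.blocked)]


def make_line(ts, ip, rcpt, qid="g5CExx012345"):
    """Constructed sendmail-style rejection line (not real log output)."""
    return (f"{ts} mx1 sendmail[12345]: {qid}: ruleset=check_rcpt, arg1=<{rcpt}>, "
            f"relay=[{ip}], reject=550 5.1.1 <{rcpt}>... User unknown")


def sample_log():
    """Constructed log: one address harvester, one legitimate sender with typos."""
    lines = [make_line(f"Jun 12 11:58:{i * 2:02d}", "203.0.113.5",
                       f"user{i}@example.com") for i in range(16)]
    for i, clock in enumerate(("11:50:00", "11:53:00", "11:57:30")):
        lines.append(make_line(f"Jun 12 {clock}", "198.51.100.7",
                               f"typo{i}@example.com"))
    lines.append("Jun 12 11:58:40 mx1 sendmail[12346]: g5CEyy012346: "
                 "to=<bob@example.com>, delay=00:00:01, mailer=local, stat=Sent")
    return lines


def run(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Feed every line; return the watcher and the IPs blocked along the way."""
    watcher = UnknownUserWatcher(threshold, window)
    triggered = [ip for ip in (watcher.feed(l) for l in lines) if ip]
    return watcher, triggered


if __name__ == "__main__":
    watcher, newly = run(sample_log())
    for entry in watcher.access_entries():
        print(entry)        # in production: append to access, run makemap
```

In use this would tail the mail log (or be fed by syslog) rather than a list, and the printed entries would be appended to /etc/mail/access followed by `makemap hash /etc/mail/access < /etc/mail/access`. The window matters: a legitimate correspondent who mistypes a few addresses over several minutes never accumulates 15 hits inside 60 seconds, while a harvester that fires one RCPT every couple of seconds crosses the threshold on its fifteenth rejection.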