[Snort-users] Help with monitoring sending packet rate

Tu Nguyen nguyen at ...5886...
Wed May 15 10:49:03 EDT 2002

Hi All:
 I am having a problem with some rogue machines that
spew out packets at a very fast rate. I haven't been able
to capture any of these packets but I believe they are identical,
some sort of DoS. The Src IPs are spoofed and they vary but
their destinations are the same.
 I would like to have snort alert me when this happens and
the only signature I can find to identify the incident is by
the sending packet rate. I have been planning to modify
spp_portscan to alert me when the packet rate from a certain station
or subnet exceeds a certain threshold but the code looks daunting.
 Does anyone know how to monitor such an event? Or do I need
to reinvent the wheel here?
Thank you all.

Tu Nguyen
nguyen at ...5886...
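
The rate check asked about above, as an added example that is not part of the original message and is not Snort or spp_portscan code: a sliding-window packet counter keyed on destination address, since the post says the source IPs are spoofed and vary while the destination stays the same. The function names, the 1-second window, the 100-packet threshold and the sample addresses (documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict, deque

def detect_floods(packets, window=1.0, threshold=100):
    """Return one alert per burst in which a destination receives more than
    `threshold` packets within a sliding `window` (seconds).

    packets: time-ordered iterable of (timestamp, src_ip, dst_ip).
    Counting is per destination, so rotating spoofed sources cannot
    spread the load under a per-source limit.
    """
    recent = defaultdict(deque)   # dst -> (ts, src) pairs still in the window
    alerting = set()              # dsts already alerted for the current burst
    alerts = []
    for ts, src, dst in packets:
        q = recent[dst]
        q.append((ts, src))
        # Drop packets that have aged out of the sliding window.
        while q and ts - q[0][0] >= window:
            q.popleft()
        if len(q) > threshold:
            if dst not in alerting:          # alert once per burst, not per packet
                alerting.add(dst)
                alerts.append({"dst": dst, "time": ts, "count": len(q),
                               "distinct_sources": len({s for _, s in q})})
        else:
            alerting.discard(dst)            # rate fell back; re-arm for this dst
    return alerts

def sample_traffic():
    """Constructed sample records (not captured traffic)."""
    pkts = []
    # Ordinary client: 10 packets/s to 192.0.2.10 for two seconds.
    for i in range(20):
        pkts.append((i * 0.1, "198.51.100.5", "192.0.2.10"))
    # Flood: 500 packets in 0.5 s to 192.0.2.80 from rotating source addresses.
    for i in range(500):
        pkts.append((1.0 + i * 0.001, "203.0.113.%d" % (i % 250 + 1), "192.0.2.80"))
    pkts.sort(key=lambda p: p[0])
    return pkts

if __name__ == "__main__":
    for alert in detect_floods(sample_traffic()):
        print(alert)
```

A high `distinct_sources` value next to a single destination is the pattern the post describes; the same counter keyed on source subnet instead would cover the "certain station or subnet" variant.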

