[Snort-users] Help with monitoring sending packet rate

Spitzer, Nathan Nathan.Spitzer at ...5841...
Wed May 15 11:38:04 EDT 2002

Monitoring throughput to certain devices is probably better handled through
SNMP if thats possible. If you have manageble switchs, you could use MRTG or
similar to alert you to high-traffic situations on individual ports.
Otherwise, you REALLY need to sniff some of that traffic so you could
develop a rule to monitor it. Good as Snort is, its not really setup do
throughput analysis. Just out of curiosity, what port and protocol are the
packets using and what kind of machines are they attempting to DOS?

-----Original Message-----
From: Tu Nguyen [mailto:nguyen at ...5886...]
Sent: Wednesday, May 15, 2002 1:46 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Help with monitoring sending packet rate

Hi All:
 I am having a problem with some rogue machines that
spew out packets at a very fast rate. I haven't been able
to capture any of these packets but I believe they are identical,
some sort of Dos. The Src IPs are spoofed and they vary but
their destinations are the same.
 I would like to have snort alert me when this happens and
the only signature I can find to identify the incident is by
the sending packet rate. I have been planning to modify
spp_portscan to alert me when packet rate from certain station
or subnet exceed certain threshold but the code looks daunting.
 Does anyone know how to monitor such an event? Or I need
to reinvent the wheel here.
thank you all.

Tu Nguyen
nguyen at ...5886...


Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth at ...382...
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list