[Snort-users] Thresholding the threshold

sekure sekure at ...11827...
Fri Aug 6 06:26:16 EDT 2004


Hey everyone,

I understand that you can't really apply a threshold to the same rule
twice, but i was wondering if anyone has suggestions as to how I might
be able to figure this one out.

I have a rule that alerts whenever it encounters more than 20 SYNs per
second: alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic";
flags:S; threshold: type threshold, track by_src, seconds 1, count 25;
classtype:misc-activity; sid: 1000035; rev:1;)  This is not for
detecting portscans so much as for detecting misconfigured
applications (i monitor a development segment and they often bombard
our production network with hundreds of SYNs/second).

The problem is that last night for example, I got alerted 620 times in
the matter of 5 minutes.  There is no way to threshold the alert on a
rule with threshold in it.  Also, applying a global threshold doesn't
help since local thresholding overrides it.

I think it's time to dive into portscan or flow-portscan preprocessor.
Question: would they allow me to detect when there is a large number
of SYNs sent to the SAME port?  Because that's what i am trying to
find.




More information about the Snort-users mailing list