[Snort-users] Thresholding the threshold
sekure at ...11827...
Fri Aug 6 06:26:16 EDT 2004
I understand that you can't really apply a threshold to the same rule
twice, but i was wondering if anyone has suggestions as to how I might
be able to figure this one out.
I have a rule that alerts whenever it encounters more than 20 SYNs per
second:

alert tcp $HOME_NET any -> any any (msg: "High SYN Traffic"; flags:S; threshold: type threshold, track by_src, seconds 1, count 25; classtype:misc-activity; sid: 1000035; rev:1;)

This is not for detecting portscans so much as for detecting misconfigured
applications (I monitor a development segment and they often bombard
our production network with hundreds of SYNs/second).
The problem is that last night, for example, I got alerted 620 times in
a matter of 5 minutes. There is no way to threshold the alert on a
rule with threshold in it. Also, applying a global threshold doesn't
help since local thresholding overrides it.
I think it's time to dive into portscan or flow-portscan preprocessor.
Question: would they allow me to detect when there is a large number
of SYNs sent to the SAME port? Because that's what I am trying to
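Added example, not code from the thread or from Snort: a small Python model of the three `threshold` types Snort 2 documents (`limit`, `threshold`, `both`) replayed over a constructed 100 SYN/s burst lasting 300 seconds, to show how the choice of type changes alert volume for the same count and window. The window handling (window opens at a source's first event and restarts when it expires) is a simplification of Snort's, and the rates and durations are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ThresholdState:
    window_start: float
    count: int = 0


def run_threshold(events, ttype, count, seconds):
    """Replay (timestamp, src) events through a simplified Snort-style
    threshold tracked by source. Returns the events that raise an alert.
    limit:     alert on the first `count` events per window, then stay quiet
    threshold: alert every `count` events within a window
    both:      alert once per window, when the count reaches `count`"""
    state = {}
    alerts = []
    for ts, src in events:
        st = state.setdefault(src, ThresholdState(window_start=ts))
        if ts - st.window_start >= seconds:
            # window expired: start a new one at this event (simplification)
            st.window_start = ts
            st.count = 0
        st.count += 1
        if ttype == "limit":
            fire = st.count <= count
        elif ttype == "threshold":
            fire = st.count % count == 0
        elif ttype == "both":
            fire = st.count == count
        else:
            raise ValueError(f"unknown threshold type: {ttype}")
        if fire:
            alerts.append((ts, src))
    return alerts


def constructed_syn_flood(src="10.0.0.5", rate=100, duration=300):
    # Constructed sample input: `rate` SYNs per second, evenly spaced,
    # from one source for `duration` seconds (the assumed dev-segment flood).
    return [(i / rate, src) for i in range(rate * duration)]


def compare(rate=100, duration=300, count=25, seconds=1):
    # Alert counts each threshold type produces for the same flood.
    ev = constructed_syn_flood(rate=rate, duration=duration)
    return {t: len(run_threshold(ev, t, count, seconds))
            for t in ("limit", "threshold", "both")}


if __name__ == "__main__":
    print(compare())  # {'limit': 7500, 'threshold': 1200, 'both': 300}
```

Widening the window for `both` (for example `seconds 60` with the same count) keeps the detection but brings the flood down to one alert per minute per source.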