[Snort-users] Thresholding the threshold

sekure sekure at ...11827...
Fri Aug 6 09:38:02 EDT 2004

On Fri, 6 Aug 2004 11:47:04 -0400, Keith W. McCammon <mccammon at ...11827...> wrote:
> See the docs for thresholding.  There are different types of threshold
> rules.  You probably want the "both" type.  You may need to tweak the
> rule (set the interval longer), though.

I agree, I could use type "both" and set the time interval to about 60
seconds, which should limit the # of alerts i end up seeing to 1 per
second, but that would mean that i'd get a lot more alerts, and the
important ones may get suppressed. 20 SYNs in 60 seconds is not
exactly the same as 20 SYNs in 1 second.  So it'll have to be a lot of
guess work to get the # high enough not to FP.  Then again, the rates
I am talking about here I might be able to tweak it just right.

> You don't want flow_portscan.....Don't think portscan will work, either

You just saved me a lot of experimenting and frustration.  So unless
people disagree, i'll abandon that aproach

> If I may, I'll make a suggestion that I made recently to someone with
> a similar problem.  You're really looking for anomalous network
> traffic, as opposed to an attack.  Perhaps something like NTop might
> help you to pinpoint the source and severity of these issues with a
> lot less work, and may also provide more useful data.

I do have ntop running on that segment, but all it was telling me was
that the source and the destination exchanged 3.5MB over the course of
that hour (it happened at night).  Nothing suspicious, tiny amount of
traffic among thousands of other sessions between other hosts
happening at the same time, taking up MUCH more bandwidth.  What it
DIDN'T tell me was that this was ALL very short sessions in very short
period of time, which was causing the router in the middle to spike in
CPU utilization as it was trying to keep state for thousands of
connections (which is what I was trying to find out in the first

> Also, in response to your description of the problem, a firewall
> between your development and production segments would probably be
> advisable

I WISH it was that easy. :)

> Hope this helps...

It did!  Thanks!

More information about the Snort-users mailing list