[Snort-users] [Q] thresholding: to throttle flood of alerts

Matt Olney molney at ...1935...
Thu Oct 16 11:23:05 EDT 2008


While odd, a quick test using ip instead of tcp in a test rule seems to
work.  I'm not certain how the decoder would handle this, or what the
internals of Snort might do or not do based on this information.  The VRT
would almost certainly choose to write this rule as two rules, and, taking a
quick look at our rule set, all IP rules are any any, portswise.

While this works now, one of the concerns would be functionality going
forward or back in Snort versions, and how various preprocessors would deal
with the traffic.  I'd strongly recommend making this two rules.

Matt

On Thu, Oct 16, 2008 at 10:42 AM, Jack Pepper <
pepperjack at ...14319...> wrote:

> It *does* seem illogical to specify a (tcp/udp) port number when the
> protocol is not tcp or udp.
>
> jp
>
> Quoting Joel Esler <eslerj at ...11827...>:
>
> > I think I remember someone saying not too long ago about you can't use
> > ports with an "ip" rule?
> >
> > J
> >
> > On Oct 16, 2008, at 2:59 AM, Victor Klimov wrote:
> >
> >> Hi Leon,
> >>
> >> Yeah, I know, it should work...
> >> But it doesn't:
> >>
> >> #Rule for alerting common TCP/UDP flood attack:
> >> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message
> >> flooding directed to SIP proxy"; threshold: type limit, track by_src,
> >> count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:2;)
> >>
> >> This rule above should limit the flooding alert: once in 10 min.
> >> However I continue to see a lot of 100000160 alerts, several per
> >> minute.
> >> Hmm...
> >>
> >> Victor
> >>
> >> On Wed, Oct 15, 2008 at 9:24 PM, Leon Ward <seclists at ...14165...>
> >> wrote:
> >>> Hi.
> >>>
> >>> You are looking for "limit", or rather "both" limit and threshold
> >>>
> >>> Take a look at README.thresholding in the /doc directory and the
> >>> link below.
> >>>
> >>>
> http://snort.org/docs/snort_htmanuals/htmanual_280/node330.html#Event_Thresholding
> >>>
> >>> -Leon
> >>>
> >>>
> >>>
> >>> On 15 Oct 2008, at 19:50, Victor Klimov wrote:
> >>>
> >>>> Hi Jack,
> >>>>
> >>>> Actually I don't want to detect a flood. I already have some kind of
> >>>> flood,
> >>>> at least according to what I get from snort.
> >>>> I want to throttle the flood of 'flooding directed to SIP proxy'
> >>>> messages.
> >>>>
> >>>> Even if I changed the threshold values in the original rule,
> >>>> I do see several in let's say 3 min.
> >>>>
> >>>> That is what I want to throttle.
> >>>>
> >>>> Victor
> >>>>
> >>>>
> -------------------------------------------------------------------------
> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's
> >>>> challenge
> >>>> Build the coolest Linux based applications with Moblin SDK & win
> >>>> great
> >>>> prizes
> >>>> Grand prize is a trip for two to an Open Source event anywhere in
> >>>> the
> >>>> world
> >>>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >>>> _______________________________________________
> >>>> Snort-users mailing list
> >>>> Snort-users at lists.sourceforge.net
> >>>> Go to this URL to change user options or unsubscribe:
> >>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>> Snort-users list archive:
> >>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
> >
>
>
>
> --
>
> Framework?  I don't need no stinking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
>
>
>
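The thread turns on two things: what the `threshold: type limit, track by_src, count 1, seconds 600` option is supposed to do (README.thresholding's limit / threshold / both semantics), and Matt's advice to write the `ip` rule as a tcp rule and a udp rule. The script below is an added example written for this archive page, not Snort code and not anything posted in the thread. It parses the threshold keywords out of a rule string, replays a constructed alert stream (one source firing every 10 seconds for 30 minutes, plus a quiet second source) through each of the three semantics, and counts the surviving alerts. The UDP twin's `sid:100000161` and `rev:3` are placeholders chosen for the example; the window model (a per-key window that starts at the first event and resets after `seconds`) is a simplification of Snort's own bookkeeping.

```python
"""Model of Snort's per-rule threshold option (README.thresholding).

Added example, not Snort source. Parses the threshold keywords out of a
rule and replays a constructed alert stream through the limit /
threshold / both semantics so the surviving alert count can be checked.
"""
import re

# Victor's rule split into a TCP and a UDP twin, as Matt recommends.
# sid 100000161 and rev 3 are placeholders chosen for this example.
RULE_TCP = (
    'alert tcp any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message '
    'flooding directed to SIP proxy"; threshold: type limit, track by_src, '
    'count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:3;)'
)
RULE_UDP = RULE_TCP.replace("alert tcp", "alert udp").replace(
    "sid:100000160", "sid:100000161")

# Requires whitespace between keyword and value, so "seconds600" is rejected.
THRESHOLD_RE = re.compile(
    r"threshold:\s*type\s+(?P<kind>limit|threshold|both)\s*,"
    r"\s*track\s+(?P<track>by_src|by_dst)\s*,"
    r"\s*count\s+(?P<count>\d+)\s*,"
    r"\s*seconds\s+(?P<seconds>\d+)\s*;"
)


def parse_threshold(rule):
    """Return the threshold keywords of a rule, or raise if malformed."""
    m = THRESHOLD_RE.search(rule)
    if m is None:
        raise ValueError("no well-formed threshold option found")
    return {"kind": m["kind"], "track": m["track"],
            "count": int(m["count"]), "seconds": int(m["seconds"])}


class EventFilter:
    """Per-key counter deciding whether a matching event is logged."""

    def __init__(self, kind, track, count, seconds):
        self.kind, self.track = kind, track
        self.count, self.seconds = count, seconds
        self.state = {}  # key -> (window_start, events_seen_in_window)

    def allow(self, ts, src, dst):
        key = src if self.track == "by_src" else dst
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # window expired: open a new one
        seen += 1
        self.state[key] = (start, seen)
        if self.kind == "limit":         # first `count` events per window
            return seen <= self.count
        if self.kind == "threshold":     # every `count`-th event per window
            return seen % self.count == 0
        return seen == self.count        # both: once, when count is reached


def replay(rule, events):
    """Run (ts, src, dst) events through the rule's threshold; return survivors."""
    flt = EventFilter(**parse_threshold(rule))
    return [e for e in events if flt.allow(*e)]


def sample_events():
    """Constructed stream: one source firing every 10 s for 30 min,
    plus a second source with two isolated hits."""
    events = [(t, "10.0.0.5", "192.0.2.10") for t in range(0, 1800, 10)]
    events += [(5, "10.0.0.9", "192.0.2.10"), (900, "10.0.0.9", "192.0.2.10")]
    return sorted(events)


def variant(kind, count):
    """RULE_TCP with a different threshold type and count, for comparison."""
    return RULE_TCP.replace("type limit", "type " + kind).replace(
        "count 1,", "count %d," % count)


def count_alerts(rule):
    """Number of alerts from sample_events() that survive the rule's threshold."""
    return len(replay(rule, sample_events()))


if __name__ == "__main__":
    for label, rule in (("limit 1/600s", RULE_TCP),
                        ("threshold 10/600s", variant("threshold", 10)),
                        ("both 10/600s", variant("both", 10))):
        print("%-18s %3d alerts survive" % (label, count_alerts(rule)))
```

With `type limit, count 1, seconds 600` the noisy source produces exactly one alert per ten-minute window (three in thirty minutes) and the quiet source two, which is the behaviour Victor expected. The regex deliberately insists on whitespace between `seconds` and its value, so running `parse_threshold` over a rule before loading it catches a run-together option like the one in the quoted rule.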