[Snort-users] [Q] thresholding: to throttle flood of alerts

Bob Konigsberg bobkberg at ...12746...
Thu Oct 16 19:14:52 EDT 2008


For what it's worth, back when I worked at a local university, we were
getting hit with too many alerts to deal with.  I contacted the professors
to find out who they expected to hit their servers legitimately, and learned
that most of the traffic was for local students only.

Long story short - we just blocked all non web traffic that originated
outside North America and were amazed to see the number of attacks, scans
and whatever drop by more than an order of magnitude.

The geographical list for class A and class B sized blocks is readily
available at either ARIN or IANA - I forget which.

My $.02 worth.

Bob
 

-----Original Message-----
From: Jack Pepper [mailto:pepperjack at ...14319...] 
Sent: Thursday, October 16, 2008 8:51 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] [Q] thresholding: to throttle flood of alerts

maybe try tracking by dest instead.

jp

Quoting Victor Klimov <vk77de at ...14012...>:

> Hi Markus,
>
> That's probably it.
> 99% of them come from different sources.
>
> It was not myself that wrote the rule.
> Got it with the oinkmaster.
>
> Thanks,
>
> Victor
>
> On Thu, Oct 16, 2008 at 2:41 PM, Markus Lude <markus.lude at ...348...> wrote:
>> On Thu, Oct 16, 2008 at 06:59:37AM +0000, Victor Klimov wrote:
>>> Hi Leon,
>>>
>>> Yeah, I know, it should work...
>>> But it doesn't:
>>>
>>> # Rule for alerting on a common TCP/UDP flood attack:
>>> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; \
>>>   threshold: type limit, track by_src, count 1, seconds 600; \
>>>   classtype:attempted-dos; sid:100000160; rev:2;)
>>>
>>> This rule above should limit the flooding alert: once in 10 min.
>>> However I continue to see a lot of 100000160 alerts, several per minute.
>>> Hmm...
>>
>> Do these alerts come from different sources or the same one? As I 
>> understand thresholds, track by_src means a separate counter for each 
>> source.
>>
>> Regards,
>> Markus
>>
>>
>



-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate
http://www.afferentsecurity.com
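A small model of how a Snort `threshold: type limit` counter behaves under `track by_src` versus `track by_dst`, added here as an illustration of the point Markus and Jack make above; it is not code from the list or from Snort, and the proxy address, source addresses and timestamps are constructed.

```python
class LimitThreshold:
    """Model of Snort 'threshold: type limit': fire on the first `count`
    events per tracking key inside a `seconds` window, then stay quiet
    until the window expires.  Added example, not Snort's own code."""

    def __init__(self, track, count, seconds):
        assert track in ("by_src", "by_dst")
        self.track, self.count, self.seconds = track, count, seconds
        self.windows = {}  # key -> (window_start, events_seen_in_window)

    def fires(self, ts, src, dst):
        # by_src keeps one counter per source IP, by_dst one per destination IP
        key = src if self.track == "by_src" else dst
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0          # window expired: start a fresh one
        fire = seen < self.count
        self.windows[key] = (start, seen + 1)
        return fire


def count_alerts(track, events, count=1, seconds=600):
    """Number of alerts the rule would emit for a list of (ts, src, dst)."""
    th = LimitThreshold(track, count, seconds)
    return sum(1 for ts, src, dst in events if th.fires(ts, src, dst))


# Constructed traffic: 50 distinct sources each send one SIP message to the
# proxy within 60 s, and the same flood repeats 15 minutes later.
PROXY = "10.0.0.5"
FLOOD = [(t, f"198.51.100.{t}", PROXY) for t in range(1, 51)]
DISTRIBUTED = FLOOD + [(t + 900, src, dst) for t, src, dst in FLOOD]

# Same volume, but from a single source.
SINGLE_SOURCE = [(t, "198.51.100.7", PROXY) for t in range(1, 51)]

if __name__ == "__main__":
    # by_src: one alert per distinct source per window, so the flood still
    # produces 100 alerts; by_dst: one alert per window for the proxy.
    print("distributed flood, by_src:", count_alerts("by_src", DISTRIBUTED))
    print("distributed flood, by_dst:", count_alerts("by_dst", DISTRIBUTED))
    print("single source, by_src:   ", count_alerts("by_src", SINGLE_SOURCE))
```

With one source the by_src limit behaves as expected (one alert per 10 minutes); with many sources it is the per-destination counter that actually throttles the alert stream.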

