[Snort-users] Is it possible to make a rule for maximum connections?[Updated with rule]

Russ Combs rcombs at ...1935...
Wed May 2 12:22:15 EDT 2012


On Wed, May 2, 2012 at 10:28 AM, Simon Blixt <blixten_496 at ...125...>wrote:

>  Hi,
>
> I've read the "write rules"-manual and configured to following rule:
> drop tcp any any -> 10.10.10.1 80 (msg:"xxx"; flow:established,to_server;
> detection_filter:track by_src, count 100, seconds 5; sid:1000001;rev1;)
>
> It works kinda like I want it to work, but is it possible to determine for
> how long it should drop, or "ban", those packets from the src IP?
>

For that, check rate_filters.

>
> Thanks in advance,
> Blixten
>
> > Subject: Re: [Snort-users] Is it possible to make a rule for maximum
> connetions?
> > From: jesler at ...1935...
> > Date: Wed, 2 May 2012 08:37:57 -0400
> > CC: snort-users at lists.sourceforge.net
> > To: blixten_496 at ...125...
> >
> > You have the ability to alert on if a number of connections in a time
> period exceeds a certain number, but no, you can't limit the maximum number
> of connections to a webserver. Probably something you want to control
> through the webserver itself.
> >
> > J
> >
> > On May 2, 2012, at 4:43 AM, Simon Blixt wrote:
> >
> > > Hi,
> > >
> > > I'm in a situation where I want to limit to maximum numbers of
> connection to my webserver.
> > > Is it possible to write such a rule? I'm new to rule-creating and need
> some backup.
> > > Using Snort as an IPS.
> > >
> > > Thanks in advance,
> > > Blixten
> > >
> ------------------------------------------------------------------------------
> > > Live Security Virtual Conference
> > > Exclusive live event will cover all the ways today's security and
> > > threat landscape has changed and how IT managers can respond.
> Discussions
> > > will include endpoint security, mobile security and the latest in
> malware
> > > threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
> >
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120502/2a90c35d/attachment.html>


More information about the Snort-users mailing list