[Snort-users] Alert on Max connections per IP

Russ rucombs at ...589...
Mon Jun 6 23:23:02 EDT 2016


Detection filters prevent a rule from firing until the threshold is met.

You may be looking for a rate filter.  Check README.filters.


On 6/6/16 10:10 PM, Argcyborg wrote:
>
> I already use that in my rule with no luck.
>
> alert tcp $EXTERNAL_NET any -> 192.168.1.50 4000 ( msg:"Deteccion de conexiones"; flow:established,to_server; content:"|0d 00 00 00 50 cc 5d ed b6 19 a5 91 00|"; nocase; rawbytes; detection_filter: track by_src, count 2, seconds 60; sid:1000050; rev:1;)
>
> If I remove detection_filter the rule works and detects the content, but 
> with the detection_filter it doesn't.
>
> I don’t know what to do.
>
> Thanks again !
>
> -----Original Message-----
> From: Al Lewis (allewi) [mailto:allewi at ...589...]
> Sent: Monday, June 6, 2016 20:03
> To: Argcyborg; wkitty42 at ...14940...; 
> snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Alert on Max connections per IP
>
> Section on thresholding:
>
> See the section on the detection filters.
>
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node34.html#detection_filter
>
> 1)  track by the source - source IP match
>
> 2)  count - the number of rule matches within the seconds window that will cause 
> the event_filter limit to be exceeded.
>
> 3)  within 60 seconds - within the time specified
>
> The third packet that matches the source IP will trigger an alert if 
> within the 60 second time period.
>
> Albert Lewis
>
> QA SNORT/Sourcefire
>
> SOURCEfire, Inc. now part of Cisco
>
> 9780 Patuxent Woods Drive
>
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
> -----Original Message-----
>
> From: Argcyborg [mailto:argcyborg at ...11827...]
>
> Sent: Monday, June 06, 2016 6:40 PM
>
> To: wkitty42 at ...14940...; 
> snort-users at lists.sourceforge.net
>
> Subject: Re: [Snort-users] Alert on Max connections per IP
>
> Hi, if I use this rule, what would the threshold config be for two?
>
> alert tcp $EXTERNAL_NET any -> 192.168.1.50 4000 ( msg:"Deteccion de conexiones"; flow:established,to_server; content:"|0d 00 00 00 50 cc 5d ed b6 19 a5 91 00|"; nocase; rawbytes; detection_filter: track by_src, count 2, seconds 60; sid:1000050; rev:1;)
>
> Thanks again!
>
> -----Original Message-----
>
> From: wkitty42 at ...14940...
> Sent: Sunday, June 5, 2016 20:41
>
> To: snort-users at lists.sourceforge.net
>
> Subject: Re: [Snort-users] Alert on Max connections per IP
>
> On 06/05/2016 05:39 PM, Argcyborg wrote:
>
> > Hi, is there a way to alert or drop when receiving more than 8
> > connections per IP to a specific port?
>
> that's called thresholding...
>
> --
>
>   NOTE: No off-list assistance is given without prior approval.
>
>         *Please keep mailing list traffic on the list* unless
>
>         private contact is specifically requested and granted.
>
> ----------------------------------------------------------------------------
>
> --
>
> What NetFlow Analyzer can do for you? Monitors network bandwidth and 
> traffic patterns at an interface-level. Reveals which users, apps, and 
> protocols are
>
> consuming the most bandwidth. Provides multi-vendor support for 
> NetFlow, J-Flow, sFlow and other flows. Make informed decisions using 
> capacity planning reports. 
> https://ad.doubleclick.net/ddm/clk/305295220;132659582;e
>
> _______________________________________________
>
> Snort-users mailing list
>
> Snort-users at lists.sourceforge.net
>
> Go to this URL to change user options or unsubscribe:
>
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
> Snort-users list archive:
>
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!
>
>
>
>
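Below is an added example, not from this thread or from the Snort project, showing the two mechanisms Russ and Al refer to, written against the Snort 2.9 syntax documented in README.filters. Both variants count TCP SYNs from one external source to 192.168.1.50:4000 instead of a payload pattern, so each new connection is counted exactly once, which is what the original question ("more than 8 connections per IP to a port") asks for. The sids 1000051 and 1000052, the 8-in-60-seconds figures and the 60-second timeout are assumptions chosen for illustration.

```snort
# --- Approach 1: detection_filter inside the rule (local.rules) ---
# The rule stays silent until one source has sent more than 8 SYNs to
# 192.168.1.50:4000 within 60 seconds; the 9th and later matches fire.
# flags:S matches only the SYN (a new connection); flow:stateless lets
# the rule match before the session is established. sid is assumed.
alert tcp $EXTERNAL_NET any -> 192.168.1.50 4000 ( \
    msg:"More than 8 connections per source to port 4000 in 60s"; \
    flags:S; flow:stateless; \
    detection_filter: track by_src, count 8, seconds 60; \
    sid:1000051; rev:1; )

# --- Approach 2: rate_filter in snort.conf on a plain rule ---
# This rule fires on every SYN. The rate_filter below then replaces its
# action with drop for that source for 60 seconds once the source
# exceeds 8 matches in 60 seconds (drop needs inline mode). sid assumed.
alert tcp $EXTERNAL_NET any -> 192.168.1.50 4000 ( \
    msg:"New connection to port 4000"; flags:S; flow:stateless; \
    sid:1000052; rev:1; )

# snort.conf
rate_filter gen_id 1, sig_id 1000052, \
    track by_src, count 8, seconds 60, \
    new_action drop, timeout 60

# Optional: limit how often the per-SYN alert for sid 1000052 is logged
# (one entry per source per minute). This affects logging only; see
# README.filters for how rate_filter, event_filter and suppress combine.
event_filter gen_id 1, sig_id 1000052, \
    type limit, track by_src, count 1, seconds 60
```

The practical difference: with detection_filter the rule itself does not generate an event until the threshold is crossed, so there is nothing to log or drop for the first 8 connections; with rate_filter the rule matches every time and it is the action that changes once the count is exceeded, which is why the second form is the one to use when the goal is to start dropping a noisy source for a while.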
