[Snort-users] Alert on Max connections per IP

wkitty42 at ...14940... wkitty42 at ...14940...
Wed Jun 8 21:07:27 EDT 2016


On 06/08/2016 08:44 PM, Argcyborg wrote:
> Thanks for the answers, what I need is to detect more than 2 connections to
> the port 4000 in less than 60 seconds and get the IP address of the
> "attacker".
> What should I write in the rules file?

for that specific need, the rule is accurate as it stands... i thought it was 
too noisy and you were trying to quiet it down...

another way you could do it instead of checking for established connections 
(completed the 3-way handshake) is to check for SYNs to that port... you'd still 
keep that detection_filter section, though...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.




More information about the Snort-users mailing list