Re: Detecting Connections in Snort

From: Marcelo Olguin (molguin_at_inf.utfsm.cl)
Date: 06/02/03

    Date: Mon, 02 Jun 2003 10:38:11 -0400
    To: Faiz Ahmad Shuja <faizshuja@yahoo.it>, focus-ids@securityfocus.com
    
    

    I understand that there is a particular functionality in Snort's portscan
    preprocessor which lets you set a threshold for connections. You can
    find more information in the Snort 2.0 book (Syngress).

    Bye

    Marcelo
    -.-

    Faiz Ahmad Shuja wrote:

    >Does anybody have an idea about detecting multiple connections from a
    >single IP in Snort? I want to detect multiple connection requests from a
    >single IP to a mail server [port 25]. Sometimes a single IP has taken up
    >all the connection slots. Is there any way to set a threshold? If I am
    >getting multiple connections from a single host to any service and it
    >reaches a specific count, can I get an alert?
    >
    >Please advise.
    >
    >Thanks!
    >
    >
    >Regards,
    >Faiz
    >
    >

