Snort mailing list archives
Re: [Q] thresholding: to throttle flood of alerts
From: "Bob Konigsberg" <bobkberg () networkeval com>
Date: Thu, 16 Oct 2008 16:14:52 -0700
For what it's worth, back when I worked at a local university, we were getting hit with too many alerts to deal with. I contacted the professors to find out who they expected to hit their servers legitimately, and learned that most of the traffic was for local students only. Long story short - we just blocked all non web traffic that originated outside North America and were amazed to see the number of attacks, scans and whatever drop by more than an order of magnitude. The geographical list for class A and class B sized blocks is readily available at either ARIN or IANA - I forget which.

My $.02 worth.

Bob

-----Original Message-----
From: Jack Pepper [mailto:pepperjack () afferentsecurity com]
Sent: Thursday, October 16, 2008 8:51 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] [Q] thresholding: to throttle flood of alerts

maybe try tracking by dest instead.

jp

Quoting Victor Klimov <vk77de () googlemail com>:

> Hi Markus,
>
> That's probably it. 99% of them come from different sources.
> It was not myself that wrote the rule. Got it with the oinkmaster.
>
> Thanks,
> Victor
>
> On Thu, Oct 16, 2008 at 2:41 PM, Markus Lude <markus.lude () gmx de> wrote:
>
>> On Thu, Oct 16, 2008 at 06:59:37AM +0000, Victor Klimov wrote:
>>
>>> Hi Leon,
>>>
>>> Yeah, I know, it should work... But it doesn't:
>>>
>>> #Rule for alerting common TCP/UDP flood attack:
>>> alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type limit, track by_src, count 1, seconds 600; classtype:attempted-dos; sid:100000160; rev:2;)
>>>
>>> This rule above should limit the flooding alert: once in 10 min.
>>> However I continue to see a lot of 100000160 alerts, several per minute.
>>> Hmm...
>>
>> Do these alerts come from different sources or the same one?
>> As I understand thresholds, track by_src means a separate counter for each source.
>>
>> Regards,
>> Markus
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
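The by_src versus by_dst point made in the thread, as an added simulation (not code from any of the posters): it models the threshold keyword's "type limit" semantics with one counter per tracked address, run over a constructed SIP flood from many sources against one proxy. The window-reset behaviour and the sample addresses are assumptions.

```python
# Added example, not from the thread. Models Snort's "threshold: type limit"
# as the thread describes it: a separate counter per tracked address
# (by_src or by_dst), at most `count` alerts per `seconds` window.
# Assumption: a window starts at the first event for an address and a new
# window starts with the first event after `seconds` have elapsed.

def parse_threshold(opts):
    """Parse 'type limit, track by_src, count 1, seconds 600' into a dict."""
    parsed = {}
    for field in opts.split(","):
        key, value = field.split()
        parsed[key] = int(value) if value.isdigit() else value
    return parsed

def apply_threshold(events, opts):
    """Return the alerts that survive the threshold (type limit only).

    events: time-ordered (timestamp_seconds, src_ip, dst_ip) tuples for
    packets that already matched the rule body.
    """
    th = parse_threshold(opts)
    if th["type"] != "limit":
        raise ValueError("only 'type limit' is modelled here")
    windows = {}  # tracked address -> (window_start, alerts_seen_in_window)
    logged = []
    for ts, src, dst in events:
        key = src if th["track"] == "by_src" else dst
        start, seen = windows.get(key, (None, 0))
        if start is None or ts - start >= th["seconds"]:
            start, seen = ts, 0  # previous window expired, start a new one
        if seen < th["count"]:
            logged.append((ts, src, dst))
        windows[key] = (start, seen + 1)
    return logged

def sip_flood(duration, distinct_sources, proxy="192.0.2.10"):
    """Constructed sample: one packet per second to one SIP proxy, cycling
    through `distinct_sources` addresses in the 203.0.113.0/24 test net."""
    return [(t, f"203.0.113.{t % distinct_sources}", proxy) for t in range(duration)]

BY_SRC = "type limit, track by_src, count 1, seconds 600"
BY_DST = "type limit, track by_dst, count 1, seconds 600"

if __name__ == "__main__":
    flood = sip_flood(duration=1200, distinct_sources=200)
    # by_src gives every distinct source its own once-per-10-minute budget,
    # so a many-source flood still alerts for each source in each window.
    print("by_src:", len(apply_threshold(flood, BY_SRC)))  # 400 (200 sources x 2 windows)
    # by_dst counts against the single proxy address instead.
    print("by_dst:", len(apply_threshold(flood, BY_DST)))  # 2 (one proxy x 2 windows)
```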
Current thread:
- [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Leon Ward (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Joel Esler (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Jack Pepper (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Matt Olney (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 15)
- Re: [Q] thresholding: to throttle flood of alerts Markus Lude (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Victor Klimov (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Jack Pepper (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Bob Konigsberg (Oct 16)
- Re: [Q] thresholding: to throttle flood of alerts Leon Ward (Oct 15)
