| To: | snort-users@lists.sourceforge.net |
|---|---|
| Subject: | [Snort-users] Alerting after Threshold/Suppression |
| From: | "Justin Mitchell" <tcpandip@gmail.com> |
| Date: | Fri, 30 Mar 2007 05:55:29 -0400 |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | snort-list@securepoint.com |
| List-archive: | <http://sourceforge.net/mailarchive/forum.php?forum=snort-users> |
| List-help: | <mailto:snort-users-request@lists.sourceforge.net?subject=help> |
| List-id: | "Snort users talk about... Snort!" <snort-users.lists.sourceforge.net> |
| List-post: | <mailto:snort-users@lists.sourceforge.net> |
| List-subscribe: | <https://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request@lists.sourceforge.net?subject=subscribe> |
| List-unsubscribe: | <https://lists.sourceforge.net/lists/listinfo/snort-users>, <mailto:snort-users-request@lists.sourceforge.net?subject=unsubscribe> |
| Sender: | snort-users-bounces@lists.sourceforge.net |
Hello All,

I would like a rule to alert for a specified amount/time AFTER a threshold is met. Take the following rule for example:

```
alert tcp any any -> any $HTTP_PORTS (msg:"45\+ HTTP Requests \< 1 Minute"; flags:AP; pcre:!"/GET \/.*\.(gif|jpg|bmp|tiff|pic).*HTTP\/[0-9]\.[0-9]/i"; threshold: type both, track by_src, count 45, seconds 60; sid:5000001; rev:1;)
```

Accordingly, the rule only alerts (like it should) once every minute if more than 45 HTTP <non_image> requests are made within one minute. However, I would like for it (as long as it meets the specified flags and pcre) to fire thereafter for N seconds and/or N alerts. The catalyst for all this is I need to extract/roll-up the accompanying GET requests to verify fidelity and illustrate more context (w/o reviewing the log).

Options tested/contemplated thus far (to my knowledge):

- Activate/Dynamic rule - Only valid for logging. If compatible with *alerting* I imagine I could construct an activate/pass -> dynamic/alert combo.
- Flowbits - Only valid for that session.
- Suppression - Absolute suppression.
- Tag - Nonessential packets are displayed.

Any ideas? Is Snort alone capable of this without manually correlating the solo alert to web logs? Telling Snort to run <insert_program_here> (pl,sh,py,etc) is another viable option but I could not locate concrete/stable information on how to accomplish this. 3rd party/home-grown preprocessor?

TIA!

- binaryechoes
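As an added illustration (written for this archive page, not code from the post and not Snort's own implementation), the following Python model shows the once-per-window behaviour that `threshold: type both, track by_src, count 45, seconds 60` gives the rule above, next to the hypothetical "keep alerting for N seconds / N alerts after the threshold fires" behaviour the poster is asking for. The fixed-window semantics and the `tail_seconds`/`tail_alerts` parameters are simplifying assumptions, and the event list is constructed.

```python
# Simplified model of Snort's threshold "type both" (assumption, not Snort source):
# per source, count matching events in a window of `seconds` that starts at the
# first event; alert once when `count` is reached, then stay quiet until the
# window expires and a new one starts.
class ThresholdBoth:
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, events_seen, already_fired]

    def event(self, src, t):
        st = self.state.get(src)
        if st is None or t - st[0] >= self.seconds:
            st = self.state[src] = [t, 0, False]  # open a fresh window
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True  # the single alert Snort emits per window
        return False


# Hypothetical extension the post asks for: after the threshold alert, keep
# alerting on each further matching event for `tail_seconds` or `tail_alerts`,
# whichever runs out first, so the follow-on GET requests are captured too.
class ThresholdWithTail(ThresholdBoth):
    def __init__(self, count, seconds, tail_seconds, tail_alerts):
        super().__init__(count, seconds)
        self.tail_seconds, self.tail_alerts = tail_seconds, tail_alerts
        self.tail = {}  # src -> [tail_start, alerts_remaining]

    def event(self, src, t):
        tail = self.tail.get(src)
        if tail and t - tail[0] < self.tail_seconds and tail[1] > 0:
            tail[1] -= 1
            return True  # follow-on alert inside the tail period
        if super().event(src, t):
            self.tail[src] = [t, self.tail_alerts]
            return True
        return False


def run(detector, events):
    """Feed (src, timestamp) events in time order; return alert timestamps."""
    return [t for src, t in sorted(events, key=lambda e: e[1]) if detector.event(src, t)]


# Constructed sample: 10.0.0.5 sends 50 non-image GETs one per second, pauses,
# then sends 10 more; 10.0.0.9 sends a single request.
EVENTS = ([("10.0.0.5", t) for t in range(50)] + [("10.0.0.9", 3)]
          + [("10.0.0.5", 70 + t) for t in range(10)])

if __name__ == "__main__":
    print("type both:", run(ThresholdBoth(45, 60), EVENTS))            # [44]
    print("with tail:", run(ThresholdWithTail(45, 60, 10, 3), EVENTS))  # [44, 45, 46, 47]
```

Without the tail, the burst produces exactly one alert (the 45th request at t=44) and the ten later requests fall in a new window that never reaches 45; with the tail, the next three matching requests are alerted as well, which is the context the poster wants to roll up.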