[Oisf-users] tracking source and destination port

Cooper F. Nelson cnelson at ucsd.edu
Thu Jul 4 17:47:57 UTC 2013


ET has rules like this:

> #These are intended to catch new worms and such scanning internally. Careful of falses.
> #
> alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:13;)

The problem is that if you modify it to a '-> any any' rule it's going to
match all traffic.

The DDOS attacks you describe look like normal traffic flows, so it's
hard to detect it automatically.

What you could do is look at your traffic patterns and set the threshold
to something well above your normal peak flows for any unique
destination port.  Something like:

> # Source port field is 'any' and the destination is $HOME_NET; the sid below is a local placeholder, not an assigned ID.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL Potential HTTP DDOS, high traffic"; flags:S,12; threshold: type both, track by_src, count 1000, seconds 10; classtype:misc-activity; sid:1000001; rev:1;)

Ideally what you would want would be a rule that detected a large number
of half-open connections to any unique port.  I don't believe suricata
currently has this feature.  Snort has a portscan preprocessor that can
be used to do this (I think).  See:


Ideally you should only have a few ports open on your DMZ, so I
personally would recommend just writing a few suricata rules as I
described for whatever ports are exposed at your border.

-Coop

On 7/4/2013 9:17 AM, Michael Hoffrath wrote:
> Hello,
> Some time ago I was the target of a DDoS which had a very simple pattern: the source IP was random and spoofed, but for all DDoS clients the source and destination port were the same. Is there a way to write a rule that keeps track of source/destination port combinations and triggers if any combination happens several times?
> The problem is that I don't know which source/destination port combination is used, so I can't use "alert any $SRC_PORT -> $DST $DST_PORT"
> Kind Regards
> Michael
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
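The thread contrasts a threshold rule that tracks by source address with the per-port-pair tracking the original question asks for. The script below is an added example written for this page, not code from either poster or from the Suricata project: it counts SYN-only packets per key over a sliding window and approximates the "threshold: type both, track ..., count N, seconds S" behaviour in plain Python, so the same constructed packet set can be run keyed by source, by destination, and by (source port, destination port). The packets, addresses and field names are constructed for the example; the "type both" emulation (fire once when the count is reached, then stay quiet for the rest of the interval) is an approximation of the rule semantics, not Suricata's implementation.

```python
"""Added example (not from the thread): sliding-window SYN counter keyed by
source, destination, or the (sport, dport) pair. Approximates Suricata's
'threshold: type both, track X, count N, seconds S' in plain Python."""
from collections import defaultdict, deque

# Constructed sample packets (timestamps in seconds). Not real traffic.
SERVER = "203.0.113.10"
SAMPLE = [
    # ordinary clients: distinct ephemeral source ports, a SYN or two each
    {"ts": 0.0, "src": "198.51.100.7", "sport": 40001, "dst": SERVER, "dport": 80, "flags": "S"},
    {"ts": 0.5, "src": "198.51.100.7", "sport": 40002, "dst": SERVER, "dport": 443, "flags": "S"},
    {"ts": 1.0, "src": "198.51.100.9", "sport": 51230, "dst": SERVER, "dport": 80, "flags": "S"},
    {"ts": 1.2, "src": SERVER, "sport": 80, "dst": "198.51.100.9", "dport": 51230, "flags": "SA"},  # SYN/ACK reply, not SYN-only
] + [
    # spoofed flood: every source address differs, but sport/dport never change
    {"ts": 2.0 + 0.25 * i, "src": f"192.0.2.{i + 1}", "sport": 54321, "dst": SERVER, "dport": 80, "flags": "S"}
    for i in range(12)
] + [
    # one straggler long after the 10 s window has expired
    {"ts": 30.0, "src": "192.0.2.200", "sport": 54321, "dst": SERVER, "dport": 80, "flags": "S"},
]


def is_syn_only(flags):
    """Equivalent of 'flags:S,12': SYN set and nothing else, ignoring CWR/ECE."""
    return set(flags) - {"C", "E"} == {"S"}


class WindowThreshold:
    """Count events per key over a sliding window of `seconds`; fire once when
    `count` is reached, then stay quiet for `seconds` (approximates 'type both')."""

    def __init__(self, key_fn, count, seconds):
        self.key_fn = key_fn
        self.count = count
        self.seconds = seconds
        self.events = defaultdict(deque)  # key -> timestamps still inside the window
        self.last_alert = {}              # key -> timestamp of the last alert

    def feed(self, pkt):
        """Record one packet; return the key if this packet triggers an alert."""
        key = self.key_fn(pkt)
        ts = pkt["ts"]
        window = self.events[key]
        window.append(ts)
        while window and window[0] <= ts - self.seconds:  # drop expired timestamps
            window.popleft()
        if len(window) < self.count:
            return None
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.seconds:  # still suppressed
            return None
        self.last_alert[key] = ts
        return key


def run_threshold(packets, key_fn, count, seconds):
    """Return [(ts, key), ...] for every alert the threshold would raise."""
    tracker = WindowThreshold(key_fn, count, seconds)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not is_syn_only(pkt["flags"]):
            continue
        key = tracker.feed(pkt)
        if key is not None:
            alerts.append((pkt["ts"], key))
    return alerts


# The three tracking keys compared in the thread.
def key_by_src(pkt):
    return pkt["src"]


def key_by_dst(pkt):
    return pkt["dst"]


def key_by_port_pair(pkt):
    return (pkt["sport"], pkt["dport"])


if __name__ == "__main__":
    for name, key_fn in [("track by_src", key_by_src),
                         ("track by_dst", key_by_dst),
                         ("track by (sport, dport)", key_by_port_pair)]:
        print(name, run_threshold(SAMPLE, key_fn, count=10, seconds=10))
```

With the constructed flood, tracking by source never fires because each spoofed address sends one SYN; tracking by destination fires on the tenth SYN the server receives (which also counts the legitimate clients), and tracking by port pair fires only on the fixed (54321, 80) combination, which is the signal the original question describes. The straggler at 30 s shows the window expiring: its count starts again at one.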

