unless this IP is fixed & pre-known, I am not aware of PORTS capable of counting SYN_RECV grouped by SRCIP, as in "select count(*) from TCPstateTable where state='SYN_RECV' and dstTuple='151.8.36.12:80' group by SRCIP". Currently I use PORTS to generate alerts and track total counts of TIME_WAIT for a database server's TCP service.
On 9/26/06, Roberto Tagliaferri <r.tagliaferri at tosnet.it> wrote:
Is there a way to monitor the number of simultaneous open ports from the same IP? I need to alert when a (stupid...) attacker sends something like this
tcp 0 0 151.8.36.12:80 206.225.82.32:9654 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:63256 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:11611 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:55544 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:55045 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:949 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:19880 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:13331 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:31280 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:44500 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:11909 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:58313 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:47932 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:15468 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:2060 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:56875 SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:45630 SYN_RECV
-- Roberto Tagliaferri Responsabile Progettazione & Produzione TosNet s.r.l. - Internet Service Provider r.tagliaferri at tosnet.it www.tosnet.it
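As an added illustration of the "count SYN_RECV grouped by source IP for one destination tuple" check discussed in this thread (this is example code, not part of the thread and not Hobbit's PORTS module), here is a small parser over netstat -tan output that does the grouping and flags sources above a threshold. The netstat sample is constructed in the column layout quoted above; the threshold, function names and the extra 10.0.0.7 / 198.51.100.9 peers are assumptions for the demo.

```python
from collections import Counter

# Constructed sample in the layout of Linux "netstat -tan" output
# (proto recv-q send-q local foreign state). Not a real capture; the
# 206.225.82.32 half-open entries mirror the ones quoted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 151.8.36.12:80          206.225.82.32:9654      SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:63256     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:11611     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:55544     SYN_RECV
tcp        0      0 151.8.36.12:80          10.0.0.7:40211          ESTABLISHED
tcp        0      0 151.8.36.12:80          198.51.100.9:51000      SYN_RECV
"""


def count_states_by_src(netstat_text, dst_tuple, state="SYN_RECV"):
    """The 'select count(*) ... where state=... and dstTuple=... group by SRCIP'
    from the reply, computed over netstat text. Returns Counter{src_ip: n}."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner/header lines and anything that is not a tcp socket.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, conn_state = fields[3], fields[4], fields[5]
        if conn_state != state or local != dst_tuple:
            continue
        src_ip = foreign.rsplit(":", 1)[0]  # drop the ephemeral source port
        counts[src_ip] += 1
    return counts


def half_open_offenders(netstat_text, dst_tuple, threshold):
    """Sources holding at least `threshold` half-open (SYN_RECV) connections
    to dst_tuple; a legitimate client normally holds one at most briefly."""
    counts = count_states_by_src(netstat_text, dst_tuple)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Example threshold of 3 is an assumption; tune it to the service's load.
    for ip, n in sorted(half_open_offenders(SAMPLE_NETSTAT, "151.8.36.12:80", 3).items()):
        print(f"ALERT: {n} half-open connections to 151.8.36.12:80 from {ip}")
```

On a live host, feed it the output of netstat -tan (or ss -tan, whose state column reads SYN-RECV) and raise the alert from whatever client-side script reports to the monitor.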