unless this IP is fixed & pre-known, I am not aware of PORTS capable of
counting of SYN_RECV grouped by SRCIP, as in "select count(*) from
TCPstateTable where state="SYN_RECV" and dstTuple="151.8.36.12:80" group by
SRCIP".
Currently I use PORTS to generate alerts and track total counts of TIME_WAIT
for a database server's TCP service.
▸ quoted from Roberto Tagliaferri
On 9/26/06, Roberto Tagliaferri <user-ad26667b6a89@xymon.invalid> wrote:
Is there a way to monitor the number of simultaneous open port from the
same ip?
I need to alert when an (stupid...) attacker send a thing like this
tcp 0 0 151.8.36.12:80 206.225.82.32:9654
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:63256
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:11611
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:55544
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:55045
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:949
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:19880
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:13331
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:31280
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:44500
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:11909
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:58313
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:47932
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:15468
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:2060
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:56875
SYN_RECV
tcp 0 0 151.8.36.12:80 206.225.82.32:45630
SYN_RECV
--
Roberto Tagliaferri
Responsabile Progettazione & Produzione
TosNet s.r.l. - Internet Service Provider
user-ad26667b6a89@xymon.invalid
www.tosnet.it