Port Monitoring
list Paul Moore
Is there a way to set up hobbit's port monitoring to alert when a specific device has X number of established connections on a particular port? I.e., alerting when one client has 20 sessions connected to port 80, signifying a DOS attack?

Paul Moore
V966-5159
MSO OSS Support
-=-=-=-=-=
Pinky, Are You Pondering What I'm Pondering?
Well, I think so Brain but if Jimmy cracks corn and no one cares, why does he keep doing it?
list David Gore
Paul Moore wrote:
> Is there a way to set up hobbit's port monitoring to alert when a specific device has X number of established connections on a particular port? I.e., alerting when one client has 20 sessions connected to port 80, signifying a DOS attack?

hobbit-clients.cfg:

HOST=myDOSTarget
    PORT REMOTE=%x.x.x.X.nnn STATE=ESTABLISHED MIN=1 MAX=20
list Paul Moore
That works well if you know who is going to be hitting you, but I would like to detect unknown clients.

Paul - v966-5159
-=-=-
Are You Pondering What I'm Pondering?
I think so Brain, but, snort, no, no, it's too stupid.
-----Original Message-----
From: David Gore [mailto:user-3e5761c68b56@xymon.invalid]
Sent: Monday, November 06, 2006 2:50 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] Port Monitoring

Paul Moore wrote:
> Is there a way to set up hobbit's port monitoring to alert when a specific device has X number of established connections on a particular port? I.e., alerting when one client has 20 sessions connected to port 80, signifying a DOS attack?

hobbit-clients.cfg:

HOST=myDOSTarget
    PORT REMOTE=%x.x.x.X.nnn STATE=ESTABLISHED MIN=1 MAX=20
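
Added example, not part of the original thread and not Hobbit's own code: the PORT rule quoted above matches a REMOTE address pattern, so for the unknown-client case raised in the follow-up, this Python script counts ESTABLISHED connections per remote address from `netstat -an` output and flags any client above the limit. The function names, the threshold handling and the netstat sample are constructed for illustration; it accepts both the `addr:port` and the `addr.port` endpoint layouts.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output mixing Linux (addr:port) and
# Solaris/BSD (addr.port) layouts. Addresses are from documentation ranges.
SAMPLE = """\
tcp   0  0 192.0.2.10:80     198.51.100.7:51000   ESTABLISHED
tcp   0  0 192.0.2.10:80     198.51.100.7:51001   ESTABLISHED
tcp   0  0 192.0.2.10:80     198.51.100.7:51002   ESTABLISHED
tcp   0  0 192.0.2.10:80     203.0.113.9:40000    ESTABLISHED
tcp   0  0 192.0.2.10:80     203.0.113.9:40001    TIME_WAIT
tcp   0  0 192.0.2.10:22     198.51.100.7:51003   ESTABLISHED
tcp   0  0 0.0.0.0:80        0.0.0.0:*            LISTEN
192.0.2.10.80   198.51.100.7.51004  49640  0 49640  0 ESTABLISHED
"""

def split_endpoint(field):
    """Split 'addr:port' or 'addr.port' on the last separator."""
    sep = ":" if ":" in field else "."
    addr, _, port = field.rpartition(sep)
    return addr, port

def established_per_client(netstat_text, local_port):
    """Count ESTABLISHED connections to local_port, keyed by remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[-1] != "ESTABLISHED":
            continue
        # Endpoint columns are the first two fields ending in a port number.
        ends = [c for c in cols if re.search(r"[.:](\d+|\*)$", c)][:2]
        if len(ends) != 2:
            continue
        (_, lport), (raddr, _) = map(split_endpoint, ends)
        if lport == str(local_port):
            counts[raddr] += 1
    return counts

def evaluate(netstat_text, local_port=80, max_per_client=20):
    """Return (color, offenders); offenders hold more than max_per_client."""
    counts = established_per_client(netstat_text, local_port)
    offenders = {ip: n for ip, n in counts.items() if n > max_per_client}
    return ("red" if offenders else "green"), offenders

if __name__ == "__main__":
    # Low limit so the constructed sample trips the check.
    print(evaluate(SAMPLE, max_per_client=3))
```

On a monitored host, the input would be the live `netstat -an` output instead of `SAMPLE`, with the returned color reported through whatever custom-test mechanism the installation already uses.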