[hobbit] monitoring number of simultaneos connection
Jerry Yu
jjj863 at gmail.com
Wed Sep 27 09:46:49 CEST 2006
unless this IP is fixed & pre-known, I am not aware of PORTS capable of
counting of SYN_RECV grouped by SRCIP, as in "select count(*) from
TCPstateTable where state="SYN_RECV" and dstTuple="151.8.36.12:80" group by
SRCIP".
Currently I use PORTS to generate alerts and track total counts of TIME_WAIT
for a database server's TCP service.
On 9/26/06, Roberto Tagliaferri <r.tagliaferri at tosnet.it> wrote:
>
> Is there a way to monitor the number of simultaneous open port from the
> same ip?
> I need to alert when an (stupid...) attacker send a thing like this
>
> tcp 0 0 151.8.36.12:80 206.225.82.32:9654
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:63256
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:11611
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:55544
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:55045
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:949
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:19880
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:13331
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:31280
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:44500
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:11909
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:58313
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:47932
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:15468
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:2060
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:56875
> SYN_RECV
> tcp 0 0 151.8.36.12:80 206.225.82.32:45630
> SYN_RECV
>
>
> --
> Roberto Tagliaferri
> Responsabile Progettazione & Produzione
> TosNet s.r.l. - Internet Service Provider
> r.tagliaferri at tosnet.it
> www.tosnet.it
>
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20060927/cc0d7d5b/attachment.html>
More information about the Xymon
mailing list