[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Alert DoS

To: hobbit (at) hswn.dk
Subject: Alert DoS
From: Rodolfo Pilas <rodolfo (at) pilas.net>
Date: Mon, 24 Nov 2008 22:06:43 -0200

Is there are any way that I can alert when a IP establish more than X
connections with my host?

I use this line to obtain port 80 connections:

netstat -tan | egrep 170.53.[0-9]*.[0-9]*:80 | grep -v TIME_WAIT | \
cut -c 45-66 | cut -d : -f 1 | sort -n | uniq -c | sort -n

and obtain output like this:

      1 191.78.192.30
      1 209.125.58.188
      2 170.51.33.42
      2 193.108.7.164
      2 193.134.36.229
      2 193.134.39.89
      5 193.132.83.232
      8 193.134.162.85

My strart point was:

PORT "LOCAL=%([.:]80)$" "REMOTE=*"(uniq -c) state=(ESTABLISHED|SYN_RECV)
min=0 max=20 

Thank you for any help.

Regards,
Rodolfo Pilas

Prev by Date: bbwin missing network interfaces in clientdata/ifstat
Next by Date: RE: [hobbit] How to validate SSL server certificate?
Previous by thread: bbwin missing network interfaces in clientdata/ifstat
Next by thread: Alert Script doesnt work!!!
Index(es):
- Date
- Thread