Hello! Could you please explain how I can calculate only flows (sessions)?
I tried to use:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"To many connection"; flow:to_server, established; threshold: type threshold, track by_src, count 20, seconds 5; classtype:ddos; sid:2000003;)
But this rule calculates all packets in the flow.
I tried to use it with content: " ":
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"To many connection"; flow:to_server, established; content: " "; threshold: type threshold, track by_src, count 1, seconds 5; classtype:ddos; sid:2000003;)
and it works. But this will only work for unencrypted traffic. Maybe there are built-in flow-counting tools?
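Two rule variants that match once per connection instead of once per packet, so the per-source threshold counts sessions rather than packets; this is an added example, not from the original post, and it assumes Suricata (the sids, messages and flowbit name are placeholders chosen for the example).

```suricata
# Added example (not from the original post). Assumes Suricata; the sids,
# msg strings and the flowbit name are placeholders.

# Variant 1: count connection attempts. flags:S,12 matches only the initial
# SYN (",12" ignores the ECN bits CWR/ECE, which some stacks set on a SYN),
# and flow:stateless lets the rule match before any flow is established.
# Each new connection is seen exactly once, so threshold counts per source
# how many new connections arrive in the window.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Too many new connections from one source"; flags:S,12; flow:stateless; threshold: type threshold, track by_src, count 20, seconds 5; classtype:attempted-dos; sid:2000010; rev:1;)

# Variant 2: count established sessions, independent of payload or
# encryption. The rule matches the first to_server packet of an established
# flow that has not been counted yet, sets a flowbit so later packets of the
# same flow no longer match, and the per-source threshold is applied to
# those once-per-flow matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Too many established sessions from one source"; flow:to_server,established; flowbits:isnotset,example.counted; flowbits:set,example.counted; threshold: type threshold, track by_src, count 20, seconds 5; classtype:attempted-dos; sid:2000011; rev:1;)
```

Variant 1 also counts half-open (SYN-only) connections, which is what you want for flood detection; variant 2 counts only sessions whose handshake completed.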