
Is it even possible to specify in a Snort rule the duration of a connection?

For example, in this format: hour, minute, second

H, M, S = 0, 2, 1

If a connection has a duration of 2 minutes and 1 second, then alert.

Or in this sense:

If a connection is longer than 10 seconds, then alert.

How do we implement the idea?

nixor01

1 Answer

Short answer: no.

Longer answer: If you've got coding chops, you basically need to add a new detection keyword that acts almost exactly like the threshold keyword, except it alerts for any packets after s seconds, rather than c packets within s seconds. This might be appealing if you're already building your sensors from source in your infrastructure. Not that hard -- a number of years ago, I rigged up a build for a customer that would actively reset brute force attacks from a given IP once reaching c count in s seconds.
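To make the distinction in the answer concrete, here is the detection logic as a standalone Python script rather than a Snort keyword. This is an added example, not Snort code and not the answerer's custom build: it tracks flows by their 5-tuple over constructed packet records (the addresses and timestamps are made up) and implements both variants side by side, a duration check that fires once a flow has been seen for more than `seconds`, and a threshold-style check that fires when `count` packets arrive within `seconds`. The class and function names are this example's own.

```python
"""Flow-duration vs. packet-rate detection over packet records.

Added example, not part of Snort. A Snort-style detector is driven by
packets, so it can only notice that a flow is "old" when the next packet
of that flow arrives; an idle-but-open connection stays silent until it
sends something. The same limitation applies to the keyword described in
the answer above.
"""
from collections import namedtuple

# One packet: timestamp (seconds), protocol and the 4-tuple endpoints.
Packet = namedtuple("Packet", "ts proto src sport dst dport")

# Constructed sample traffic (hypothetical RFC 5737 addresses), not a capture.
SAMPLE = [
    Packet(0.0,  "tcp", "10.0.0.5", 40000, "192.0.2.10", 22),
    Packet(1.0,  "tcp", "10.0.0.5", 40000, "192.0.2.10", 22),
    Packet(3.0,  "tcp", "10.0.0.7", 40001, "192.0.2.10", 80),
    Packet(12.5, "tcp", "192.0.2.10", 22, "10.0.0.5", 40000),  # reply direction
    Packet(12.9, "tcp", "10.0.0.7", 40001, "192.0.2.10", 80),
    Packet(30.0, "tcp", "10.0.0.5", 40000, "192.0.2.10", 22),
]


def hms_to_seconds(h, m, s):
    """Convert the H, M, S form from the question into a plain second count."""
    return h * 3600 + m * 60 + s


def flow_key(p):
    """Direction-independent flow key so both sides of a connection share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class DurationDetector:
    """Alert when a flow has been seen for more than `seconds` since its first packet."""

    def __init__(self, seconds, once=True):
        self.seconds = seconds
        self.once = once          # one alert per flow, or one per packet past the limit
        self.first_seen = {}
        self.alerted = set()

    def process(self, p):
        k = flow_key(p)
        start = self.first_seen.setdefault(k, p.ts)
        age = p.ts - start
        if age > self.seconds and (not self.once or k not in self.alerted):
            self.alerted.add(k)
            return (k, age)
        return None


class RateDetector:
    """Threshold-style check: alert each time `count` packets arrive within `seconds`."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.window = {}

    def process(self, p):
        k = flow_key(p)
        w = self.window.setdefault(k, [])
        w.append(p.ts)
        # Slide the window: drop timestamps older than `seconds` before this packet.
        while w and p.ts - w[0] > self.seconds:
            w.pop(0)
        if len(w) >= self.count:
            w.clear()             # restart counting after an alert
            return (k, p.ts)
        return None


def run(detector, packets):
    """Feed packets in timestamp order and collect the alerts the detector raises."""
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        hit = detector.process(p)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    print("flows older than 10 s:", run(DurationDetector(10), SAMPLE))
    print("2 packets within 5 s:", run(RateDetector(2, 5), SAMPLE))
```

On the sample data the duration check flags only the SSH flow, at the packet that arrives 12.5 s after its first one, and the rate check flags the same flow once, at its second packet. Swapping `once=False` reports the flow again at every later packet, which is the "alerts for any packets after s seconds" behaviour the answer sketches.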