[Snort-sigs] HTTP Get Flood

Al Lewis (allewi) allewi at ...3865...
Sun Feb 15 09:00:23 EST 2015


Hello,

Can you provide a sample of the rule/conf you are trying to use as well as a pcap of the offending traffic?

The section on uricontent is here: http://manual.snort.org/node32.html#SECTION004523000000000000000

Make sure you are not trying to match on content before it's normalized, as listed in the manual:

“The uricontent keyword in the Snort rule language searches the NORMALIZED request URI field. This is equivalent to using the http_uri modifier to a content keyword. As such if you are writing rules that include things that are normalized, such as %2f or directory traversals, these rules will not alert.”


Hope this helps.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...
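To illustrate the normalization point above, here is an added Python model (not code from the thread or from Snort itself) that approximates what the URI normalizer does before a uricontent / http_uri pattern is compared, and checks a few constructed request URIs against encoded and decoded patterns. The normalize_uri, uricontent_match and raw_content_match names, the sample URIs and the decode-and-resolve steps are assumptions for this example; the real http_inspect preprocessor handles more cases (double encoding, IIS unicode, and so on).

```python
# Added example, not from the mailing-list thread or the Snort source:
# a simplified model of Snort's URI normalization showing why a
# uricontent pattern written in encoded form ("%2f") never matches.
from urllib.parse import unquote

# Constructed sample request URIs, not captured traffic.
SAMPLE_URIS = [
    "/",                                # the plain GET-flood target from the thread
    "/index.php",
    "/cgi-bin/..%2f..%2fetc/passwd",    # percent-encoded directory traversal
    "/images//../admin/./login",        # repeated slashes and dot segments
]


def normalize_uri(raw: str) -> str:
    """Approximate the normalized URI buffer that uricontent / http_uri
    match against: percent-decode, collapse repeated slashes and resolve
    '.' and '..' path segments.  Assumption: the query string is decoded
    but not path-resolved."""
    path, sep, query = raw.partition("?")
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue                    # empty (double slash) or '.' segment
        if seg == "..":
            if segments:
                segments.pop()          # step back one directory
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + (sep + unquote(query) if sep else "")


def uricontent_match(pattern: str, raw_uri: str) -> bool:
    """uricontent semantics: pattern is searched in the NORMALIZED URI."""
    return pattern in normalize_uri(raw_uri)


def raw_content_match(pattern: str, raw_uri: str) -> bool:
    """Plain content (no http_uri modifier): pattern is searched in raw bytes."""
    return pattern in raw_uri


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri!r:36} -> {normalize_uri(uri)!r}")
    traversal = SAMPLE_URIS[2]
    print(uricontent_match("%2f", traversal))          # False: "%2f" was decoded away
    print(uricontent_match("/etc/passwd", traversal))  # True: write the decoded form
    print(raw_content_match("%2f", traversal))         # True: raw buffer still has it
```

Note that for the flood on "/", a pattern of "/" matches every request, so a uricontent match alone cannot tell flood traffic from normal traffic; the pcap and rule Al asks for are what show which buffer the rule is really matching against.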

From: Mohammad Rastgoo [mailto:mohammad at ...4014...]
Sent: Saturday, February 14, 2015 7:42 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] HTTP Get Flood


Hi,
Thanks for reading this.
My site has been receiving attacks for a while now and I've been able to stop them using snort + pfsense. Most of them were stopped just by using uri-content in the rule.
Today I've been receiving Get attacks on the main page. It really seems too simple but any rule I have tried has not blocked any IP addresses.
Would someone please guide me to the right direction?

Thanks