[Snort-sigs] HTTP Get Flood
Al Lewis (allewi)
allewi at ...3865...
Sun Feb 15 09:00:23 EST 2015
Can you provide a sample of the rule/conf you are trying to use as well as a pcap of the offending traffic?
The section on uricontent is here: http://manual.snort.org/node32.html#SECTION004523000000000000000
Make sure you are not trying to match on content before it is normalized, as listed in the manual:
“The uricontent keyword in the Snort rule language searches the NORMALIZED request URI field. This is equivalent to using the http_uri modifier to a content keyword. As such if you are writing rules that include things that are normalized, such as %2f or directory traversals, these rules will not alert.”
Hope this helps.
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...
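As an added illustration of the normalization point above (not code from this thread or from Snort itself), here is a small Python model of what a uricontent match sees: the raw URI is percent-decoded and its path segments collapsed before the pattern is searched, and a per-source sliding-window counter shows the kind of rate check a GET flood on the main page calls for rather than a plain content match. The normalizer, the request tuples, the threshold and the window are constructed assumptions.

```python
from collections import defaultdict, deque
from urllib.parse import unquote

def normalize_uri(raw):
    """Simplified model of URI normalization: percent-decode, then collapse
    empty, '.' and '..' path segments. This models the idea only; it is not
    Snort's http_inspect implementation."""
    out = []
    for seg in unquote(raw).split("/"):   # %2f becomes '/', %2e becomes '.'
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def uri_matches(raw, pattern):
    """Like uricontent / content + http_uri: the pattern is searched in the
    NORMALIZED URI, so a pattern written in encoded form ('%2f') never matches."""
    return pattern in normalize_uri(raw)

def flag_get_flood(requests, threshold, seconds):
    """Return sources that send >= threshold GETs for the root page inside a
    sliding window of `seconds` (the idea behind a rate-based rule)."""
    recent = defaultdict(deque)
    flagged = []
    for ts, src, method, raw_uri in requests:
        if method != "GET" or normalize_uri(raw_uri) != "/":
            continue
        window = recent[src]
        window.append(ts)
        while window[0] <= ts - seconds:   # drop timestamps outside the window
            window.popleft()
        if len(window) >= threshold and src not in flagged:
            flagged.append(src)
    return flagged

SAMPLE_REQUESTS = [  # constructed: (epoch seconds, source IP, method, raw URI)
    (100.0, "10.0.0.9", "GET", "/index.html"),
    (100.2, "10.0.0.5", "GET", "/"),
    (100.4, "10.0.0.5", "GET", "/"),
    (100.6, "10.0.0.5", "GET", "/./"),      # normalizes to "/"
    (100.8, "10.0.0.5", "GET", "/%2f"),     # normalizes to "/"
    (101.0, "10.0.0.5", "GET", "/"),
    (101.2, "10.0.0.5", "GET", "/"),
    (103.0, "10.0.0.9", "GET", "/"),
]

if __name__ == "__main__":
    print(uri_matches("/cgi%2fbin/x", "%2f"))      # False: decoded before matching
    print(uri_matches("/cgi%2fbin/x", "cgi/bin"))  # True
    print(flag_get_flood(SAMPLE_REQUESTS, 5, 10))  # ['10.0.0.5']
```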
From: Mohammad Rastgoo [mailto:mohammad at ...4014...]
Sent: Saturday, February 14, 2015 7:42 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] HTTP Get Flood
Thanks for reading this.
My site has been receiving attacks for a while now and I've been able to stop them using snort + pfsense. Most of them were stopped just by using uri-content in the rule.
Today I've been receiving Get attacks on the main page. It really seems too simple but any rule I have tried has not blocked any IP addresses.
Would someone please guide me to the right direction?