[Snort-sigs] HTTP Get Flood

Mohammad Rastgoo mohammad at ...4014...
Sun Feb 15 11:03:27 EST 2015


Hi,

This is it:

  Srv    PID    Acc          M  CPU   SS  Req  Conn  Child  Slot   Client         VHost              Request
  0-1    21953  0/75/3739    _  0.87   3  128  0     0.28   42.46  92.50.31.242   www.domain.com:80  GET /moon HTTP/1.1
  1-May  21977  1/39/3034    K  0.98   9   93  0.7   0.31   36.24  92.50.31.242   www.domain.com:80  GET /moon HTTP/1.1
  13-1   21241  0/168/3311   _  2.17   2  130  0     0.41   45.39  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
  15-1   22114  ########     K  0.18  11   93  0.7   0.05   20.92  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
  16-1   22186  0/14/3072    _  0.63  11   88  0     0.1    32.13  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
  19-1   20925  0/114/2514   _  2.49  12   88  0     0.35   30.51  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
  20-1   22275  0/3/3303     _  0.3    5  129  0     0.02   31.76  46.209.13.250  www.domain.com:80  GET /moon HTTP/1.1

On Sun, Feb 15, 2015 at 9:00 AM, Al Lewis (allewi) <allewi at ...3865...> wrote:

>  Hello,
>
>
>
> Can you provide a sample of the rule/conf you are trying
> to use as well as a pcap of the offending traffic?
>
>
>
> The section on uricontent is here:
> http://manual.snort.org/node32.html#SECTION004523000000000000000
>
>
>
> Make sure you are not trying to match on content before it's normalized, as
> listed in the manual:
>
>
>
> “The uricontent keyword in the Snort rule language searches the NORMALIZED
> request URI field. This is equivalent to using the http_uri modifier to a
> content keyword. As such if you are writing rules that include things that
> are normalized, such as %2f or directory traversals, these rules will not
> alert.”
>
>
>
>
>
> Hope this helps.
>
>
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...3865...
>
>
>
> *From:* Mohammad Rastgoo [mailto:mohammad at ...4014...]
> *Sent:* Saturday, February 14, 2015 7:42 PM
> *To:* snort-sigs at lists.sourceforge.net
> *Subject:* [Snort-sigs] HTTP Get Flood
>
>
>
>
>  Hi,
>
> Thanks for reading this.
>
> My site has been receiving attacks for a while now and I've been able to
> stop them using snort + pfsense. Most of them were stopped just by using
> uri-content in the rule.
>
> Today I've been receiving Get attacks on the main page. It really seems
> too simple but any rule I have tried has not blocked any IP addresses.
>
> Would someone please guide me to the right direction?
>
> Thanks
>



-- 
Mohammad Rastgoo
Founder & CEO
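To make the normalization caveat in the quoted reply concrete, here is an added Python model of what a uricontent / http_uri match sees. This is example code written for this thread, not Snort's own http_inspect normalizer: it assumes three normalization steps (percent-decoding, collapsing of repeated slashes, and resolution of "." and ".." path segments) and treats everything after "?" as a query string that is decoded but otherwise left alone; the real preprocessor has more options than that. The function and sample URIs below (normalize_uri, uricontent_matches, evaluate_rules) are constructed for the example.

```python
"""Simplified model of the normalized URI buffer that uricontent / http_uri
search (example for this thread, not Snort's own code)."""
from urllib.parse import unquote


def normalize_uri(raw_uri: str) -> str:
    """Return the normalized form of a request URI.

    Assumed normalization steps (a simplified stand-in for the HTTP
    inspector): percent-decoding (%2f -> /), collapsing of repeated slashes,
    and resolution of '.' and '..' path segments. The query string, if any,
    is percent-decoded but otherwise kept as-is.
    """
    decoded = unquote(raw_uri)                 # %2f -> '/', %2e -> '.', ...
    path, sep, query = decoded.partition("?")  # normalize the path only

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):      # empty = repeated slash; '.' = same directory
            continue
        if seg == "..":           # step up one directory, never above the root
            if segments:
                segments.pop()
            continue
        segments.append(seg)

    normalized = "/" + "/".join(segments)
    if path.endswith("/") and normalized != "/":
        normalized += "/"         # keep a trailing slash on directory requests
    return normalized + sep + query


def uricontent_matches(pattern: str, raw_uri: str, nocase: bool = False) -> bool:
    """Emulate uricontent:"<pattern>": the literal pattern is searched in the
    NORMALIZED URI, never in the raw bytes that were on the wire."""
    haystack = normalize_uri(raw_uri)
    if nocase:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


def evaluate_rules(patterns, raw_uri):
    """For one request URI, report which uricontent patterns would fire."""
    return {p: uricontent_matches(p, raw_uri) for p in patterns}


if __name__ == "__main__":
    # Constructed sample URIs, not traffic from the thread.
    samples = ("/moon", "/moon%2findex.html", "/static/css/../../moon/", "//moon?x=1")
    for uri in samples:
        print(f"{uri!r:32} -> {normalize_uri(uri)!r}")
    # A pattern written against the raw encoding never fires, because the
    # buffer being searched no longer contains "%2f"; the decoded form does.
    print(evaluate_rules(["%2f", "/moon/index.html"], "/moon%2findex.html"))
```

Running it shows the point of the manual excerpt: `uricontent:"%2f"` or `uricontent:"../"` sees a buffer in which those sequences have already been decoded or collapsed, so the rule needs the post-normalization form (`/moon/index.html`, `/moon`) to match, and a request for the site's main page normalizes to plain `/` regardless of how it was encoded.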