[Snort-sigs] HTTP Get Flood

Al Lewis (allewi) allewi at ...3865...
Sun Feb 15 14:41:04 EST 2015


Hello,

Thanks for that log, but can you provide the traffic in PCAP format so that it can be replayed/tested against?


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Mohammad Rastgoo [mailto:mohammad at ...4014...]
Sent: Sunday, February 15, 2015 11:03 AM
To: Al Lewis (allewi)
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] HTTP Get Flood

Hi,

This is it:
Srv    PID    Acc         M  CPU   SS  Req  Conn  Child  Slot   Client         VHost              Request
0-1    21953  0/75/3739   _  0.87  3   128  0     0.28   42.46  92.50.31.242   www.domain.com:80  GET /moon HTTP/1.1
1-May  21977  1/39/3034   K  0.98  9   93   0.7   0.31   36.24  92.50.31.242   www.domain.com:80  GET /moon HTTP/1.1
13-1   21241  0/168/3311  _  2.17  2   130  0     0.41   45.39  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
15-1   22114  ########    K  0.18  11  93   0.7   0.05   20.92  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
16-1   22186  0/14/3072   _  0.63  11  88   0     0.1    32.13  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
19-1   20925  0/114/2514  _  2.49  12  88   0     0.35   30.51  46.209.70.74   www.domain.com:80  GET /moon HTTP/1.1
20-1   22275  0/3/3303    _  0.3   5   129  0     0.02   31.76  46.209.13.250  www.domain.com:80  GET /moon HTTP/1.1



On Sun, Feb 15, 2015 at 9:00 AM, Al Lewis (allewi) <allewi at ...3865...> wrote:
Hello,

Can you provide a sample of the rule/conf you are trying to use as well as a pcap of the offending traffic?

The section on uricontent is here: http://manual.snort.org/node32.html#SECTION004523000000000000000

Make sure you are not trying to match on content before it's normalized, as noted in the manual:

“The uricontent keyword in the Snort rule language searches the NORMALIZED request URI field. This is equivalent to using the http_uri modifier to a content keyword. As such if you are writing rules that include things that are normalized, such as %2f or directory traversals, these rules will not alert.”


Hope this helps.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Mohammad Rastgoo [mailto:mohammad at ...4014...]
Sent: Saturday, February 14, 2015 7:42 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] HTTP Get Flood


Hi,
Thanks for reading this.
My site has been receiving attacks for a while now and I've been able to stop them using snort + pfsense. Most of them were stopped just by using uri-content in the rule.
Today I've been receiving Get attacks on the main page. It really seems too simple but any rule I have tried has not blocked any IP addresses.
Would someone please guide me to the right direction?

Thanks



--
Mohammad Rastgoo
Founder & CEO
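As an added example (not from the thread, Sourcefire or the Snort project), a Snort 2.x rule that treats the repeated "GET /moon" requests in the server-status output above as a per-source flood rather than matching every single request; the count/seconds thresholds, the sid in the local range, and the $HOME_NET/$HTTP_PORTS variable names are assumptions to adjust for the site.

```snort
# A plain uricontent/http_uri match on "/moon" (or on "/" for the main page)
# fires on every legitimate visitor as well, so on its own it is useless as a
# block trigger. detection_filter makes the rule alert only after one source
# address has sent more than 50 matching requests within 10 seconds; until
# then the matches are counted silently. Thresholds are assumed values.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP GET flood to /moon from a single source"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    content:"/moon"; http_uri; \
    detection_filter:track by_src, count 50, seconds 10; \
    classtype:attempted-dos; \
    sid:1000001; rev:1; \
)

# Same idea for the site root: "/" appears in every URI, so the match is
# pinned to a normalized URI of exactly one byte. http_uri and urilen work on
# the NORMALIZED URI buffer (the point the manual quote above makes), so write
# the pattern as it looks after decoding, never as "%2f".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP GET flood to site root from a single source"; \
    flow:to_server,established; \
    content:"GET"; http_method; \
    urilen:1; content:"/"; http_uri; \
    detection_filter:track by_src, count 50, seconds 10; \
    classtype:attempted-dos; \
    sid:1000002; rev:1; \
)
```

Because the alert carries the offending source address, a block-on-alert setup such as the pfSense Snort package can act on it; verify the thresholds against a pcap of both normal and flood traffic before enabling blocking.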