[Snort-users] Detecting benchmarks
pawel at ...5803...
Wed May 8 20:48:03 EDT 2002
Let's put it this way: if someone sends me 1000+ HTTP requests from the same
in one minute I would like to know about it.
Can one of Snort's modules generate an alert when something like this happens?
I do not care about signatures of the attack. These requests might be valid
HTTP requests. There are plenty of broken proxy servers out there. What I am
concerned with, is the number of these requests. I would imagine the
module could trigger an alert upon seeing 1000+ SYN packets going to the
in a very short time ...
----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Pawel Rogocz" <pawel at ...5803...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, May 08, 2002 2:14 PM
Subject: Re: [Snort-users] Detecting benchmarks
> On Wed, 8 May 2002, Pawel Rogocz wrote:
> > I need to be able to detect when a load generator is used against my
> > Let's say someone runs Apache Benchmark or a similar tool.
> > Which processor should I use?
> > The portscan module does not seem to be picking up these types of
> > attacks ... (at least not in v1.8.1)
> First things first: Get to the most current stable version 1.8.6. 1.8.7
> in the second round of beta testing and is very stable, but not 'released'
> Second: Define what you really want. "The portscan module does not seem
> be picking up these types of attacks"--What types of attacks? From what?
> From where? To where? There's a ton of questions to be considered
> From what I'm reading between the lines: You want to know if someone
> Apache Benchmark tool to run "beat" on your site. If that's the case,
> download the tool, run it on your server while dumping the packets, and
> see if there is a common signature that you could build a rule for.
> Hope that helps some!
> Erek Adams
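
The rate-based check asked for above (1000+ requests or SYNs from one source within a minute, regardless of payload signature) can be sketched as a per-source sliding-window counter. This is an added example, not part of the original thread and not a Snort module; the function names and the sample traffic (documentation-range addresses) are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # "in one minute" from the post
THRESHOLD = 1000      # "1000+" requests/SYNs from the post

def detect_floods(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """events: iterable of (timestamp_seconds, src_ip), sorted by time,
    one entry per SYN seen going to the web server.
    Returns a list of (timestamp, src_ip, count) alerts."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    muted_until = {}              # src_ip -> time before which we stay quiet
    alerts = []
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) >= threshold and ts >= muted_until.get(src, float("-inf")):
            alerts.append((ts, src, len(q)))
            # Suppress repeats: one alert per source per window, not one per packet.
            muted_until[src] = ts + window
    return alerts

def sample_events():
    """Constructed sample traffic, not captured data."""
    events = []
    # Load generator: 1500 SYNs in 30 seconds from one source.
    events += [(i * 0.02, "192.0.2.10") for i in range(1500)]
    # Busy proxy: 900 SYNs spread over one minute, stays under the threshold.
    events += [(i * (60 / 900), "198.51.100.7") for i in range(900)]
    # Slow client: 1200 SYNs over ten minutes, never 1000 in any single minute.
    events += [(i * 0.5, "203.0.113.5") for i in range(1200)]
    return sorted(events)

if __name__ == "__main__":
    for ts, src, count in detect_floods(sample_events()):
        print(f"t={ts:6.2f}s  {src} sent {count} SYNs in the last {WINDOW_SECONDS}s")
```

Only the load-generator source trips the alert; the proxy and the slow client stay below 1000 in any 60-second window, which is the distinction a signature-free volume check has to make.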