[Snort-users] Detecting benchmarks

Pawel Rogocz pawel at ...5803...
Wed May 8 20:48:03 EDT 2002


Erek,

let's put it this way: If someone sends me 1000+ http requests from the same
IP in one minute I would like to know about it.
Can one of snort's modules generate an alert when something like this happens?
I do not care about signatures of the attack. These requests might be valid
HTTP requests. There are plenty of broken proxy servers out there. What I am
concerned with is the number of these requests. I would imagine the portscan
module could trigger an alert upon seeing 1000+ SYN packets going to the
same IP/port in a very short time ...

cheers,

Pawel
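The requirement above is a pure rate check rather than a signature match: count requests per source IP over a sliding one-minute window and raise an alert once the count crosses a threshold. The following is an added example, not code from this thread or from Snort, that implements exactly that over Apache combined-format access log lines. The log lines, the client addresses (203.0.113.7 and 198.51.100.2) and the threshold default of 1000 are constructed for the illustration; the sliding-window detector itself is the general mechanism, so it also serves for any other per-source rate rule you might want.

```python
"""Rate-based detection of HTTP request floods from a single source IP.

Added example (not from the snort-users thread or the Snort project):
parse Apache combined-log lines, keep a sliding 60-second window of
timestamps per client IP, and alert once an IP exceeds the threshold.
Input is assumed to be in timestamp order, as a live access log is.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log layout; the constructed sample below uses it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class RateDetector:
    """Per-source sliding window: alert when a source exceeds `threshold`
    requests within `window`. One alert per source, to avoid alert storms."""

    def __init__(self, threshold=1000, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.windows = defaultdict(deque)   # ip -> timestamps inside the window
        self.alerted = set()

    def observe(self, ip, ts):
        q = self.windows[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and ip not in self.alerted:
            self.alerted.add(ip)
            return (f"ALERT {ip}: {len(q)} requests within "
                    f"{int(self.window.total_seconds())}s (first at {q[0].isoformat()})")
        return None


def scan(lines, threshold=1000, window_seconds=60):
    """Run the detector over an iterable of log lines; return the alert strings."""
    det = RateDetector(threshold, timedelta(seconds=window_seconds))
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip malformed lines rather than crash
        alert = det.observe(*parsed)
        if alert:
            alerts.append(alert)
    return alerts


def make_sample_log():
    """Constructed sample: 1200 requests from 203.0.113.7 in 45 seconds (a
    benchmark-style flood) interleaved with 5 requests from an ordinary client."""
    base = datetime(2002, 5, 8, 20, 48, 3, tzinfo=timezone(timedelta(hours=-4)))
    events = [(base + timedelta(seconds=i * 45 // 1200), "203.0.113.7") for i in range(1200)]
    events += [(base + timedelta(seconds=i * 10), "198.51.100.2") for i in range(5)]
    events.sort()
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.0" 200 1234'
            for ts, ip in events]


if __name__ == "__main__":
    for a in scan(make_sample_log()):
        print(a)
```

With the default threshold only the flooding client trips the detector; lowering it to a few requests shows the ordinary client being flagged as well, which is the tuning trade-off behind any rate rule: the threshold has to sit above what busy legitimate proxies produce.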
----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Pawel Rogocz" <pawel at ...5803...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, May 08, 2002 2:14 PM
Subject: Re: [Snort-users] Detecting benchmarks


> On Wed, 8 May 2002, Pawel Rogocz wrote:
>
> > I need to be able to detect when a load generator is used against my site.
> > Let's say someone runs Apache Benchmark or a similar tool.
> > Which processor should I use ?
> > The portscan module does not seem to be picking up these types of
> > attacks .... ( at least not in v 1.8.1 )
>
> First things first:  Get to the most current stable version 1.8.6.  1.8.7 is
> in the second round of beta testing and is very stable, but not 'released'
> yet.
>
> Second:  Define what you really want.  "The portscan module does not seem to
> be picking up these types of attacks"--What types of attacks?  From what?
> From where?  To where?  There's a ton of questions to be considered here...
>
> From what I'm reading between the lines:  You want to know if someone uses the
> Apache Benchmark tool to run "beat" on your site.  If that's the case,
> download the tool, run it on your server while dumping the packets, and then
> see if there is a common signature that you could build a rule for.
>
> Hope that helps some!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net