[Snort-users] Detecting benchmarks

Erek Adams erek at ...577...
Wed May 8 22:02:02 EDT 2002


On Wed, 8 May 2002, Pawel Rogocz wrote:

> Let's put it this way: If someone sends me 1000+ http requests from the same
> IP in one minute I would like to know about it.

Certes.  I can understand that.

> Can one of snort's modules generate an alert when something like this happens?

Hrm...  Only thing that I can think of would be the portscan pre-processor.

> I do not care about signatures of the attack. These requests might be valid
> HTTP requests. There are plenty of broken proxy servers out there. What I am
> concerned with, is the number of these requests.

Yeppers.  Makes good sense.

> I would imagine the portscan module could trigger an alert upon seeing 1000+
> SYN packets going to the same IP/port in a very short time ...
