[Snort-users] Detecting benchmarks
erek at ...577...
Wed May 8 22:02:02 EDT 2002
On Wed, 8 May 2002, Pawel Rogocz wrote:
> Let's put it this way: if someone sends me 1000+ HTTP requests from the same
> IP in one minute I would like to know about it.
Certes. I can understand that.
> Can one of Snort's modules generate an alert when something like this happens?
Hrm... Only thing that I can think of would be the portscan pre-processor.
> I do not care about signatures of the attack. These requests might be valid
> HTTP requests. There are plenty of broken proxy servers out there. What I am
> concerned with, is the number of these requests.
Yeppers. Makes good sense.
> I would imagine the portscan module could trigger an alert upon seeing 1000+
> SYN packets going to the same IP/port in a very short time ...
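
The counting idea discussed in this thread (alert on 1000+ connection attempts from one source to the same IP/port within a minute, regardless of payload), as an added example that is not part of the original messages and is not Snort code. The record format `(timestamp, src_ip, dst_ip, dst_port)`, the function names and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 1000   # "1000+" requests, as in the thread
WINDOW = 60.0      # seconds ("in one minute")

def detect_floods(events, threshold=THRESHOLD, window=WINDOW):
    """events: time-sorted (timestamp, src_ip, dst_ip, dst_port) tuples,
    e.g. one per observed SYN. Returns one alert per burst:
    (timestamp, src_ip, dst_ip, dst_port, count_in_window)."""
    recent = defaultdict(deque)   # (src, dst, port) -> timestamps in window
    alerting = set()              # keys currently at or above the threshold
    alerts = []
    for ts, src, dst, port in events:
        key = (src, dst, port)
        q = recent[key]
        q.append(ts)
        # Slide the window: drop timestamps that are a full window old.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            # Alert once when the threshold is crossed, not on every packet.
            if key not in alerting:
                alerting.add(key)
                alerts.append((ts, src, dst, port, len(q)))
        else:
            # Rate fell back under the threshold: re-arm for the next burst.
            alerting.discard(key)
    return alerts

def sample_events():
    """Constructed traffic: one flooding client and two that stay under the limit."""
    dst = ("198.51.100.5", 80)
    ev = [(i * 0.025, "192.0.2.10", *dst) for i in range(1200)]  # 1200 in 30 s
    ev += [(i * 2.0, "192.0.2.20", *dst) for i in range(60)]     # 30 per minute
    ev += [(i * 0.1, "192.0.2.30", *dst) for i in range(1200)]   # 600 per minute
    return sorted(ev)

if __name__ == "__main__":
    for ts, src, dst, port, n in detect_floods(sample_events()):
        print(f"{ts:8.3f}s ALERT {src} -> {dst}:{port} {n} requests in {WINDOW:.0f}s")
```

The third client sends as many requests in total as the first but spread over two minutes, so it stays under the per-minute threshold; only the rate within the window triggers an alert.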