[Snort-users] Detecting benchmarks
pawel at ...5803...
Fri May 10 02:43:02 EDT 2002
I did some more testing using hping2.
If I run hping -p 80 -i u3000 -S MYIP
it will send 300 SYN pkts/sec to the same port (80),
but snort will not say a word. Only after I start hitting ^Z, which changes
the destination port, does spp_portscan notice that something is going on
:-(
----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Pawel Rogocz" <pawel at ...5803...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, May 08, 2002 10:01 PM
Subject: Re: [Snort-users] Detecting benchmarks
> On Wed, 8 May 2002, Pawel Rogocz wrote:
> > let's put it this way: If someone sends me 1000+ http requests from the
> > IP in one minute I would like to know about it.
> Certes. I can understand that.
> > Can one of snort's modules generate an alert when something like this
> Hrm... Only thing that I can think of would be the portscan pre-processor.
> > I do not care about signatures of the attack. These requests might be
> > HTTP requests. There is plenty of broken proxy servers out there. What I
> > am concerned with is the number of these requests.
> Yeppers. Makes good sense.
> > I would imagine the portscan module could trigger an alert upon seeing
> > SYN packets going to the same IP/port in a very short time ...
> From reading the code, it seems that if you pass it the right 'homenet'
> watch and the amount of requests vs. time, then it should.
> I'll have to dig in more and see to get a good answer for you. I'm not a
> coder, I just play one on TV. ;-)
> Lemme have a go thru the code and see what I can turn up.
> Erek Adams
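Sliding-window detection of the two cases discussed in this thread, as an added example that is not code from the original posts or from Snort itself: a per-source SYN-rate counter (the check Pawel asks for) beside a portscan-style distinct-port counter, run over constructed traffic shaped like the hping2 run above. The host addresses, timestamps, window sizes and thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (time_s, src, dst, dport, flags). It mimics the
# hping2 run in the post: 300 SYNs per second to port 80 for two seconds, then a
# few SYNs to neighbouring ports (the "^Z" port change). Addresses are made up.
def build_sample():
    pkts = [(i / 300.0, "10.0.0.5", "10.0.0.1", 80, "S") for i in range(600)]
    pkts += [(2.0 + i * 0.1, "10.0.0.5", "10.0.0.1", 81 + i, "S") for i in range(5)]
    return pkts

def syn_rate_alerts(pkts, window=1.0, threshold=100):
    """Alert once per (src, dst, dport) when more than `threshold` SYNs arrive
    inside a sliding `window` of seconds: the rate check the poster asks for."""
    seen = defaultdict(deque)          # (src, dst, dport) -> SYN timestamps in window
    alerts, fired = [], set()
    for t, src, dst, dport, flags in pkts:
        if flags != "S":               # count only bare SYNs, not SYN/ACK etc.
            continue
        key = (src, dst, dport)
        q = seen[key]
        q.append(t)
        while q and t - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append((round(t, 3), src, dst, dport, len(q)))
    return alerts

def port_sweep_alerts(pkts, window=3.0, threshold=4):
    """Portscan-style logic: alert when one source touches more than `threshold`
    distinct ports on a host inside `window` seconds. A flood aimed at a single
    port never pushes the distinct-port count above 1, so it stays silent."""
    seen = defaultdict(deque)          # (src, dst) -> (timestamp, dport) in window
    alerts, fired = [], set()
    for t, src, dst, dport, flags in pkts:
        if flags != "S":
            continue
        key = (src, dst)
        q = seen[key]
        q.append((t, dport))
        while q and t - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > threshold and key not in fired:
            fired.add(key)
            alerts.append((round(t, 3), src, dst, len(ports)))
    return alerts
```

Run over build_sample(), syn_rate_alerts fires a third of a second into the flood, while port_sweep_alerts stays quiet until the destination port starts changing, which is exactly the behaviour reported above.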