[Snort-users] Detecting benchmarks

Pawel Rogocz pawel at ...5803...
Fri May 10 02:43:02 EDT 2002


Erek,

I did some more testing using hping2.
If I run hping -p 80 -i u3000 -S MYIP
it will send 300 SYN pkts/sec to the same port (80),
but snort will not say a word. Only after I start hitting ^Z
which changes the destination port, spp_portscan will notice something is
going on :-(

Pawel



----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Pawel Rogocz" <pawel at ...5803...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, May 08, 2002 10:01 PM
Subject: Re: [Snort-users] Detecting benchmarks


> On Wed, 8 May 2002, Pawel Rogocz wrote:
>
> > Let's put it this way: If someone sends me 1000+ http requests from the same
> > IP in one minute I would like to know about it.
>
> Certes.  I can understand that.
>
> > Can one of snort's modules generate an alert when something like this happens?
>
> Hrm...  Only thing that I can think of would be the portscan pre-processor.
>
> > I do not care about signatures of the attack. These requests might be valid
> > HTTP requests. There is plenty of broken proxy servers out there. What I am
> > concerned with, is the number of these requests.
>
> Yeppers.  Makes good sense.
>
> > I would imagine the portscan module could trigger an alert upon seeing 1000+
> > SYN packets going to the same IP/port in a very short time ...
>
> From reading the code, it seems that if you pass it the right 'homenet' to
> watch and the amount of requests vs. time, then it should.
>
> I'll have to dig in more and see to get a good answer for you.  I'm not a
> coder, I just play one on TV. ;-)
>
> Lemme have a go thru the code and see what I can turn up.
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
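The gap Pawel describes above (a steady stream of SYNs from one source to one port, which a counter of distinct destination ports never notices) can be shown with two small detectors side by side. This is an added example, not code from the thread or from Snort; the traffic records, the 1-second window and the thresholds are constructed.

```python
from collections import defaultdict, deque

# Constructed traffic: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
# Burst 1 mirrors the thread: 300 SYNs/sec from one host to port 80.
# Burst 2 is a classic sweep of 15 distinct ports, the case a portscan counter sees.
def make_sample():
    events = [(i / 300.0, "10.0.0.5", "192.0.2.10", 80, "S") for i in range(300)]
    events += [(5 + i / 15.0, "10.0.0.5", "192.0.2.10", 1000 + i, "S") for i in range(15)]
    events += [(10 + i, "10.0.0.7", "192.0.2.10", 80, "S") for i in range(3)]  # benign
    return events

def portscan_style(events, window=1.0, min_ports=10):
    """Alert when one source hits >= min_ports distinct ports within `window` seconds.
    Roughly what a portscan preprocessor keys on; a single-port flood never trips it."""
    alerts, seen = [], defaultdict(deque)          # src -> deque of (ts, port)
    for ts, src, dst, port, flags in events:
        if "S" not in flags:
            continue
        q = seen[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:         # slide the window
            q.popleft()
        if len({p for _, p in q}) >= min_ports:
            alerts.append((ts, src, "portscan"))
            q.clear()                              # one alert per burst
    return alerts

def same_port_flood(events, window=1.0, threshold=200):
    """Alert when one source sends >= threshold SYNs to one (dst, port) within `window`.
    Keying on the full (src, dst, port) tuple is what catches the case in the thread."""
    alerts, seen = [], defaultdict(deque)          # (src, dst, port) -> deque of ts
    for ts, src, dst, port, flags in events:
        if "S" not in flags:
            continue
        q = seen[(src, dst, port)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, src, "syn_flood", port))
            q.clear()
    return alerts

if __name__ == "__main__":
    ev = make_sample()
    print("portscan-style:", portscan_style(ev))   # only the 15-port sweep
    print("same-port flood:", same_port_flood(ev)) # the port-80 burst
```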
