[Snort-users] Detecting benchmarks

Pawel Rogocz pawel at ...5803...
Fri May 10 02:43:02 EDT 2002


I did some more testing using hping2.
If I run hping -p 80 -i u3000 -S MYIP
it will send 300 SYN pkts/sec to the same port (80),
but snort will not say a word. Only after I start hitting ^Z
which changes the destination port, spp_portscan will notice something is
going on :-(


----- Original Message -----
From: "Erek Adams" <erek at ...577...>
To: "Pawel Rogocz" <pawel at ...5803...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, May 08, 2002 10:01 PM
Subject: Re: [Snort-users] Detecting benchmarks

> On Wed, 8 May 2002, Pawel Rogocz wrote:
> > let's put it this way: If someone sends me 1000+ http requests from the
> > IP in one minute I would like to know about it.
> Certes.  I can understand that.
> > Can one of snort's modules generate an alert when something like this
> > happens?
> Hrm...  Only thing that I can think of would be the portscan pre-processor.
> > I do not care about signatures of the attack. These requests might be
> > HTTP requests. There is plenty of broken proxy servers out there. What I
> > concerned with, is the number of these requests.
> Yeppers.  Makes good sense.
> > I would imagine the portscan module could trigger an alert upon seeing
> > SYN packets going to the same IP/port in a very short time ...
> From reading the code, it seems that if you pass it the right 'homenet'
> watch and the amount of requests vs. time, then it should.
> I'll have to dig in more and see to get a good answer for you.  I'm not a
> coder, I just play one on TV. ;-)
> Lemme have a go thru the code and see what I can turn up.
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
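As an added example (not code from this thread or from Snort), here is the kind of per-port rate check the thread is asking for, in Python: it counts bare SYNs per (source IP, destination port) in a sliding one-second window, so a flood aimed at port 80 alone stands out even though no new ports are touched, which is the gap Pawel observed in spp_portscan. The threshold, window, addresses and packet records below are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
SYN_RATE_THRESHOLD = 100   # assumed: bare SYNs per second to one (src, dport) pair


class SamePortSynDetector:
    """Sliding-window SYN counter keyed on (src_ip, dst_port).

    A port-scan detector counts distinct ports; keying on one port makes a
    high-rate stream to a single service visible instead.
    """

    def __init__(self, window=WINDOW_SECONDS, threshold=SYN_RATE_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.seen = defaultdict(deque)   # (src, dport) -> recent SYN timestamps
        self.alerted = set()             # alert once per (src, dport)

    def observe(self, ts, src, dport, flags):
        """Feed one packet record; return an alert string or None."""
        if flags != "S":                 # only bare SYNs count, not SYN/ACK or ACK
            return None
        key = (src, dport)
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"{src} sent {len(q)} SYNs to port {dport} in {self.window:g}s"
        return None


def run(packets):
    """Return the alerts produced over a list of (ts, src, dport, flags) records."""
    det = SamePortSynDetector()
    return [a for a in (det.observe(*p) for p in packets) if a]


def constructed_packets():
    # Constructed traffic: 300 SYN/s to port 80 for one second (3000 us spacing,
    # like "hping -i u3000"), plus a normal client opening one connection per 0.1 s.
    flood = [(i * 0.003, "10.0.0.5", 80, "S") for i in range(300)]
    normal = []
    for i in range(10):
        normal += [(i * 0.1, "10.0.0.9", 80, "S"), (i * 0.1 + 0.001, "10.0.0.9", 80, "A")]
    return sorted(flood + normal)


if __name__ == "__main__":
    for alert in run(constructed_packets()):
        print(alert)
```

The flooding host trips the threshold on its 101st SYN (about 0.3 s in), while the normal client's ten SYNs per second never do.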
