[Snort-users] Snort Sigature based on time

Ellis Corey Corey.Ellis at ...6932...
Tue Sep 17 14:18:03 EDT 2002


I would like to know how to write a signature to catch the following

a user sending multiple valid HTTP request to a web server from the same IP
in a given time frame (say 20 identical requests in 5 secs).  I want to
block this ip, if this scenario happens.   I have a string I can look for in
the HTTP header also "WebRegistration".  We are getting bombarded by user
WebRegistrations from this one user.  When you block his ip, he just
switches it, and uses another one.  I want to see if Snort can automate this
detection and block the requests on the fly.

Can it be done. 


More information about the Snort-users mailing list