[Snort-users] Snort Signature based on time

Jason security at ...5028...
Tue Sep 17 15:51:01 EDT 2002


This capability was added on 8/26 by the looks of the changelog.

2002-08-26  mfr	<roesch at ...1935...>
    * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
	added thresholds to snort rules language, docs to come

I haven't had a chance to check it out and there are no docs on it yet but the basic capability should be there to do just what you are looking for.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/threshold.c?rev=1.1&content-type=text/vnd.viewcvs-ma

From there, it looks like a rule option for you would look like

threshold:5,ip

You could also do it by event or port.

The blocking part can be taken up as a react or resp, or you can do the firewall reconfig stuff, but the list will happily speak to the dangers there.

Jason

Ellis Corey wrote:

>Hi,
>
>I would like to know how to write a signature to catch the following
>scenario.
>
>a user sending multiple valid HTTP requests to a web server from the same IP
>in a given time frame (say 20 identical requests in 5 secs).  I want to
>block this IP, if this scenario happens.   I have a string I can look for in
>the HTTP header also "WebRegistration".  We are getting bombarded by user
>WebRegistrations from this one user.  When you block his IP, he just
>switches it, and uses another one.  I want to see if Snort can automate this
>detection and block the requests on the fly.
>
>
>Can it be done?
>
>
>Thanks
>
>
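The per-source threshold Jason points at, run against the 20-requests-in-5-seconds scenario from the quoted message, as an added Python example that is not part of the list post or of Snort's threshold.c. The sample events, the IP addresses and the `run` function are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample events (not from the list post): (timestamp in seconds,
# source IP, request line). One source fires 25 "WebRegistration" requests
# 0.2 s apart, a second source sends two ordinary requests, and the first
# source then reappears from a new IP, as the quoted message describes.
SAMPLE_EVENTS = (
    [(1000 + i / 5, "198.51.100.7", "GET /WebRegistration?u=x HTTP/1.0")
     for i in range(25)]
    + [(1000.5, "203.0.113.9", "GET /WebRegistration?u=y HTTP/1.0"),
       (1001.0, "203.0.113.9", "GET /index.html HTTP/1.0")]
    + [(1020 + i / 5, "198.51.100.8", "GET /WebRegistration?u=x HTTP/1.0")
     for i in range(25)]
)


def run(events, count=20, seconds=5.0, pattern="WebRegistration"):
    """Alert when one source IP produces `count` matching requests within a
    sliding window of `seconds`, i.e. a threshold tracked by IP.
    Returns a list of (timestamp, source_ip) alerts."""
    matcher = re.compile(re.escape(pattern))
    recent = defaultdict(deque)  # source IP -> timestamps of recent matches
    alerts = []
    for ts, src, request in sorted(events):  # process in time order
        if not matcher.search(request):
            continue  # content match failed, so the counter is untouched
        window = recent[src]
        window.append(ts)
        # Drop matches that have fallen out of the sliding window.
        while ts - window[0] > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append((ts, src))
            window.clear()  # alert once per burst, then count afresh
    return alerts


if __name__ == "__main__":
    for ts, src in run(SAMPLE_EVENTS):
        print(f"{ts:.1f} threshold exceeded for {src}")
```

Each source gets its own counter, which is why the second burst from 198.51.100.8 alerts on its own and why blocking a single IP, as the quoted message found, only forces the sender to move.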