[Snort-users] Snort Signature based on time

Jason security at ...5028...
Tue Sep 17 15:51:01 EDT 2002

This capability was added on 8/26 by the looks of the changelog.

2002-08-26  mfr	<roesch at ...1935...>
    * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
	added thresholds to snort rules language, docs to come

I haven't had a chance to check it out and there are no docs on it yet, but the basic capability should be there to do just what you are looking for.


from there looks like this as a rule option for you would look like

 you could also do it by event or port

the blocking part can be taken up as a react or resp or you can do the firewall reconfig stuff but the list 
will happily speak to the dangers there.


Ellis Corey wrote:

>I would like to know how to write a signature to catch the following:
>a user sending multiple valid HTTP requests to a web server from the same IP
>in a given time frame (say 20 identical requests in 5 secs).  I want to
>block this ip, if this scenario happens.   I have a string I can look for in
>the HTTP header also "WebRegistration".  We are getting bombarded by user
>WebRegistrations from this one user.  When you block his ip, he just
>switches it, and uses another one.  I want to see if Snort can automate this
>detection and block the requests on the fly.
>Can it be done?

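The counting asked for in this thread (20 requests carrying "WebRegistration" from one IP within 5 seconds), modelled in Python as an added example; it is not code from the post or from Snort's src/threshold.c. The sliding window, the re-arm behaviour, the names and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

MARKER = "WebRegistration"   # string the poster sees in the HTTP header
COUNT, SECONDS = 20, 5.0     # "20 identical requests in 5 secs"


class SourceThreshold:
    """Alert when one source sends `count` matching requests within `seconds`.

    Hypothetical helper: a sliding window per source IP (an assumption,
    not necessarily how Snort's threshold code counts).
    """

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)  # src_ip -> timestamps in window

    def observe(self, ts, src_ip, request):
        """Feed one request; return True when src_ip crosses the threshold."""
        if MARKER not in request:
            return False
        window = self.windows[src_ip]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] >= self.seconds:
            window.popleft()
        if len(window) >= self.count:
            window.clear()  # re-arm: the next alert needs `count` new hits
            return True
        return False


def sample_events():
    """Constructed traffic (addresses and header name are made up)."""
    req = "POST /signup HTTP/1.0\r\nX-Form: WebRegistration\r\n\r\n"
    events = [(i * 0.2, "192.0.2.10", req) for i in range(25)]     # 5 req/s
    events += [(i * 1.0, "198.51.100.7", req) for i in range(25)]  # 1 req/s
    events.append((1.0, "192.0.2.10", "GET / HTTP/1.0\r\n\r\n"))   # no marker
    return sorted(events)  # the detector expects time-ordered input


def run(events):
    """Return (timestamp, src_ip) for every threshold crossing."""
    detector = SourceThreshold()
    return [(ts, ip) for ts, ip, req in events if detector.observe(ts, ip, req)]


if __name__ == "__main__":
    for ts, ip in run(sample_events()):
        print(f"t={ts:.1f}s threshold exceeded by {ip}")
```

Because the state is keyed on source address, a sender who switches IPs, as the original question describes, starts a fresh count on each new address.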