[Snort-users] Snort Signature based on time

twig les twigles at ...131...
Wed Sep 18 13:06:03 EDT 2002


We've gone thru this scenario at my work with
Netrangers (they can update Cisco acls).  We don't
like it.  Basically it can work if you have a
bleed-off period (like BGP flaps) and a list of IPs
that can never be blocked (root nameservers for
example).

Still, it's possible to DoS yourself.  


--- Jason <security at ...5028...> wrote:
> This capability was added on 8/26 by the looks of
> the changelog.
> 
> 2002-08-26  mfr	<roesch at ...1935...>
>     * src/threshold.c src/threshold.h src/detect.c
> src/rules.h src/parser.c
> 	added thresholds to snort rules language, docs to
> come
> 
> I haven't had a chance to check it out and there are
> no docs on it yet but the basic capability
> should be there to do just what you are looking for.
> 
> 
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/threshold.c?rev=1.1&content-type=text/vnd.viewcvs-ma
> 
> from there looks like this as a rule option for you
> would look like
> 
> threshold:5,ip
>  you could also do it by event or port
> 
> the blocking part can be taken up as a react or resp
> or you can do the firewall reconfig stuff but the
> list 
> will happily speak to the dangers there.
> 
> Jason
> 
> Ellis Corey wrote:
> 
> >Hi,
> >
> >I would like to know how to write a signature to
> catch the following
> >scenario.
> >
> >a user sending multiple valid HTTP request to a web
> server from the same IP
> >in a given time frame (say 20 identical requests in
> 5 secs).  I want to
> >block this ip, if this scenario happens.   I have a
> string I can look for in
> >the HTTP header also "WebRegistration".  We are
> getting bombarded by user
> >WebRegistrations from this one user.  When you
> block his ip, he just
> >switches it, and uses another one.  I want to see
> if Snort can automate this
> >detection and block the requests on the fly.
> >
> >
> >Can it be done. 
> >
> >
> >Thanks
> >
> >


=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------

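The detection scheme discussed in this thread, N matching requests from one source IP inside S seconds followed by an automatic block, together with the two safeguards twig les raises (a bleed-off period after which the block expires, and a list of addresses that are never blocked), as an added example. This is not code from the thread and not Snort's own threshold implementation; the class and function names are the example's own, and the IPs, timestamps and request lines are constructed sample data.

```python
from collections import Counter, defaultdict, deque
from ipaddress import ip_address, ip_network


class RateThresholdDetector:
    """Count matching requests per source IP inside a sliding time window.

    Mirrors the idea of a per-source threshold (N events in S seconds) and
    adds the two safeguards from the thread: a bleed-off period after which
    a block expires, and a never-block list whose members only raise alerts.
    """

    def __init__(self, count, seconds, pattern, block_seconds, never_block):
        self.count = count                  # matching requests needed to trigger
        self.seconds = seconds              # width of the sliding window
        self.pattern = pattern              # substring that must appear in the request
        self.block_seconds = block_seconds  # bleed-off: how long a block lasts
        self.never_block = [ip_network(n) for n in never_block]
        self.windows = defaultdict(deque)   # src -> timestamps of matching requests
        self.blocked_until = {}             # src -> time at which the block expires

    def _protected(self, src):
        return any(ip_address(src) in net for net in self.never_block)

    def observe(self, ts, src, request):
        """Return the decision for one request: pass, alert, block or dropped."""
        if src in self.blocked_until:
            if ts < self.blocked_until[src]:
                return "dropped"            # still inside the bleed-off period
            del self.blocked_until[src]     # block expired: start a fresh window
            self.windows[src].clear()
        if self.pattern not in request:
            return "pass"
        window = self.windows[src]
        window.append(ts)
        while window and window[0] < ts - self.seconds:
            window.popleft()                # drop events older than the window
        if len(window) < self.count:
            return "pass"
        window.clear()                      # threshold reached: reset the counter
        if self._protected(src):
            return "alert"                  # never-block source: alert, do not block
        self.blocked_until[src] = ts + self.block_seconds
        return "block"


# Constructed sample events (timestamp in seconds, source IP, request line).
SAMPLE_EVENTS = (
    # one source sending 25 WebRegistration requests in under five seconds
    [(i * 0.2, "203.0.113.7", "POST /WebRegistration HTTP/1.1") for i in range(25)]
    # ordinary traffic from a second source
    + [(1.0, "198.51.100.4", "GET /index.html HTTP/1.1"),
       (2.0, "198.51.100.4", "POST /WebRegistration HTTP/1.1")]
    # a never-block source (e.g. a nameserver) that also crosses the threshold
    + [(10.0 + i * 0.1, "192.0.2.53", "POST /WebRegistration HTTP/1.1")
       for i in range(20)]
)


def run_detector(events, count=20, seconds=5.0, pattern="WebRegistration",
                 block_seconds=60.0, never_block=("192.0.2.53/32",)):
    """Feed events in time order; return {src: Counter(decision -> count)}."""
    detector = RateThresholdDetector(count, seconds, pattern, block_seconds, never_block)
    summary = defaultdict(Counter)
    for ts, src, request in sorted(events, key=lambda e: e[0]):
        summary[src][detector.observe(ts, src, request)] += 1
    return summary


if __name__ == "__main__":
    for src, decisions in run_detector(SAMPLE_EVENTS).items():
        print(src, dict(decisions))
```

The window clears when the threshold fires, so a source is blocked once per burst rather than on every further request; requests arriving during the bleed-off are reported as dropped, and a source on the never-block list produces an alert but is never added to the block table.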



