[Snort-users] Snort Signature based on time

Jason security at ...5028...
Wed Sep 18 13:17:07 EDT 2002


Instead of blocking and causing a DoS to yourself, snort can send resets 
to the specific connection once identified or send back a denied content 
page. Identifying the abuser should be possible with thresholding. This 
happens once or twice and I would expect them to give up or slow down 
considerably.

twig les wrote:

>We've gone thru this scenario at my work with
>Netrangers (they can update Cisco acls).  We don't
>like it.  Basically it can work if you have a
>bleed-off period (like BGP flaps) and a list of IPs
>that can never be blocked (root nameservers for
>example).
>
>Still, it's possible to DoS yourself.
>
>--- Jason <security at ...5028...> wrote:
>
>>This capability was added on 8/26 by the looks of
>>the changelog.
>>
>>2002-08-26  mfr	<roesch at ...1935...>
>>    * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
>>	added thresholds to snort rules language, docs to come
>>
>>I haven't had a chance to check it out and there are
>>no docs on it yet but the basic capability
>>should be there to do just what you are looking for.
>>
>>http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/threshold.c?rev=1.1&content-type=text/vnd.viewcvs-ma
>>
>>From there it looks like a rule option for you
>>would look like
>>
>>threshold:5,ip
>>
>>You could also do it by event or port.
>>
>>The blocking part can be taken up as a react or resp
>>or you can do the firewall reconfig stuff but the
>>list will happily speak to the dangers there.
>>
>>Jason
>>
>>Ellis Corey wrote:
>>
>>>Hi,
>>>
>>>I would like to know how to write a signature to
>>>catch the following scenario.
>>>
>>>A user sending multiple valid HTTP requests to a web
>>>server from the same IP in a given time frame (say
>>>20 identical requests in 5 secs).  I want to
>>>block this IP if this scenario happens.  I have a
>>>string I can look for in the HTTP header also:
>>>"WebRegistration".  We are getting bombarded by user
>>>WebRegistrations from this one user.  When you
>>>block his IP, he just switches it and uses another
>>>one.  I want to see if Snort can automate this
>>>detection and block the requests on the fly.
>>>
>>>Can it be done?
>>>
>>>Thanks
>>>
>>>-------------------------------------------------------
>>>This SF.NET email is sponsored by: AMD - Your
>>>access to the experts on Hammer Technology!
>>>Open Source & Linux Developers, register now
>>>for the AMD Developer Symposium. Code: EX8664
>>>http://www.developwithamd.com/developerlab
>>>_______________________________________________
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive:
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>-------------------------------------------------------
>  
>
>>This SF.NET email is sponsored by: AMD - Your access
>>to the experts
>>on Hammer Technology! Open Source & Linux
>>Developers, register now
>>for the AMD Developer Symposium. Code: EX8664
>>http://www.developwithamd.com/developerlab
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or
>>unsubscribe:
>>
>>    
>>
>https://lists.sourceforge.net/lists/listinfo/snort-users
>  
>
>>Snort-users list archive:
>>
>>    
>>
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>=====
>-----------------------------------------------------------
>Heavy metal made me do it.                        
>-----------------------------------------------------------
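The per-source counting that a thresholded rule would have to do for Ellis's scenario (N matching requests from one IP inside T seconds), written out as an added illustration that is not part of the thread and not Snort's own threshold.c. The log line format and the addresses below are constructed for the example; the point is the sliding window and the reset-after-alert behaviour, which is what keeps one burst from producing one alert per packet.

```python
"""Sliding-window per-source threshold for the 'WebRegistration' scenario.
Added example, not Snort code. Log format is constructed:
'<epoch> <src_ip> <request line and headers>'."""
from collections import defaultdict, deque


def parse_line(line):
    """Split a constructed log line into (timestamp, source IP, payload)."""
    ts, src, rest = line.split(" ", 2)
    return float(ts), src, rest


class SourceThreshold:
    """Alert when one source sends `count` matching requests within `seconds`."""

    def __init__(self, count, seconds, needle):
        self.count = count
        self.seconds = seconds
        self.needle = needle
        self.windows = defaultdict(deque)  # src -> timestamps of matching hits

    def observe(self, ts, src, payload):
        """Return True exactly when src crosses the threshold on this request."""
        if self.needle not in payload:
            return False
        q = self.windows[src]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # one alert per burst, then start counting again
            return True
        return False


def flagged_sources(lines, count=20, seconds=5.0, needle="WebRegistration"):
    """Run the detector over log lines; return (src, ts) for each alert."""
    det = SourceThreshold(count, seconds, needle)
    return [(src, ts) for ts, src, payload in map(parse_line, lines)
            if det.observe(ts, src, payload)]


# Constructed sample: one 20-request burst in 4 s, a lone request from
# another host, then a slow drip of 10 requests spaced 1 s apart.
SAMPLE = (
    [f"{1000 + i * 0.2:.1f} 203.0.113.5 GET /register HTTP/1.0 X-Action: WebRegistration"
     for i in range(20)]
    + ["1001.0 198.51.100.9 GET /index.html HTTP/1.0 X-Action: WebRegistration"]
    + [f"{1100 + i:.1f} 203.0.113.5 GET /register HTTP/1.0 X-Action: WebRegistration"
       for i in range(10)]
)
```

Only the fast burst trips the 20-in-5-seconds rule; the slow drip never holds more than six hits in the window, which is the "give up or slow down" outcome Jason describes.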




