[Snort-users] Help with Snort rule - httpd flood detection

Scott / NightStorm NightStorm_Draco at ...13096...
Mon Feb 28 17:28:48 EST 2005


If I knew where to even start, I would do so... why I was hoping for some 
help from the list.
So far, I've found nothing, so I'm lost on it.
Thus far, the only content that is consistent throughout the various attacks 
are the fact that all the various bots all hit the exact same spot all at 
once.. nothing else is consistent from one attack to the next (other than 
the sender).

----- Original Message ----- 
From: "Jeremy Hewlett" <jh at ...1935...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, February 28, 2005 1:44 PM
Subject: Re: [Snort-users] Help with Snort rule - httpd flood detection


> On Sat, Feb 26, NightStorm wrote:
>>
>>    What  I  am  hoping  to  do  is somehow get Snort to recognise massive
>>    queries  to a specified page, and then trigger a rule.  Unfortunately,
>
> Have you tried creating your own rule, looking for whatever content,
> and putting a threshold of type "Both" on it? 





More information about the Snort-users mailing list