[Snort-users] Snort Inline

Xavier Cabrera xavierc at ...12882...
Mon Jun 6 12:15:14 EDT 2005


Hello:

Does anyone have a rule to stop a DoS attack on Apache with Snort inline?

I have this rule:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC Try to stop http DOS Attack"; flags:S; threshold: type both, track by_src, count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)

and this on iptables table INPUT:

QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

It seems to stop some connections:

[**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
[Classification: Misc activity] [Priority: 3]
06/06-15:09:05.789134 213.168.19.34:3440 -> 207.58.187.4:80
TCP TTL:118 TOS:0x0 ID:34857 IpLen:20 DgmLen:48 DF
******S* Seq: 0x590907AD  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
[Classification: Misc activity] [Priority: 3]
06/06-15:09:05.926906 61.211.140.68:32966 -> 207.58.187.4:80
TCP TTL:117 TOS:0x0 ID:256 IpLen:20 DgmLen:44
******S* Seq: 0x17B00000  Ack: 0x0  Win: 0x4000  TcpLen: 24
TCP Options (1) => MSS: 1400


But when I want to make a real connection from a good IP, I can't see the
website... and no log appears for the good IP!

What can be happening?

Thanks, everyone.

Xavier C.
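Added illustration, not part of the post and not Snort's own code: a small Python model of what the rule's `threshold: type both, track by_src, count 5, seconds 1` clause counts, run over the two packet lines from the alerts above plus some constructed SYN events. It assumes the simplified semantics of "type both" (fire once per window once the count is reached, then stay quiet for the rest of that window); the IP 198.51.100.7 is a constructed placeholder for a legitimate client.

```python
import re
from dataclasses import dataclass

# Packet lines copied from the two alerts in the post (time, src:port -> dst:port).
ALERT_PACKET_LINES = [
    "06/06-15:09:05.789134 213.168.19.34:3440 -> 207.58.187.4:80",
    "06/06-15:09:05.926906 61.211.140.68:32966 -> 207.58.187.4:80",
]

# Constructed SYN events as (seconds, source IP). Two bursty sources taken from
# the alerts above and one placeholder "good" client that opens a single
# connection and retries once a few seconds later.
SAMPLE_SYNS = [
    (0.00, "213.168.19.34"), (0.10, "213.168.19.34"), (0.20, "213.168.19.34"),
    (0.30, "213.168.19.34"), (0.40, "213.168.19.34"), (0.50, "213.168.19.34"),
    (0.05, "61.211.140.68"), (0.15, "61.211.140.68"), (0.25, "61.211.140.68"),
    (0.35, "61.211.140.68"), (0.45, "61.211.140.68"),
    (1.60, "61.211.140.68"), (1.70, "61.211.140.68"), (1.80, "61.211.140.68"),
    (1.90, "61.211.140.68"), (2.00, "61.211.140.68"),
    (0.30, "198.51.100.7"), (3.00, "198.51.100.7"),   # constructed good client
]

_PKT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_packet_line(line):
    """Extract (seconds since midnight, source IP) from a Snort fast-alert packet line."""
    m = _PKT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort packet line: {line!r}")
    seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return seconds, m["src"]


@dataclass
class _SrcState:
    window_start: float
    count: int


def threshold_both(events, count=5, seconds=1.0):
    """Simplified model of `threshold: type both, track by_src, count N, seconds S`.

    For each source, events are counted inside a window that starts at the
    first event seen; when the count reaches N the rule fires once, and
    further events in the same window are not logged. A new window starts
    with the first event after the old one has expired.
    Returns the list of (time, src) at which the rule would fire.
    """
    state = {}
    fired = []
    for t, src in sorted(events):
        st = state.get(src)
        if st is None or t - st.window_start >= seconds:
            st = _SrcState(window_start=t, count=0)
            state[src] = st
        st.count += 1
        if st.count == count:
            fired.append((t, src))
    return fired


def flagged_sources(events, count=5, seconds=1.0):
    """Set of source IPs that reach the threshold at least once."""
    return {src for _, src in threshold_both(events, count, seconds)}


if __name__ == "__main__":
    # One line per alert in the post: each source appears once, so on their
    # own they never reach count 5 (the alert file shows the rule already fired).
    parsed = [parse_packet_line(l) for l in ALERT_PACKET_LINES]
    print("parsed:", parsed)
    for t, src in threshold_both(SAMPLE_SYNS):
        print(f"rule fires at t={t:.2f}s for {src}")
    print("flagged:", sorted(flagged_sources(SAMPLE_SYNS)))
```

The model makes the defender's point: a client that sends one SYN (or a couple of SYNs several seconds apart) never reaches five in one second, so a rule with this threshold is not what silently blocks a legitimate visitor. When a good client gets no page and no alert at all, the thing to check first is the QUEUE path itself: packets sent to the iptables QUEUE target are dropped unless a userspace process (here snort_inline) is attached to the queue and returns a verdict for them.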
