[Snort-users] Snort Inline

Victor Julien victor at ...12319...
Mon Jun 6 12:22:07 EDT 2005


On Monday 06 June 2005 21:14, Xavier Cabrera wrote:
> Hello:
>
> Anyone have a rule to stop a DoS attack to apache with snort inline?
>
> I have this rule:
>
> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC  Try to stop http DOS Attack"; flags:S; threshold: type both, track by_src, count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)
>
> and this on iptables table INPUT:
>
> QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
>

Snort_inline needs to see the outgoing traffic as well, so add the following 
iptables rule:
'iptables -A OUTPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 80 -j QUEUE'

Now it should work!

Regards,
Victor


> It seems to stop some connections:
>
> [**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
> [Classification: Misc activity] [Priority: 3]
> 06/06-15:09:05.789134 213.168.19.34:3440 -> 207.58.187.4:80
> TCP TTL:118 TOS:0x0 ID:34857 IpLen:20 DgmLen:48 DF
> ******S* Seq: 0x590907AD  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>
> [**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
> [Classification: Misc activity] [Priority: 3]
> 06/06-15:09:05.926906 61.211.140.68:32966 -> 207.58.187.4:80
> TCP TTL:117 TOS:0x0 ID:256 IpLen:20 DgmLen:44
> ******S* Seq: 0x17B00000  Ack: 0x0  Win: 0x4000  TcpLen: 24
> TCP Options (1) => MSS: 1400
>
>
> But when I want to make a real connection for a good IP I can't see the
> website....... and no log appears for the good IP!!!
>
> What can be happening?
>
> Thanks everyone.
>
> Xavier C.

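Added example, not part of the original thread and not Snort's own code: a simplified Python model of how "threshold: type both, track by_src, count 5, seconds 1" from the quoted rule decides which matching SYNs produce a log entry, run over constructed events. It models log generation only, not the packet verdict; the function names, the millisecond timestamps and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
# Simplified model of Snort's "threshold: type both" (illustrative, not Snort source).
# Per tracked source: count matching packets in a window opened by the first
# hit, and log once, on the packet that brings the count up to `count`.

def threshold_both(events, count=5, window_ms=1000):
    """events: time-ordered (ts_ms, src_ip) for packets that match the rule.
    Returns the (ts_ms, src_ip) pairs that would produce a log entry."""
    state = {}    # src_ip -> [window_start_ms, hits_in_window]
    logged = []
    for ts, src in events:
        entry = state.get(src)
        if entry is None or ts - entry[0] >= window_ms:
            entry = state[src] = [ts, 0]      # window expired: open a new one
        entry[1] += 1
        if entry[1] == count:                 # only the count-th hit logs
            logged.append((ts, src))
    return logged


def silent_sources(events, logged):
    """Sources that matched the rule but never reached the threshold."""
    return {src for _, src in events} - {src for _, src in logged}


def build_sample():
    """Constructed SYN arrivals (ms, source); not taken from the thread."""
    flood, visitor, slow = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    events = [(i * 50, flood) for i in range(12)]          # 12 SYNs in 0.55 s
    events += [(1500 + i * 50, flood) for i in range(6)]   # second burst
    events += [(300, visitor)]                             # one normal SYN
    events += [(i * 250, slow) for i in range(4)]          # 4 SYNs in a window
    return sorted(events)


if __name__ == "__main__":
    sample = build_sample()
    hits = threshold_both(sample)
    for ts, src in hits:
        print(f"log at {ts} ms for {src}")
    print("never logged:", sorted(silent_sources(sample, hits)))
```

A source that sends fewer than five SYNs inside one window never appears in the log under this threshold, whatever happens to its packets.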