[Snort-users] Snort Inline

Matt Kettler mkettler at ...4108...
Mon Jun 6 12:26:20 EDT 2005

Xavier Cabrera wrote:
> Hello:
> Anyone have a rule to stop a DoS attack on Apache with Snort inline?
> I have this rule:
> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC Try
> to stop http DOS Attack"; flags:S; threshold: type both, track by_src,
> count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)
>
> but when I want to make a real connection from a good IP I can't see the
> website....... and no log appears for the good IP!!!
> What could have happened?

I don't know why you didn't get a log, but 5 connections per second is an
outrageously low threshold. Try 20 or 30 as a bare minimum.

Many web browsers will open every embedded element of your page simultaneously,
or in batches of 5 at a time and new ones are fired off as fast as the previous
batch finishes. Each element of the page usually gets its own connection, so if
you've got a page with 100 images on it, that's 100 connections.
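To make the threshold arithmetic concrete, here is an added example (not code from this thread or from Snort): a simplified model of `threshold: type both, track by_src, count N, seconds S`, replayed over a constructed browser burst and a constructed SYN flood. The source addresses, batch timings and counts are assumptions for illustration.

```python
class BySrcThreshold:
    """Simplified model (an assumption, not Snort's own code) of
    `threshold: type both, track by_src, count N, seconds S`:
    fire once per S-second window after the N-th event from a
    source, then stay silent until that window expires."""

    def __init__(self, count, window_ms):
        self.count = count
        self.window_ms = window_ms
        self.state = {}  # src -> [window_start_ms, events_seen, fired]

    def event(self, src, ts_ms):
        """Feed one SYN from src at ts_ms; True if the rule fires (drops)."""
        st = self.state.get(src)
        if st is None or ts_ms - st[0] >= self.window_ms:
            st = self.state[src] = [ts_ms, 0, False]  # open a new window
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def browser_syns(n_elements=100, batch=5, batch_ms=300):
    """Constructed: a browser loading n_elements objects, one connection
    each, in batches of `batch` that finish every batch_ms (~17 SYNs/s)."""
    return [(i // batch) * batch_ms for i in range(n_elements)]


def flood_syns(n=200, duration_ms=500):
    """Constructed: n SYNs from a single source spread over duration_ms."""
    return [i * duration_ms // n for i in range(n)]


def times_fired(syn_times_ms, src, count, seconds):
    """How many times the rule fires for one source's SYN timestamps."""
    thr = BySrcThreshold(count, seconds * 1000)
    return sum(thr.event(src, t) for t in sorted(syn_times_ms))


if __name__ == "__main__":
    # Constructed addresses; compare the original count 5 with count 30.
    for count in (5, 30):
        browser = times_fired(browser_syns(), "10.0.0.5", count, 1)
        flood = times_fired(flood_syns(), "10.0.0.9", count, 1)
        print(f"count {count}, seconds 1: browser fires {browser} times, "
              f"flood fires {flood} time(s)")
```

With count 5 the legitimate 100-image page load trips the rule in every window, while count 30 lets it through and still fires once on the flood.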

