[Snort-users] Snort Inline
mkettler at ...4108...
Mon Jun 6 12:26:20 EDT 2005
Xavier Cabrera wrote:
> Anyone have a rule to stop a DoS attack to apache whit snort inline?
> i Have this rule:
> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC Try
> to stop http DOS Attack"; flags:S; threshold: type both, track by_src,
> count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)
> but when i want to make a real connection for a good ip i can't see the
> website....... and no log appears for the good ip!!!
> What can be happend?
I don't know why you didn't get a log, but 5 connections per second is an
outrageously low threshold. Try 20 or 30 as a bare minimum.
Many web browsers will open every embedded element of your page simultaneously,
or in batches of 5 at a time and new ones are fired off as fast as the previous
batch finishes. Each element of the page usually gets its own connection, so If
you've got a page with 100 images on it, that's 100 connections.
More information about the Snort-users