[Snort-users] Snort Inline

Matt Kettler mkettler at ...4108...
Mon Jun 6 12:26:20 EDT 2005


Xavier Cabrera wrote:
> Hello:
> 
> Does anyone have a rule to stop a DoS attack on Apache with Snort inline?
> 
> I have this rule:
> 
> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC  Try
> to stop http DOS Attack";  flags:S; threshold: type both, track by_src,
> count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)
>
<snip>

> 
> 
> but when I want to make a real connection from a good IP I can't see the
> website... and no log appears for the good IP!!!
> 
> What could have happened?

I don't know why you didn't get a log, but 5 connections per second is an
outrageously low threshold. Try 20 or 30 as a bare minimum.

Many web browsers will open every embedded element of your page simultaneously,
or in batches of 5 at a time and new ones are fired off as fast as the previous
batch finishes. Each element of the page usually gets its own connection, so if
you've got a page with 100 images on it, that's 100 connections.
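
Matt's point about ordinary browsers tripping a count 5 / seconds 1 threshold, as an added example that is not part of the original thread: a small Python model of Snort's per-source "threshold: type both, track by_src" behaviour (it fires once per window, on the Nth event from a source), run over constructed SYN timestamps for a browser page load and for a single-source flood. The client addresses, page sizes, batch timings and flood rate are assumptions made up for the illustration.

```python
# Added example, not from the thread: model of Snort's
# 'threshold: type both, track by_src, count N, seconds T' applied to the
# drop rule above, over constructed SYN arrival times (all values made up).

class SynThreshold:
    """type both: fire once per window, on the N-th event from a source
    within T seconds; every other event in that window passes silently."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.windows = {}  # src -> [window_start, events_seen_in_window]

    def fires(self, src, now):
        start, seen = self.windows.get(src, (None, 0))
        if start is None or now - start > self.seconds:
            self.windows[src] = [now, 1]      # new window, this SYN is #1
            return self.count == 1
        seen += 1
        self.windows[src][1] = seen
        return seen == self.count             # only the N-th SYN fires


def browser_page_load(src, t0, elements, batch=5, batch_gap=0.25):
    """Constructed SYNs from one client fetching a page with `elements`
    embedded objects, opening `batch` connections every `batch_gap` s."""
    return [(src, t0 + (i // batch) * batch_gap) for i in range(elements)]


def syn_flood(src, t0, per_second, seconds):
    """Constructed SYNs from a single source at a steady rate."""
    return [(src, t0 + i / per_second) for i in range(per_second * seconds)]


def dropped_syns(rule, syns):
    """Timestamps of the SYNs the drop rule would act on, in arrival order."""
    ordered = sorted(syns, key=lambda e: e[1])
    return [t for src, t in ordered if rule.fires(src, t)]


if __name__ == "__main__":
    page = browser_page_load("192.0.2.10", 0.0, elements=100)     # 20 SYN/s
    flood = syn_flood("198.51.100.7", 0.0, per_second=200, seconds=1)
    for count in (5, 30):
        print(f"count {count:>2}: browser drops",
              dropped_syns(SynThreshold(count, 1), page),
              "flood drops", dropped_syns(SynThreshold(count, 1), flood))
```

With count 5 the legitimate client loses one SYN in every window of its page load, while count 30 leaves it untouched and still catches the 200 SYN/s flood on its 30th packet.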
