[Snort-users] Snort Inline

Xavier Cabrera xavierc at ...12882...
Mon Jun 6 14:44:58 EDT 2005


I put your line in my iptables... and it doesn't work... ICMP works fine for
me. Are there some other reasons you can think of?

Thanks...

Xavier C.

Victor Julien wrote:

>On Monday 06 June 2005 21:14, Xavier Cabrera wrote:
>  
>
>>Hello:
>>
>>Does anyone have a rule to stop a DoS attack on Apache with snort inline?
>>
>>I have this rule:
>>
>>drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC  Try
>>to stop http DOS Attack";  flags:S; threshold: type both, track by_src,
>>count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)
>>
>>and this on iptables table INPUT:
>>
>>QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
>>
>>    
>>
>
>Snort_inline needs to see the outgoing traffic as well, so add the following 
>iptables rule:
>'iptables -A OUTPUT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 80 -j QUEUE'
>
>Now it should work!
>
>Regards,
>Victor
>
>
>  
>
>>It seems to stop some connections:
>>
>>[**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
>>[Classification: Misc activity] [Priority: 3]
>>06/06-15:09:05.789134 213.168.19.34:3440 -> 207.58.187.4:80
>>TCP TTL:118 TOS:0x0 ID:34857 IpLen:20 DgmLen:48 DF
>>******S* Seq: 0x590907AD  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
>>TCP Options (4) => MSS: 1460 NOP NOP SackOK
>>
>>[**] [1:3000000:1] XavierC  Try to stop http DOS Attack [**]
>>[Classification: Misc activity] [Priority: 3]
>>06/06-15:09:05.926906 61.211.140.68:32966 -> 207.58.187.4:80
>>TCP TTL:117 TOS:0x0 ID:256 IpLen:20 DgmLen:44
>>******S* Seq: 0x17B00000  Ack: 0x0  Win: 0x4000  TcpLen: 24
>>TCP Options (1) => MSS: 1400
>>
>>
>>but when I try to make a real connection from a good IP I can't see the
>>website... and no log appears for the good IP!
>>
>>What could be happening?
>>
>>Thanks, everyone.
>>
>>Xavier C.
>>
>
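
Added example, not part of the original thread: a simplified Python model of the documented `threshold: type both, track by_src, count 5, seconds 1` behaviour from the rule quoted above, showing which matching SYNs generate an alert. The source addresses and timings are constructed, and the model covers event generation only, not whether snort_inline drops the packet.

```python
# Values taken from the rule quoted in the thread: count 5, seconds 1, track by_src.
COUNT = 5
SECONDS = 1.0


def threshold_both(packets, count=COUNT, seconds=SECONDS):
    """Return the (timestamp, src) pairs that generate an event.

    Simplified model of 'type both': per source, one event when the
    count-th match arrives inside the interval, then nothing more until
    the interval expires and a new one starts.
    """
    state = {}   # src -> [interval_start, matches_in_interval]
    events = []
    for ts, src in sorted(packets):
        window = state.get(src)
        if window is None or ts - window[0] >= seconds:
            window = state[src] = [ts, 0]    # start a new interval
        window[1] += 1
        if window[1] == count:               # exactly the count-th match
            events.append((ts, src))
    return events


def sample_packets():
    """Constructed input: documentation addresses, not taken from the thread."""
    # One source sending 20 SYNs per second for two seconds.
    flood = [(round(0.05 * i, 2), "192.0.2.10") for i in range(40)]
    # One source opening three connections, never 5 within a second.
    browser = [(0.10, "198.51.100.7"), (0.40, "198.51.100.7"),
               (1.30, "198.51.100.7")]
    return flood + browser


if __name__ == "__main__":
    for ts, src in threshold_both(sample_packets()):
        print(f"{ts:5.2f}s  event for {src}")
```

In this model the slow source never reaches the count inside one interval, so it produces no alert entry at all.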




