[Snort-users] [Emerging-Sigs] Creating Potential DOS HTTP sig

Kevin Ross kevross33 at ...14012...
Sun Jan 20 12:09:03 EST 2013


Oh sorry, missed that. Yes, don't use flow:established but still use
flow:to_server;.

The thing is, if you go with just matching all traffic in a short space of
time you will match everything from that source; even worse if users are
behind a NAT and all of them are using the site. Matching on individual
connections is better. Although if you are defending a website against DOS
and attacks you may be better off implementing the apache modules
mod_security and mod_evasive. These can be run on the server, but
mod_security can also be run as a reverse proxy.

https://modsecurity.org/

Regards,
Kevin

On 16 January 2013 18:16, PAURON, GUILLAUME (GUILLAUME) <
guillaume.pauron at ...14468...> wrote:

> Hello,
>
> Isn't flags:S contradictory with flow:established,to_server?
>
> I do not know which is better: detect the attempt with SYN ("flags S")
> or the established connections ("flow:established,to_server")
>
> Maybe it will be better for performance to use "flags S"?
>
> Regards,
>
>  ------------------------------
> *From:* Kevin Ross [mailto:kevross33 at ...14012...]
> *Sent:* Wednesday 16 January 2013 17:27
> *To:* PAURON, GUILLAUME (GUILLAUME); emerging-sigs at ...14333...
> *Subject:* Re: [Emerging-Sigs] Creating Potential DOS HTTP sig
>
> Depends what you are trying to detect. I take it you are trying to detect
> a lot of individual connections? If so you need to look for SYN for the new
> connection.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential
> DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; flags:S; threshold: type threshold, track by_src, count 400, seconds 10;
> sid:3000003; rev:1;)
>
>
> On 16 January 2013 13:07, PAURON, GUILLAUME (GUILLAUME) <
> guillaume.pauron at ...14468...> wrote:
>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential
>> DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; threshold:
>> type threshold, track by_src, count 400, seconds 10; sid:3000003; rev:1;)
>
>
>
>
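As an added illustration (not code from this thread or from Snort), here is a small Python model of the rule's `threshold: type threshold, track by_src, count 400, seconds 10` clause run over constructed SYN events. It shows Kevin's NAT point: twenty hosts sharing one NAT address trip the per-source threshold that none of them would trip individually, while a single host opening 1200 connections fires it repeatedly. The reset-on-expiry window is an assumption, a simplification of Snort's actual counter bookkeeping.

```python
from collections import defaultdict
from typing import List, Optional, Tuple


class SrcThreshold:
    """Model of 'threshold: type threshold, track by_src, count N, seconds S':
    alert on every N-th matching event from one source inside an S-second window.
    Assumption: the per-source window restarts once S seconds have elapsed."""

    def __init__(self, count: int, seconds: float) -> None:
        self.count = count
        self.seconds = seconds
        # src -> [window_start, hits_in_window]
        self._state = defaultdict(lambda: [None, 0])

    def observe(self, src: str, ts: float) -> bool:
        """Record one matching packet from src at time ts; True if it alerts."""
        state = self._state[src]
        if state[0] is None or ts - state[0] >= self.seconds:
            state[0], state[1] = ts, 0          # open a fresh window
        state[1] += 1
        if state[1] >= self.count:
            state[1] = 0                        # fire and start counting again
            return True
        return False


def syn_events(clients: int, conns_per_client: int, span_seconds: float,
               nat_ip: Optional[str] = None) -> List[Tuple[float, str]]:
    """Constructed sample traffic: each of `clients` hosts opens
    `conns_per_client` connections evenly spread over `span_seconds`.
    With nat_ip set, every host is seen as that single source address."""
    events = []
    for i in range(clients):
        src = nat_ip or f"192.0.2.{i + 1}"      # documentation range, constructed
        for j in range(conns_per_client):
            events.append((j * span_seconds / conns_per_client, src))
    events.sort()
    return events


def count_alerts(events: List[Tuple[float, str]],
                 count: int = 400, seconds: float = 10.0) -> int:
    """Replay events through the threshold and return how many alerts fire."""
    th = SrcThreshold(count, seconds)
    return sum(1 for ts, src in events if th.observe(src, ts))


if __name__ == "__main__":
    print("20 distinct hosts, 25 conns each:", count_alerts(syn_events(20, 25, 10.0)))
    print("same 20 hosts behind one NAT:   ",
          count_alerts(syn_events(20, 25, 10.0, nat_ip="203.0.113.5")))
    print("one host, 1200 conns in 10s:     ", count_alerts(syn_events(1, 1200, 10.0)))
```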