[Snort-users] [Emerging-Sigs] Creating Potential DOS HTTP sig

Russ Combs rcombs at ...1935...
Tue Jan 22 11:16:41 EST 2013


Also check README.filters.  It sounds like a rate_filter on 135:1 or 135:2
may do what you want.

On Sun, Jan 20, 2013 at 12:09 PM, Kevin Ross <kevross33 at ...14012...> wrote:

> Oh sorry, missed that. Yes, don't use flow:established but still use
> flow:to_server;.
>
> The thing is if you go with just matching all traffic in a short space of
> time you will match everything from that source; even worse if users are
> behind a NAT and all of them using site. Matching on individual connections
> is better. Although if you are defending a website against DOS and attacks
> you may be better implementing the apache modules mod_security and
> mod_evasive. This can be run on server but also for mod_security it can be
> run as a reverse proxy.
>
> https://modsecurity.org/
>
> Regards,
> Kevin
>
> On 16 January 2013 18:16, PAURON, GUILLAUME (GUILLAUME) <
> guillaume.pauron at ...14468...> wrote:
>
>> Hello,
>>
>> Isn't flags:S contradictory with flow:established,to_server?
>>
>> I do not know which is better: detecting the attempt with the SYN ("flags
>> S") or the established connections ("flow:established,to_server").
>>
>> Maybe it would be better for performance to use "flags S"?
>>
>> Regards,
>>
>>  ------------------------------
>> *De :* Kevin Ross [mailto:kevross33 at ...14012...]
>> *Envoyé :* mercredi 16 janvier 2013 17:27
>> *À :* PAURON, GUILLAUME (GUILLAUME); emerging-sigs at ...14333...
>> *Objet :* Re: [Emerging-Sigs] Creating Potential DOS HTTP sig
>>
>> Depends what you are trying to detect. I take it you are trying to detect
>> a lot of individual connections? If so you need to look for SYN for the new
>> connection.
>>
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential
>> DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; flags:S;
>> threshold: type threshold, track by_src, count 400, seconds 10;
>> sid:3000003; rev:1;)
>>
>>
>> On 16 January 2013 13:07, PAURON, GUILLAUME (GUILLAUME) <
>> guillaume.pauron at ...14468...> wrote:
>>
>>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential
>>> DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; threshold:
>>> type threshold, track by_src, count 400, seconds 10; sid:3000003; rev:1;)
>>
>>
>>
>>
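The thread turns on two per-source counters: Kevin's rule-level `threshold: type threshold, track by_src, count 400, seconds 10`, and the `rate_filter` on the stream5 events 135:1/135:2 that Russ points to in README.filters. The following is an added example, not code from this thread or from Snort, that models both counters in Python and runs them over a constructed SYN stream. The semantics are an approximation (window starts at the first counted event, counter restarts after each alert; `rate_filter` switches to `new_action` for `timeout` seconds); the source addresses come from the RFC 5737 documentation ranges and are constructed. Scenario (b) reproduces Kevin's caveat: 400 distinct clients behind one NAT address are counted together by `track by_src`, so the sensor cannot tell them apart from one aggressive host.

```python
#!/usr/bin/env python3
"""Model of Snort's per-source `threshold` and `rate_filter` counting, run over
constructed SYN events. Added example for this thread; it is not Snort code and
only approximates the semantics described in README.filters."""
from dataclasses import dataclass


@dataclass
class Syn:
    ts: float   # packet time in seconds (constructed)
    src: str    # source IP as the sensor sees it (constructed, RFC 5737 ranges)


class SourceThreshold:
    """Approximates `threshold: type threshold, track by_src, count N, seconds T`:
    fires on every N-th event from a source inside a T-second window. The window
    starts at the first counted event and restarts once it has expired."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self._state = {}  # src -> (window_start, events_in_window)

    def event(self, src, ts):
        start, n = self._state.get(src, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a new one
            start, n = ts, 0
        n += 1
        fired = n >= self.count
        if fired:
            n = 0                        # counter restarts after each alert
        self._state[src] = (start, n)
        return fired


class RateFilter:
    """Approximates `rate_filter ... track by_src, count N, seconds T,
    new_action drop, timeout X`: once a source exceeds the rate, its events get
    `new_action` for X seconds instead of the rule's own action, then revert."""

    def __init__(self, count, seconds, timeout, new_action="drop"):
        self._thr = SourceThreshold(count, seconds)
        self.timeout, self.new_action = timeout, new_action
        self._until = {}  # src -> time at which new_action stops applying

    def action(self, src, ts, base_action="alert"):
        if ts < self._until.get(src, float("-inf")):
            return self.new_action
        if self._thr.event(src, ts):
            self._until[src] = ts + self.timeout
            return self.new_action
        return base_action


def build_events():
    """Constructed SYN stream with three sources."""
    ev = []
    # (a) one host opens 400 connections in 2 s
    ev += [Syn(0.005 * i, "192.0.2.10") for i in range(400)]
    # (b) 400 different clients behind one NAT address, one connection each over
    #     8 s: the sensor sees a single source IP, so by_src counts them together
    ev += [Syn(0.02 * i, "203.0.113.9") for i in range(400)]
    # (c) an ordinary client: 30 connections over 10 s
    ev += [Syn(i / 3, "198.51.100.7") for i in range(30)]
    return sorted(ev, key=lambda e: e.ts)


def count_alerts(events, count=400, seconds=10):
    """Alerts per source for the thread's rule: count 400, seconds 10, by_src."""
    thr = SourceThreshold(count, seconds)
    alerts = {}
    for e in events:
        if thr.event(e.src, e.ts):
            alerts[e.src] = alerts.get(e.src, 0) + 1
    return alerts


def rate_filter_actions(src="192.0.2.10", count=100, seconds=1, timeout=10):
    """One aggressive source (400 SYNs in 2 s, then a SYN at t=15 s) through a
    rate_filter; returns (alerts, drops, action once the timeout has passed)."""
    rf = RateFilter(count, seconds, timeout)
    actions = [rf.action(src, 0.005 * i) for i in range(400)]
    later = rf.action(src, 15.0)
    return actions.count("alert"), actions.count("drop"), later


if __name__ == "__main__":
    print(count_alerts(build_events()))   # {'192.0.2.10': 1, '203.0.113.9': 1}
    print(rate_filter_actions())          # (99, 301, 'alert')
```

Both (a) and (b) trip the 400-in-10-seconds threshold exactly once while the ordinary client never does, which is the point of Kevin's NAT remark: the counter is keyed on the address the sensor sees, not on the client behind it. The `rate_filter` run shows what Russ's suggestion buys over a plain threshold: after the 100th SYN within a second the source's remaining 300 packets get the new action for the timeout period, and once the timeout has passed the rule's own action applies again.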