Snort mailing list archives
Re: Snort Signature based on time
From: Jason <security () brvenik com>
Date: Tue, 17 Sep 2002 18:49:29 -0400
This capability was added on 8/26 by the looks of the changelog:

    2002-08-26 mfr <roesch () sourcefire com>
    * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
      added thresholds to snort rules language, docs to come

I haven't had a chance to check it out and there are no docs on it yet, but the basic capability should be there to do just what you are looking for.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/threshold.c?rev=1.1&content-type=text/vnd.viewcvs-ma

From there, it looks like the rule option for you would look like:

    threshold:5,ip

You could also do it by event or port. The blocking part can be taken up as a react or resp, or you can do the firewall reconfig stuff, but the list will happily speak to the dangers there.

Jason

Ellis Corey wrote:

> Hi,
>
> I would like to know how to write a signature to catch the following scenario:
> a user sending multiple valid HTTP requests to a web server from the same IP in
> a given time frame (say 20 identical requests in 5 secs). I want to block this
> IP if this scenario happens.
>
> I have a string I can look for in the HTTP header also: "WebRegistration". We
> are getting bombarded by user WebRegistrations from this one user. When you
> block his IP, he just switches it and uses another one.
>
> I want to see if Snort can automate this detection and block the requests on
> the fly. Can it be done?
>
> Thanks
-------------------------------------------------------
This SF.NET email is sponsored by: AMD - Your access to the experts on Hammer Technology!
Open Source & Linux Developers, register now for the AMD Developer Symposium.
Code: EX8664 http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
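The `threshold:5,ip` form above is Jason's reading of the then-undocumented CVS code. As later documented for Snort 2.x the rule option took the form `threshold: type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <s>;`, so the scenario in the thread maps to `type both, track by_src, count 20, seconds 5` on a rule whose `content:` is "WebRegistration". The following is an added example, not Snort's threshold.c and not code from anyone in this thread: it reimplements those three counting modes in Python and runs them over a constructed request log that reproduces the poster's situation, including the attacker switching source IP part-way through. Log format, addresses and function names are assumptions made for the example.

```python
"""Per-source event thresholding in the style of Snort's `threshold` rule
option, run over a constructed HTTP request log.

Added example, not Snort's threshold.c.  It reimplements the counting modes
later documented for Snort 2.x (limit / threshold / both, track by_src or
by_dst, count N, seconds S) so a rule like "20 WebRegistration requests from
one source in 5 seconds" can be traced without a sensor.  Log format,
addresses and names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class _Window:
    start: float = 0.0   # timestamp of the first event in the current window
    count: int = 0       # matching events seen in the current window


class Threshold:
    """Simplified counting semantics of the Snort threshold option.

    limit:     alert on the first `count` events per window, then suppress.
    threshold: alert every `count` events (counter restarts after an alert).
    both:      alert once per window, when the `count`-th event arrives.
    """

    def __init__(self, kind, count, seconds, track="by_src"):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(kind)
        if track not in ("by_src", "by_dst"):
            raise ValueError(track)
        self.kind, self.count, self.seconds, self.track = kind, count, seconds, track
        self._windows = defaultdict(_Window)   # keyed by tracked address

    def check(self, ts, src, dst):
        """Record one matching event; return True if it should raise an alert."""
        key = src if self.track == "by_src" else dst
        w = self._windows[key]
        if w.count == 0 or ts - w.start >= self.seconds:
            w.start, w.count = ts, 0           # open a fresh window
        w.count += 1
        if self.kind == "limit":
            return w.count <= self.count
        if self.kind == "threshold":
            if w.count >= self.count:
                w.count = 0                    # next alert needs `count` more events
                return True
            return False
        return w.count == self.count           # both


def content_match(request_line, content="WebRegistration"):
    """Stand-in for the rule's content: option (Snort does a byte search)."""
    return content in request_line


def run_rule(log, threshold, content="WebRegistration"):
    """Apply content match plus threshold to a log; return (ts, src) alerts."""
    alerts = []
    for ts, src, dst, request_line in sorted(log, key=lambda r: r[0]):
        if content_match(request_line, content) and threshold.check(ts, src, dst):
            alerts.append((ts, src))
    return alerts


def build_sample_log():
    """Constructed traffic: one client hammers /WebRegistration, changes IP, repeats."""
    server = "198.51.100.10"
    log = []
    for i in range(22):                        # 22 requests in 4.2 s from the first IP
        log.append((1000.0 + i * 0.2, "10.0.0.5", server, "POST /WebRegistration HTTP/1.0"))
    log.append((1001.0, "192.0.2.9", server, "GET /index.html HTTP/1.0"))       # benign
    log.append((1002.0, "192.0.2.9", server, "GET /WebRegistration HTTP/1.0"))  # one legit signup
    for i in range(22):                        # same burst after the IP switch
        log.append((1010.0 + i * 0.2, "10.0.0.6", server, "POST /WebRegistration HTTP/1.0"))
    return log


def demo():
    """Run the thread's scenario under several threshold settings."""
    log = build_sample_log()
    return {
        # what the poster asked for: one alert per source per 5 s burst
        "both": run_rule(log, Threshold("both", count=20, seconds=5)),
        # an alert every 10th request from a source
        "threshold": run_rule(log, Threshold("threshold", count=10, seconds=5)),
        # only the first matching request per source per window (low-noise logging)
        "limit": run_rule(log, Threshold("limit", count=1, seconds=5)),
        # count per destination instead: survives the attacker's IP change
        "both_by_dst": run_rule(log, Threshold("both", count=20, seconds=5, track="by_dst")),
    }


if __name__ == "__main__":
    for kind, alerts in demo().items():
        print(kind, [(round(ts, 1), src) for ts, src in alerts])
```

With `track by_src` the counter for 10.0.0.6 starts from zero after the IP switch, so the second burst is only caught once it has itself reached 20 requests; that is exactly the gap the poster describes. Tracking `by_dst` (the last entry in `demo()`) counts every source hitting the registration page together and fires earlier, at the cost of attributing a shared burst to whichever client happened to send the 20th request, so any automatic blocking driven from it needs the source address checked separately before it is acted on.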
Current thread:
- Snort Signature based on time Ellis Corey (Sep 17)
- Re: Snort Signature based on time Jason (Sep 17)
- Re: Snort Signature based on time twig les (Sep 18)
- Re: Snort Signature based on time Jason (Sep 18)
- Re: Snort Signature based on time twig les (Sep 18)
- Re: Snort Signature based on time Jason (Sep 17)