Snort mailing list archives
Re: Snort Sigature based on time
From: Jason <security () brvenik com>
Date: Wed, 18 Sep 2002 16:18:58 -0400
Instead of blocking and causing a DoS to yourself, snort can send resets to the specific connection once identified or send back a denied content page. Identifying the abuser should be possible with thresholding. This happens once or twice and I would expect them to give up or slow down considerably.
twig les wrote:
> We've gone thru this scenario at my work with Netrangers (they can update Cisco acls). We don't like it. Basically it can work if you have a bleed-off period (like BGP flaps) and a list of IPs that can never be blocked (root nameservers for example). Still, it's possible to DoS yourself.
>
> --- Jason <security () brvenik com> wrote:
>> This capability was added on 8/26 by the looks of the changelog.
>>
>> 2002-08-26 mfr <roesch () sourcefire com>
>>   * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
>>     added thresholds to snort rules language, docs to come
>>
>> I haven't had a chance to check it out and there are no docs on it yet but the basic capability should be there to do just what you are looking for.
>>
>> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/threshold.c?rev=1.1&content-type=text/vnd.viewcvs-ma
>>
>> from there looks like this as a rule option for you would look like
>>
>> threshold:5,ip
>>
>> you could also do it by event or port. the blocking part can be taken up as a react or resp or you can do the firewall reconfig stuff but the list will happily speak to the dangers there.
>>
>> Jason
>>
>> Ellis Corey wrote:
>>> Hi, I would like to know how to write a signature to catch the following scenario: a user sending multiple valid HTTP requests to a webserver from the same IP in a given time frame (say 20 identical requests in 5 secs). I want to block this ip, if this scenario happens. I have a string I can look for in the HTTP header also "WebRegistration". We are getting bombarded by user WebRegistrations from this one user. When you block his ip, he just switches it, and uses another one. I want to see if Snort can automate this detection and block the requests on the fly. Can it be done?
>>>
>>> Thanks
>
> =====
> -----------------------------------------------------------
> Heavy metal made me do it.
> -----------------------------------------------------------
------------------------------------------------------- This SF.NET email is sponsored by: AMD - Your access to the experts on Hammer Technology! Open Source & Linux Developers, register now for the AMD Developer Symposium. Code: EX8664 http://www.developwithamd.com/developerlab _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
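The by-source threshold the thread is talking about (20 WebRegistration requests from one IP inside 5 seconds, with a never-block list as twig les suggests) as an added Python model of the detection logic; this is not Snort's threshold code and not anything posted in the thread. The event sample, the SourceThreshold class and the NEVER_BLOCK addresses are constructed for illustration; the sample also includes the IP switch the original poster describes, so each new source has to trip the threshold on its own.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample of web-server request events: (timestamp_seconds, source_ip, request_line).
# Not real traffic; "WebRegistration" is the string the original poster said he could match on.
SAMPLE_EVENTS: List[Tuple[float, str, str]] = (
    [(100.0 + i * 0.2, "203.0.113.7", "POST /WebRegistration HTTP/1.0") for i in range(20)]   # 20 hits in 4 s
    + [(100.0 + i * 1.0, "198.51.100.9", "POST /WebRegistration HTTP/1.0") for i in range(6)]  # slow, normal use
    + [(105.0 + i * 0.2, "203.0.113.8", "POST /WebRegistration HTTP/1.0") for i in range(20)]  # abuser on a new IP
)

# Hypothetical never-block list (placeholder address): sources that must never trip the threshold.
NEVER_BLOCK = {"192.0.2.53"}


class SourceThreshold:
    """Sliding-window count of matching events per source IP: fire at COUNT hits within SECONDS."""

    def __init__(self, count: int, seconds: float, match: str) -> None:
        self.count, self.seconds, self.match = count, seconds, match
        self.windows: Dict[str, Deque[float]] = defaultdict(deque)

    def feed(self, ts: float, src: str, request: str) -> Optional[str]:
        """Return src when its window reaches the threshold, else None."""
        if self.match not in request or src in NEVER_BLOCK:
            return None
        window = self.windows[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:  # drop hits older than the window
            window.popleft()
        if len(window) >= self.count:
            window.clear()  # alert once, then require a fresh run of COUNT hits before alerting again
            return src
        return None


def find_abusers(events, count=20, seconds=5.0, match="WebRegistration") -> List[str]:
    """Run the threshold over a list of events; return the source IPs that tripped it, in order."""
    tracker = SourceThreshold(count, seconds, match)
    hits: List[str] = []
    for ts, src, req in sorted(events):
        tripped = tracker.feed(ts, src, req)
        if tripped:
            hits.append(tripped)
    return hits


if __name__ == "__main__":
    print(find_abusers(SAMPLE_EVENTS))  # ['203.0.113.7', '203.0.113.8']
```

Feeding an alert into a firewall reconfiguration is where the self-DoS risk discussed above comes in; the never-block set and the one-alert-per-run behaviour are the two safeguards this model keeps.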
Current thread:
- Snort Sigature based on time Ellis Corey (Sep 17)
- Re: Snort Sigature based on time Jason (Sep 17)
- Re: Snort Sigature based on time twig les (Sep 18)
- Re: Snort Sigature based on time Jason (Sep 18)
- Re: Snort Sigature based on time twig les (Sep 18)
- Re: Snort Sigature based on time Jason (Sep 17)