Snort mailing list archives

Re: [Emerging-Sigs] Creating Potential DOS HTTP sig


From: Kevin Ross <kevross33 () googlemail com>
Date: Sun, 20 Jan 2013 17:09:03 +0000

Oh sorry, missed that. Yes, don't use flow:established but still use
flow:to_server;.

The thing is, if you go with just matching all traffic in a short space of
time, you will match everything from that source; even worse if users are
behind a NAT and all of them are using the site. Matching on individual
connections is better. Although if you are defending a website against DOS
and attacks you may be better off implementing the Apache modules
mod_security and mod_evasive. These can be run on the server, but
mod_security can also be run as a reverse proxy.

https://modsecurity.org/

Regards,
Kevin
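The two effects discussed above (SYN-only matching counts new connections rather than every packet, and a by_src threshold lumps every user behind one NAT address together) can be seen by simulating the rule's threshold over some traffic. This is an added example, not code from the thread or from Snort; it models Snort 2.x "type threshold, track by_src" semantics (the per-source window restarts when it expires or when an alert fires), which is an assumption about Snort's behaviour, and the packet records are constructed for the demonstration.

```python
"""Simulate the thread's rule:
  flags:S; threshold: type threshold, track by_src, count 400, seconds 10;
over constructed TCP records, with and without the SYN restriction."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src dst dport flags")

# Stand-ins for $HTTP_SERVERS / $HTTP_PORTS (constructed values).
HTTP_SERVERS = {"10.0.0.5"}
HTTP_PORTS = {80, 443}


def matches_rule(p, require_syn=True):
    """Header/flow part of the rule: traffic to an HTTP server port.
    With require_syn (flags:S) only the first packet of a connection
    counts; without it every packet of an established session counts."""
    if p.dst not in HTTP_SERVERS or p.dport not in HTTP_PORTS:
        return False
    return p.flags == "S" if require_syn else True


class BySrcThreshold:
    """Approximation (assumed) of Snort 2.x 'type threshold, track by_src':
    fire once every `count` matching packets from one source within
    `seconds`; the window restarts on expiry and after each alert."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits]

    def check(self, p):
        st = self.state.get(p.src)
        if st is None or p.ts - st[0] > self.seconds:
            st = [p.ts, 0]          # new time window for this source
            self.state[p.src] = st
        st[1] += 1
        if st[1] >= self.count:
            self.state[p.src] = [p.ts, 0]  # alert fired, restart window
            return True
        return False


def run(packets, count=400, seconds=10, require_syn=True):
    """Return (timestamp, src) for every alert the rule would raise."""
    thr = BySrcThreshold(count, seconds)
    return [(p.ts, p.src) for p in packets
            if matches_rule(p, require_syn) and thr.check(p)]


def constructed_traffic():
    """Constructed sample: an office NAT address carrying 50 users who each
    open 10 connections in 10 s, and a single home user who opens 30
    connections and then sends keep-alive data on them."""
    pkts = []
    for i in range(500):
        pkts.append(Pkt(i * 0.02, "203.0.113.10", "10.0.0.5", 80, "S"))
    for i in range(30):
        pkts.append(Pkt(i * 0.3, "198.51.100.7", "10.0.0.5", 80, "S"))
    for i in range(500):
        pkts.append(Pkt(i * 0.02, "198.51.100.7", "10.0.0.5", 80, "PA"))
    pkts.sort(key=lambda p: p.ts)  # stable sort keeps per-source order
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    # SYN-only: only the NAT address crosses 400 new connections in 10 s.
    print("flags:S      ->", run(traffic))
    # All packets: the home user's data packets also trip the threshold.
    print("all packets  ->", run(traffic, require_syn=False))
```

With flags:S only the NAT address alerts (one alert, after its 400th SYN), which is the NAT false positive Kevin warns about; drop the SYN restriction and the single home user with 30 connections alerts too, because every packet of the established sessions is counted.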

On 16 January 2013 18:16, PAURON, GUILLAUME (GUILLAUME) <
guillaume.pauron () alcatel-lucent com> wrote:

Hello,

Is flags:S not contradictory with flow:established,to_server?

I do not know which is better: detecting the attempt with SYN ("flags S")
or the established connections ("flow:established,to_server").

Maybe it would be better for performance to use "flags S"?

Regards,

 ------------------------------
*From:* Kevin Ross [mailto:kevross33 () googlemail com]
*Sent:* Wednesday, 16 January 2013 17:27
*To:* PAURON, GUILLAUME (GUILLAUME); emerging-sigs () emergingthreats net
*Subject:* Re: [Emerging-Sigs] Creating Potential DOS HTTP sig

Depends on what you are trying to detect. I take it you are trying to detect
a lot of individual connections? If so, you need to look for the SYN of the
new connection.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential
DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; flags:S;
threshold: type threshold, track by_src, count 400, seconds 10;
sid:3000003; rev:1;)


On 16 January 2013 13:07, PAURON, GUILLAUME (GUILLAUME) <
guillaume.pauron () alcatel-lucent com> wrote:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential
DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; threshold:
type threshold, track by_src, count 400, seconds 10; sid:3000003; rev:1;)



