Snort mailing list archives
Re: [Emerging-Sigs] Creating Potential DOS HTTP sig
From: Kevin Ross <kevross33 () googlemail com>
Date: Sun, 20 Jan 2013 17:09:03 +0000
Oh sorry, missed that. Yes, don't use flow:established, but still use flow:to_server. The thing is, if you go with just matching all traffic in a short space of time you will match everything from that source; even worse if users are behind a NAT and all of them are using the site. Matching on individual connections is better. Although if you are defending a website against DOS and attacks you may be better off implementing the Apache modules mod_security and mod_evasive. These can be run on the server, but mod_security can also be run as a reverse proxy. https://modsecurity.org/

Regards,
Kevin

On 16 January 2013 18:16, PAURON, GUILLAUME (GUILLAUME) <guillaume.pauron () alcatel-lucent com> wrote:
Hello,

Is flags:S not contradictory with flow:established,to_server? I do not know which is better: detecting the attempt with SYN ("flags:S") or the established connections ("flow:established,to_server"). Maybe it will be better for performance to use "flags:S"?

Regards,

From: Kevin Ross [mailto:kevross33 () googlemail com]
Sent: Wednesday 16 January 2013 17:27
To: PAURON, GUILLAUME (GUILLAUME); emerging-sigs () emergingthreats net
Subject: Re: [Emerging-Sigs] Creating Potential DOS HTTP sig

Depends what you are trying to detect. I take it you are trying to detect a lot of individual connections? If so you need to look for SYN for the new connection.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; flags:S; threshold: type threshold, track by_src, count 400, seconds 10; sid:3000003; rev:1;)

On 16 January 2013 13:07, PAURON, GUILLAUME (GUILLAUME) <guillaume.pauron () alcatel-lucent com> wrote:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Potential DOS : Unusually Fast HTTP Attempt"; flow:established,to_server; threshold: type threshold, track by_src, count 400, seconds 10; sid:3000003; rev:1;)
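The two points argued in this thread (a bare SYN can never satisfy flow:established, and track by_src counts a whole NAT gateway as one source) can be checked offline. The following Python script is an added illustration, not code from the thread or from the Snort project. It replays constructed SYN traffic from three sources through a simplified model of Snort's "threshold: type threshold, track by_src, count 400, seconds 10" option; the reset-on-alert behaviour and window handling are an approximation of Snort's thresholding, and the source addresses, timings and the "established" field on each event are invented for the example.

```python
"""Replay constructed SYN traffic through a model of the thread's Snort rule.

Added example; the threshold model approximates Snort's
'threshold: type threshold, track by_src, count N, seconds S' semantics:
per source, count matching events in an S-second window and raise an
alert on every N-th one (resetting the counter after each alert).
"""
from collections import defaultdict

# TCP flag bits as Snort sees them (subset).
SYN = 0x02
ACK = 0x10


def matches_rule(pkt, require_established):
    """Apply the rule's packet options.

    flags:S in Snort matches packets whose only flag is SYN.
    flow:established requires the three-way handshake to have completed;
    a bare SYN is by definition pre-establishment, so combining the two
    options means the rule can never fire.
    """
    if pkt["flags"] != SYN:
        return False
    if require_established and not pkt["established"]:
        return False
    return True


class Threshold:
    """Simplified per-source 'type threshold' counter."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> (window_start, events_in_window)

    def observe(self, src, ts):
        """Record one matching event; return True when an alert is due."""
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a new one
            start, n = ts, 0
        n += 1
        if n >= self.count:  # N-th hit inside the window: alert and reset
            self.state[src] = (ts, 0)
            return True
        self.state[src] = (start, n)
        return False


def run(events, count=400, seconds=10, require_established=False):
    """Return {src: number_of_alerts} for the given events."""
    th = Threshold(count, seconds)
    alerts = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if matches_rule(e, require_established) and th.observe(e["src"], e["ts"]):
            alerts[e["src"]] += 1
    return dict(alerts)


def build_events():
    """Constructed traffic (all addresses and timings are made up)."""
    ev = []
    # Attacker: 1000 connection attempts in 5 seconds.
    for i in range(1000):
        ev.append({"src": "203.0.113.7", "ts": i * 0.005, "flags": SYN, "established": False})
    # NAT gateway: 50 users each opening 10 connections over 8 seconds,
    # which track by_src sees as 500 SYNs from a single address.
    for i in range(500):
        ev.append({"src": "198.51.100.1", "ts": i * 0.016, "flags": SYN, "established": False})
    # Ordinary client: 20 connections over 10 seconds, each followed by
    # data on the established stream.
    for i in range(20):
        ev.append({"src": "192.0.2.5", "ts": i * 0.5, "flags": SYN, "established": False})
        ev.append({"src": "192.0.2.5", "ts": i * 0.5 + 0.1, "flags": ACK, "established": True})
    return ev


if __name__ == "__main__":
    events = build_events()
    print("flags:S + flow:to_server        ->", run(events))
    print("flags:S + flow:established      ->", run(events, require_established=True))
```

With flow:to_server only, the attacker trips the threshold twice and the NAT gateway once, which is the false-positive case Kevin describes; with flow:established added, no SYN ever matches and the rule is silent for every source.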
Current thread:
- Re: [Emerging-Sigs] Creating Potential DOS HTTP sig Kevin Ross (Jan 20)
- Re: [Emerging-Sigs] Creating Potential DOS HTTP sig Russ Combs (Jan 22)