Re: HTTP Get Flood

["Al Lewis (allewi)" <allewi () cisco com>]

Hello,

                Thanks for that log but can you provide the traffic in PCAP format so that it can replayed/ tested 
against?


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Mohammad Rastgoo [mailto:mohammad () synapti ca]
Sent: Sunday, February 15, 2015 11:03 AM
To: Al Lewis (allewi)
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] HTTP Get Flood

Hi,

This is it:
Srv

PID

Acc

M

CPU

SS

Req

Conn

Child

Slot

Client

VHost

Request

0-1

21953

0/75/3739

_

0.87

3

128

0

0.28

42.46

92.50.31.242

www.domain.com:80<http://www.domain.com:80>

GET /moon HTTP/1.1

1-May

21977

1/39/3034

K

0.98

9

93

0.7

0.31

36.24

92.50.31.242

www.domain.com:80<http://www.domain.com:80>

GET /moon HTTP/1.1

13-1

21241

0/168/3311

_

2.17

2

130

0

0.41

45.39

46.209.70.74

www.domain.com:80<http://www.domain.com:80>

GET /moon HTTP/1.1

15-1

22114

########

K

0.18

11

93

0.7

0.05

20.92

46.209.70.74

www.domain.com:80<http://www.domain.com:80>

GET /moon HTTP/1.1

16-1

22186

0/14/3072

_

0.63

11

88

0

0.1

32.13

46.209.70.74

www.domain.com:80<http://www.domain.com:80>

GET /moon HTTP/1.1

19-1

20925

0/114/2514

_

2.49

12

88

0

0.35

30.51

46.209.70.74

www.domain.com:80<http://www.domain.com:80>

GET /moon HTTP/1.1

20-1

22275

0/3/3303

_

0.3

5

129

0

0.02

31.76

46.209.13.250

www.domain.com:80<http://www.domain.com:80>

GET /moon HTTP/1.1



On Sun, Feb 15, 2015 at 9:00 AM, Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>> wrote:
Hello,

                Can you provide a sample of the rule/conf you are trying to use as well as a pcap of the offending 
traffic?

The section on uricontent is here: http://manual.snort.org/node32.html#SECTION004523000000000000000

Make sure you are not trying to match on content before its normalized as listed in the manual:

“The uricontent keyword in the Snort rule language searches the NORMALIZED request URI field. This is equivalent to 
using the http_uri modifier to a content keyword. As such if you are writing rules that include things that are 
normalized, such as %2f or directory traversals, these rules will not alert.”


Hope this helps.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112<tel:443.430.7112>
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Mohammad Rastgoo [mailto:mohammad () synapti ca<mailto:mohammad () synapti ca>]
Sent: Saturday, February 14, 2015 7:42 PM
To: snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] HTTP Get Flood


Hi,
Thanks for reading this.
My site has been receiving attacks for a while now and I've been able to stop them using snort + pfsense. Most of them 
were stopped just by using uri-content in the rule.
Today I've been receiving Get attacks on the main page. It really seems too simple but any rule I have tried has not 
blocked any IP addresses.
Would someone please guide me to the right direction?

Thanks



--
Mohammad Rastgoo
Founder & CEO

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!