Snort mailing list archives

Re: Detecting benchmarks


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 8 May 2002 14:14:08 -0700 (PDT)

On Wed, 8 May 2002, Pawel Rogocz wrote:

> I need to be able to detect when a load generator is used against my site.
> Let's say someone runs Apache Benchmark or a similar tool.
> Which processor should I use?
> The portscan module does not seem to be picking up these types of
> attacks ... (at least not in v 1.8.1)

First things first:  Get to the most current stable version 1.8.6.  1.8.7 is
in the second round of beta testing and is very stable, but not 'released'
yet.

Second:  Define what you really want.  "The portscan module does not seem to
be picking up these types of attacks"--What types of attacks?  From what?
From where?  To where?  There's a ton of questions to be considered here...

From what I'm reading between the lines:  You want to know if someone uses the
Apache Benchmark tool to run "beat" on your site.  If that's the case,
download the tool, run it on your server while dumping the packets, and then
see if there is a common signature that you could build a rule for.

Hope that helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
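
Added example, not part of the original message: one way to carry out the "dump the packets and look for a common signature" step. It compares HTTP requests captured while the tool ran against ordinary traffic and turns the distinguishing header into a candidate rule. The payloads, the User-Agent value, the host name, the sid and the use of $EXTERNAL_NET / $HTTP_SERVERS are constructed assumptions; your own capture decides the real string.

```python
# Constructed sample payloads (not real captures). TOOL holds requests seen
# while the load generator ran; BASELINE holds ordinary browser requests.
TOOL = [
    b"GET / HTTP/1.0\r\nUser-Agent: ApacheBench/1.3d\r\n"
    b"Host: www.example.test\r\nAccept: */*\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nUser-Agent: ApacheBench/1.3d\r\n"
    b"Host: www.example.test\r\nAccept: */*\r\n\r\n",
]
BASELINE = [
    b"GET / HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n"
    b"Host: www.example.test\r\nAccept: */*\r\n\r\n",
]

def header_lines(payload):
    """Return the set of header lines in one request (request line dropped)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    return set(head.split(b"\r\n")[1:])

def common_signature(tool, baseline):
    """Header lines present in every tool request and in no baseline request."""
    in_every_tool_request = set.intersection(*(header_lines(p) for p in tool))
    seen_in_normal_traffic = set().union(*(header_lines(p) for p in baseline))
    return sorted(in_every_tool_request - seen_in_normal_traffic)

def snort_content(raw):
    """Encode bytes for a Snort content option; special chars become |hex|."""
    out = []
    for b in raw:
        if chr(b) in ':;"\\|' or not 32 <= b < 127:
            out.append("|%02X|" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def build_rule(line, sid=1000001):
    """Candidate rule; sid is a placeholder from the local-rules range."""
    return ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
            '(msg:"Load generator request"; content:"%s"; nocase; '
            'sid:%d; rev:1;)' % (snort_content(line), sid))

if __name__ == "__main__":
    for line in common_signature(TOOL, BASELINE):
        print(build_rule(line))
```

A header that also appears in the baseline (Host and Accept here) is dropped, which is what keeps the candidate rule from firing on normal visitors.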

