Snort mailing list archives
Re: Detecting benchmarks
From: "Pawel Rogocz" <pawel () rogocz com>
Date: Wed, 8 May 2002 20:47:03 -0700
Erek, let's put it this way: if someone sends me 1000+ HTTP requests from the same IP in one minute, I would like to know about it. Can one of Snort's modules generate an alert when something like this happens? I do not care about signatures of the attack. These requests might be valid HTTP requests. There are plenty of broken proxy servers out there. What I am concerned with is the number of these requests.

I would imagine the portscan module could trigger an alert upon seeing 1000+ SYN packets going to the same IP/port in a very short time ...

cheers,
Pawel

----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Pawel Rogocz" <pawel () rogocz com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, May 08, 2002 2:14 PM
Subject: Re: [Snort-users] Detecting benchmarks

> On Wed, 8 May 2002, Pawel Rogocz wrote:
>
> > I need to be able to detect when a load generator is used against my site. Let's say someone runs Apache Benchmark or a similar tool. Which processor should I use? The portscan module does not seem to be picking up these types of attacks .... (at least not in v 1.8.1)
>
> First things first: Get to the most current stable version 1.8.6. 1.8.7 is in the second round of beta testing and is very stable, but not 'released' yet.
>
> Second: Define what you really want. "The portscan module does not seem to be picking up these types of attacks"--What types of attacks? From what? From where? To where? There's a ton of questions to be considered here...
>
> From what I'm reading between the lines: You want to know if someone uses the Apache Benchmark tool to run "beat" on your site. If that's the case, download the tool, run it on your server while dumping the packets, and then see if there is a common signature that you could build a rule for.
>
> Hope that helps some!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
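The rate-based check Pawel asks for, written as an added example that is not from the thread or from Snort: a sliding-window counter over constructed HTTP request log lines (the `timestamp ip method path` format and all IPs are made up here) that alerts on any client exceeding 1000 requests in a 60-second window, whatever the requests contain.

```python
"""Sliding-window request-rate detector (added example; constructed log format).

Flags a client IP that issues more than THRESHOLD requests within any
WINDOW_SECONDS span, regardless of whether the requests are valid HTTP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 60
THRESHOLD = 1000  # "1000+ HTTP requests from the same IP in one minute"


def parse_line(line):
    """Parse a constructed 'ISO-timestamp src_ip METHOD path' line into (epoch, ip)."""
    ts, ip, _method, _path = line.split(" ", 3)
    epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
    return epoch, ip


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return (ip, epoch) alerts: at most one per IP per burst.

    A per-IP deque keeps request times inside the trailing window. Once it
    grows past the threshold an alert fires and the deque is cleared, so a
    sustained flood yields one alert per window rather than one per request.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        now, ip = parse_line(line)
        q = recent[ip]
        q.append(now)
        while q and now - q[0] > window:  # expire times that left the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((ip, now))
            q.clear()
    return alerts


def constructed_log(ip, start, count, spacing):
    """Synthesize `count` request lines from `ip`, `spacing` seconds apart (test data)."""
    base = datetime.fromisoformat(start)
    return [f"{(base + timedelta(seconds=i * spacing)).isoformat()} {ip} GET /index.html"
            for i in range(count)]


if __name__ == "__main__":
    flood = constructed_log("10.0.0.5", "2002-05-08T20:47:03", 1200, 0.04)  # 1200 in 48 s
    normal = constructed_log("192.0.2.7", "2002-05-08T20:47:03", 50, 1.0)   # 50 in 50 s
    for ip, when in detect_bursts(flood + normal):
        print(f"ALERT {ip} exceeded {THRESHOLD} requests / {WINDOW_SECONDS}s at {when:.0f}")
```

The same 1200 requests spread over two minutes never hold more than about 600 in one window and stay silent, which is the distinction between a benchmark run and a busy proxy that signature matching alone cannot make.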