Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Detecting benchmarks

From: "Pawel Rogocz" <pawel () rogocz com>
Date: Wed, 8 May 2002 20:47:03 -0700
Erek,

let's put it this way: If someone sends me 1000+ http requests from the same
IP
in one minute I would like to know about it.
Can one of snort's modules generate alert when something like this happens ?
I do not care about signatures of the attack. These requests might be valid
HTTP requests. There is plenty of broken proxy servers out there. What I am
concerned with,  is the number of these requests. I would imagine the
portscan
module could trigger an alert upon seeing 1000+ SYN packets going to the
same IP/port
in a very short time ...

cheers,

Pawel





----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Pawel Rogocz" <pawel () rogocz com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, May 08, 2002 2:14 PM
Subject: Re: [Snort-users] Detecting benchmarks



On Wed, 8 May 2002, Pawel Rogocz wrote:


I need to be able to detect when a load generator is used against my

site.

Let's say someone runs Apache Benchmark or a similar tool.
Which processor should I use ?
The portscan module does not seem to be picking up these types of
attacks .... ( at least not in v 1.8.1 )


First things first:  Get to the most current stable version 1.8.6.  1.8.7

is

in the second round of beta testing and is very stable, but not 'released'
yet.

Second:  Define what you really want.  "The portscan module does not seem

to

be picking up these types of attacks"--What types of attacks?  From what?

From where?  To where?  There's a ton of questions to be considered

here...



From what I'm reading between the lines:  You want to know if someone

uses the

Apache Benchmark tool to run "beat" on your site.  If that's the case,
download the tool, run it on your server while dumping the packets, and

then

see if there is a common signature that you could build a rule for.

Hope that helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: