Re: Detecting benchmarks

[Erek Adams <erek () theadamsfamily net>]

On Wed, 8 May 2002, Pawel Rogocz wrote:

> let's put it this way: If someone sends me 1000+ http requests from the same
> IP in one minute I would like to know about it.

Certes.  I can understand that.

> Can one of snort's modules generate alert when something like this happens ?

Hrm...  Only thing that I can think of would b the portscan pre-processor.

> I do not care about signatures of the attack. These requests might be valid
> HTTP requests. There is plenty of broken proxy servers out there. What I am
> concerned with, is the number of these requests.

Yeppers.  Makes good sense.

> I would imagine the portscan module could trigger an alert upon seeing 1000+
> SYN packets going to the same IP/port in a very short time ...

> From reading the code, it seems that if you pass it thr right 'homenet' to
watch and the amount of requests vs. time, then it should.

I'll have to dig in more and see to get a good answer for you.  I'm not a
coder, I just play one on TV. ;-)

Lemme have a go thru the code and see what I can turn up.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users