Snort mailing list archives
Re: Detecting benchmarks
From: "Pawel Rogocz" <pawel () rogocz com>
Date: Fri, 10 May 2002 02:42:19 -0700
Erek, I did some more testing using hping2. If I run hping -p 80 -i u3000 -S MYIP it will send 300 SYN pkts/sec to the same port (80), but snort will not say a word. Only after I start hitting ^Z which changes the destination port, spp_portscan will notice something is going on :-( Pawel ----- Original Message ----- From: "Erek Adams" <erek () theadamsfamily net> To: "Pawel Rogocz" <pawel () rogocz com> Cc: <snort-users () lists sourceforge net> Sent: Wednesday, May 08, 2002 10:01 PM Subject: Re: [Snort-users] Detecting benchmarks
On Wed, 8 May 2002, Pawel Rogocz wrote:let's put it this way: If someone sends me 1000+ http requests from the
same
IP in one minute I would like to know about it.Certes. I can understand that.Can one of snort's modules generate alert when something like this
happens ?
Hrm... Only thing that I can think of would b the portscan pre-processor.I do not care about signatures of the attack. These requests might be
valid
HTTP requests. There is plenty of broken proxy servers out there. What I
am
concerned with, is the number of these requests.Yeppers. Makes good sense.I would imagine the portscan module could trigger an alert upon seeing
1000+
SYN packets going to the same IP/port in a very short time ...From reading the code, it seems that if you pass it thr right 'homenet'
to
watch and the amount of requests vs. time, then it should. I'll have to dig in more and see to get a good answer for you. I'm not a coder, I just play one on TV. ;-) Lemme have a go thru the code and see what I can turn up. ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net
_______________________________________________________________ Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: bandwidth () sourceforge net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Detecting benchmarks Pawel Rogocz (May 08)
- Re: Detecting benchmarks Erek Adams (May 08)
- Re: Detecting benchmarks Pawel Rogocz (May 08)
- Re: Detecting benchmarks Erek Adams (May 08)
- Re: Detecting benchmarks Pawel Rogocz (May 10)
- Re: Detecting benchmarks Erek Adams (May 10)
- Re: Detecting benchmarks Pawel Rogocz (May 08)
- Re: Detecting benchmarks Erek Adams (May 08)