Snort mailing list archives

Snort Signature based on time


From: Ellis Corey <Corey.Ellis () comverse com>
Date: Tue, 17 Sep 2002 17:17:30 -0400

Hi,

I would like to know how to write a signature to catch the following
scenario.

A user sending multiple valid HTTP requests to a web server from the same IP
in a given time frame (say 20 identical requests in 5 secs).  I want to
block this IP if this scenario happens.   I have a string I can look for in
the HTTP header also, "WebRegistration".  We are getting bombarded by user
WebRegistrations from this one user.  When you block his IP, he just
switches it and uses another one.  I want to see if Snort can automate this
detection and block the requests on the fly.


Can it be done?


Thanks
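
The detection described in this message, written out as an added example (not part of the original post, and not Snort rule syntax): a per-source sliding-window counter that flags any IP sending 20 identical requests containing "WebRegistration" within 5 seconds. The log line format, the `/signup` path, the `X-Action` header and all addresses are constructed for illustration.

```python
from collections import defaultdict, deque

MARKER = "WebRegistration"   # string the post says appears in the HTTP header
COUNT, WINDOW = 20, 5.0      # "20 identical requests in 5 secs" from the post

def parse(line):
    """Constructed format: '<epoch_seconds> <src_ip> <request text>'."""
    ts, src, request = line.split(" ", 2)
    return float(ts), src, request

def detect(lines, count=COUNT, window=WINDOW, marker=MARKER):
    """Return [(src_ip, time_flagged)] for sources that send `count`
    identical marker-bearing requests within `window` seconds."""
    recent = defaultdict(deque)   # (src, request) -> timestamps inside window
    flagged = {}                  # src -> time first flagged (one hit per IP)
    for ts, src, request in sorted(map(parse, lines)):
        if marker not in request or src in flagged:
            continue
        q = recent[(src, request)]
        q.append(ts)
        while ts - q[0] >= window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= count:
            flagged[src] = ts
    return sorted(flagged.items(), key=lambda kv: kv[1])

def sample_log():
    """Constructed sample traffic (documentation-range addresses)."""
    req = "POST /signup HTTP/1.0 X-Action: WebRegistration"
    lines = []
    # 25 identical requests in 2.4 s from one source: should be flagged.
    lines += [f"{1000 + i * 0.1:.1f} 192.0.2.10 {req}" for i in range(25)]
    # Same client after switching address: tracked and flagged separately.
    lines += [f"{1010 + i * 0.2:.1f} 192.0.2.77 {req}" for i in range(20)]
    # Legitimate user: 20 registrations spread over 40 s, never flagged.
    lines += [f"{1000 + i * 2:.1f} 198.51.100.5 {req}" for i in range(20)]
    # Busy source without the marker string: ignored.
    lines += [f"{1000 + i * 0.1:.1f} 203.0.113.9 GET /index.html HTTP/1.0"
              for i in range(30)]
    return lines

if __name__ == "__main__":
    for src, ts in detect(sample_log()):
        print(f"block candidate {src} at t={ts}")
```

Because the counter is keyed by source address, a sender who changes IP is flagged again only after the new address crosses the same threshold.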

