Snort mailing list archives
Snort Signature based on time
From: Ellis Corey <Corey.Ellis () comverse com>
Date: Tue, 17 Sep 2002 17:17:30 -0400
Hi,

I would like to know how to write a signature to catch the following scenario: a user sending multiple valid HTTP requests to a web server from the same IP in a given time frame (say 20 identical requests in 5 secs). I want to block this IP if this scenario happens. I also have a string I can look for in the HTTP header: "WebRegistration". We are getting bombarded by user WebRegistrations from this one user. When you block his IP, he just switches it and uses another one. I want to see if Snort can automate this detection and block the requests on the fly. Can it be done?

Thanks
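The rate condition described in the message above (20 identical requests carrying "WebRegistration" from one source IP within 5 seconds), written out as sliding-window detection logic. This is an added example, not part of the original post and not Snort code; the record layout, the function names, the `X-App` header and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MARKER = "WebRegistration"   # string named in the post
THRESHOLD = 20               # request count, from the post
WINDOW = 5.0                 # seconds, from the post


def find_flooders(records, marker=MARKER, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: time_of_first_trigger} for sources that send
    `threshold` identical marker-bearing requests within `window` seconds.

    `records` is an iterable of (timestamp, src_ip, request_text) tuples in
    time order (hypothetical layout, e.g. parsed from a web access log).
    """
    recent = defaultdict(deque)   # (src_ip, request_text) -> timestamps in window
    flagged = {}
    for ts, src, request in records:
        if marker not in request:
            continue
        times = recent[(src, request)]
        times.append(ts)
        # Drop timestamps that have aged out of the window.
        while ts - times[0] >= window:
            times.popleft()
        if len(times) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


def sample_records():
    """Constructed sample traffic using documentation address ranges."""
    req = "POST /signup HTTP/1.0 X-App: WebRegistration"
    # 20 identical requests inside 2 seconds: should trigger.
    burst = [(100.0 + i * 0.1, "192.0.2.10", req) for i in range(20)]
    # 20 identical requests spread over 19 seconds: should not trigger.
    slow = [(100.0 + i * 1.0, "198.51.100.7", req) for i in range(20)]
    # Fast traffic without the marker string: ignored.
    other = [(100.0 + i * 0.1, "203.0.113.5", "GET /index.html HTTP/1.0")
             for i in range(30)]
    return sorted(burst + slow + other)


if __name__ == "__main__":
    for ip, when in find_flooders(sample_records()).items():
        print(f"{ip} reached {THRESHOLD} requests within {WINDOW}s at t={when:.1f}")
```

Because the post notes that the sender changes address after each block, keying `recent` on the request text alone rather than on `(src_ip, request_text)` counts the burst regardless of source.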