Snort mailing list archives
Re: Snort Signature based on time
From: twig les <twigles () yahoo com>
Date: Wed, 18 Sep 2002 13:05:11 -0700 (PDT)
We've gone thru this scenario at my work with Netrangers (they can update Cisco ACLs). We don't like it. Basically it can work if you have a bleed-off period (like BGP flaps) and a list of IPs that can never be blocked (root nameservers for example). Still, it's possible to DoS yourself.

--- Jason <security () brvenik com> wrote:
This capability was added on 8/26 by the looks of the changelog.

2002-08-26 mfr <roesch () sourcefire com>
* src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
added thresholds to snort rules language, docs to come

I haven't had a chance to check it out and there are no docs on it yet, but the basic capability should be there to do just what you are looking for.
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/threshold.c?rev=1.1&content-type=text/vnd.viewcvs-ma
From there it looks like the rule option for you would look like threshold:5,ip. You could also do it by event or port. The blocking part can be taken up as a react or resp, or you can do the firewall reconfig stuff, but the list will happily speak to the dangers there.

Jason

Ellis Corey wrote:

Hi, I would like to know how to write a signature to catch the following scenario. A user sending multiple valid HTTP requests to a webserver from the same IP in a given time frame (say 20 identical requests in 5 secs). I want to block this IP if this scenario happens. I have a string I can look for in the HTTP header also, "WebRegistration". We are getting bombarded by user WebRegistrations from this one user. When you block his IP, he just switches it and uses another one. I want to see if Snort can automate this detection and block the requests on the fly. Can it be done?

Thanks

-------------------------------------------------------
This SF.NET email is sponsored by: AMD - Your access to the experts on Hammer Technology! Open Source & Linux Developers, register now for the AMD Developer Symposium. Code: EX8664 http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------
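The per-source threshold Jason describes, combined with the bleed-off period and never-block list twig les recommends, as an added Python example that is not part of this thread or of Snort itself. It models the semantics (count N matching requests from one source within S seconds, then block) rather than Snort's rule syntax; the sample traffic, the 300 s bleed-off and the 10.0.0.53 exemption are constructed for the example.

```python
from collections import defaultdict, deque

# Policy from the thread: 20 matching requests from one source IP inside 5 s trips
# the threshold. Bleed-off and never-block values are constructed, not Snort defaults.
COUNT, SECONDS = 20, 5.0
BLEED_OFF = 300.0                   # constructed: auto-unblock after 5 minutes
NEVER_BLOCK = {"10.0.0.53"}         # constructed: a resolver we must not cut off
PATTERN = "WebRegistration"         # the header string from the original post


class ThresholdTracker:
    def __init__(self, count=COUNT, seconds=SECONDS,
                 bleed_off=BLEED_OFF, never_block=NEVER_BLOCK):
        self.count, self.seconds, self.bleed_off = count, seconds, bleed_off
        self.never_block = set(never_block)
        self.window = defaultdict(deque)    # src -> timestamps of recent hits
        self.blocked = {}                   # src -> time the block expires

    def observe(self, ts, src, request):
        """Decide one request: ignore, allow, block, blocked or exempt."""
        for s, until in list(self.blocked.items()):
            if ts >= until:                 # bleed-off: blocks expire on their own
                del self.blocked[s]
        if PATTERN not in request:
            return "ignore"                 # not traffic the rule matches
        if src in self.blocked:
            return "blocked"                # still inside the bleed-off period
        hits = self.window[src]
        hits.append(ts)
        while ts - hits[0] >= self.seconds:
            hits.popleft()                  # drop hits that fell out of the window
        if len(hits) < self.count:
            return "allow"
        hits.clear()
        if src in self.never_block:
            return "exempt"                 # blocking would be a self-DoS: alert only
        self.blocked[src] = ts + self.bleed_off
        return "block"


def sample_events():
    """Constructed traffic: a flood, a slow sender, an exempt host, a retry after bleed-off."""
    req = "POST /register HTTP/1.0 X-Form: WebRegistration"
    flood = [(i * 0.25, "192.0.2.10", req) for i in range(20)]      # 20 hits in 4.75 s
    slow = [(i * 0.5, "192.0.2.20", req) for i in range(20)]        # 20 hits in 9.5 s
    exempt = [(i * 0.1, "10.0.0.53", req) for i in range(20)]       # flood from never-block host
    later = [(5.0, "192.0.2.10", req), (310.0, "192.0.2.10", req),
             (310.5, "192.0.2.10", "GET /index.html HTTP/1.0")]
    return sorted(flood + slow + exempt + later, key=lambda e: e[0])
```

Feeding `sample_events()` through one `ThresholdTracker` blocks only the 192.0.2.10 flood, lets the slow sender through, alerts but never blocks 10.0.0.53, and allows 192.0.2.10 again once the bleed-off has passed.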
Current thread:
- Snort Signature based on time Ellis Corey (Sep 17)
- Re: Snort Signature based on time Jason (Sep 17)
- Re: Snort Signature based on time twig les (Sep 18)
- Re: Snort Signature based on time Jason (Sep 18)
- Re: Snort Signature based on time twig les (Sep 18)
- Re: Snort Signature based on time Jason (Sep 17)