Re: Snort Sigature based on time

[Jason <security () brvenik com>]

Instead of blocking and causing a DoS to yourself snort can \send resets 
to the specific connection once identified or send back a denied content 
page. Identifying the abuser should be possible with thresholding. THis 
happens once ot twice and I would expect them to give up or slow down 
considerably.

twig les wrote:

> We've gone thru this scenario at my work with
> Netrangers (they can update Cisco acls).  We don't
> like it.  Basically it can work if you have a
> bleed-off period (like BGP flaps) and a list of IPs
> that can never be blocked (root nameservers for
> example).
>
> Still, it's possible to DoS yourself.  
>
>
> --- Jason <security () brvenik com> wrote:
>  
>
> > This capability was added on 8/26 by the looks of
> > the changelog.
> >
> > 2002-08-26  mfr <roesch () sourcefire com>
> >    * src/threshold.c src/threshold.h src/detect.c
> > src/rules.h src/parser.c
> >         added thresholds to snort rules language, docs to
> > come
> >
> > I haven't had a chance to check it out and there are
> > no docs on it yet but the basic capability 
> >
> > should be there to do just what you are looking for.
> >
> >
> >
> >    
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/threshold.c?rev=1.1&content-type=text/vnd.viewcvs-ma
>  
>
> > from there looks like this as a rule option for you
> > would look like
> >
> > threshold:5,ip
> > you could also do it by event or port
> >
> > the blocking part can be taken up as a react or resp
> > or you can do the firewall reconfig stuff but the
> > list 
> > will happily speak to the dangers there.
> >
> > Jason
> >
> > Ellis Corey wrote:
> >
> >    
> >
> > > Hi,
> > >
> > > I would like to know how to write a signature to
> > >      
> > catch the following
> >    
> >
> > > scenario.
> > >
> > > a user sending multiple valid HTTP request to a web
> > >      
> > server from the same IP
> >    
> >
> > > in a given time frame (say 20 identical requests in
> > >      
> > 5 secs).  I want to
> >    
> >
> > > block this ip, if this scenario happens.   I have a
> > >      
> > string I can look for in
> >    
> >
> > > the HTTP header also "WebRegistration".  We are
> > >      
> > getting bombarded by user
> >    
> >
> > > WebRegistrations from this one user.  When you
> > >      
> > block his ip, he just
> >    
> >
> > > switches it, and uses another one.  I want to see
> > >      
> > if Snort can automate this
> >    
> >
> > > detection and block the requests on the fly.
> > >
> > >
> > > Can it be done. 
> > >
> > >
> > > Thanks
> > >
> > >
> > >      
> > -------------------------------------------------------
> >    
> >
> > > This SF.NET email is sponsored by: AMD - Your
> > >      
> > access to the experts
> >    
> >
> > > on Hammer Technology! Open Source & Linux
> > >      
> > Developers, register now
> >    
> >
> > > for the AMD Developer Symposium. Code: EX8664
> > > http://www.developwithamd.com/developerlab
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or
> > >      
> > unsubscribe:
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >    
> >
> > > Snort-users list archive:
> > >      
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >    
> >
> > >      
> >
> >
> >
> >
> >    
> -------------------------------------------------------
>  
>
> > This SF.NET email is sponsored by: AMD - Your access
> > to the experts
> > on Hammer Technology! Open Source & Linux
> > Developers, register now
> > for the AMD Developer Symposium. Code: EX8664
> > http://www.developwithamd.com/developerlab
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or
> > unsubscribe:
> >
> >    
> https://lists.sourceforge.net/lists/listinfo/snort-users
>  
>
> > Snort-users list archive:
> >
> >    
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> =====
> -----------------------------------------------------------
> Heavy metal made me do it.                        
> -----------------------------------------------------------
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Health - Feel better, live better
> http://health.yahoo.com
>
>  



-------------------------------------------------------
This SF.NET email is sponsored by: AMD - Your access to the experts
on Hammer Technology! Open Source & Linux Developers, register now
for the AMD Developer Symposium. Code: EX8664
http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users