Snort mailing list archives
Re: quick sanity check please?
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 15 Nov 2013 06:01:17 -0700
Your last rule pcre could be: [0-9]{7,8} I think.

James

On Nov 15, 2013, at 5:51 AM, Jamie Riden <jamie.riden () gmail com> wrote:

> Have a client experiencing a DDoS via POST requests at the moment, and have
> hacked up the following, which do match the offending packets they're
> seeing, but I've got no "known good" traffic to check for FPs. Can anyone
> see anything majorly dumb about this, before it gets loaded onto the
> production firewall? :)
>
> # check for packets with POST, and Referer: but not a sensible one
> alert tcp any any -> any 80 (msg:"POST with bad referer"; content:"POST"; content:"Referer|3A| "; within:256; content:!".co.uk"; within:48; sid:12009099; rev:1;)
>
> # check for POSTs without Referer
> alert tcp any any -> any 80 (msg:"POST with no referer"; content:"POST"; content:!"Referer|3A| "; within:256; sid:12009098; rev:1;)
>
> # check for Content-Length of >10,000,000
> alert tcp any any -> any 80 (msg:"POST with silly content-length"; content:"POST"; pcre:"/Content-Length\x3a [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/"; sid:12009097; rev:1;)
>
> (I know the matches could be a lot tighter than they are...)
>
> Cheers,
> Jamie
>
> --
> Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
> http://uk.linkedin.com/in/jamieriden

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
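The following is an added Python emulation of the matching logic of the three rules posted above, so the windows they describe can be exercised against sample requests before the rules go near production traffic. It is an editor's example, not code from the thread and not Snort itself: it assumes one fully reassembled request as the payload, approximates Snort's relative `within` semantics with byte windows, and the four sample requests are constructed, not captured.

```python
import re

# Constructed sample HTTP requests (not captured traffic from the thread).
HOSTILE_POST = (
    b"POST /index.php HTTP/1.1\r\n"
    b"Host: www.example.co.uk\r\n"
    b"Referer: http://example.net/\r\n"
    b"Content-Length: 12345678\r\n"
    b"\r\n"
)
BENIGN_POST = (
    b"POST /contact HTTP/1.1\r\n"
    b"Host: www.example.co.uk\r\n"
    b"Referer: http://www.example.co.uk/contact\r\n"
    b"Content-Length: 512\r\n"
    b"\r\n"
)
NO_REFERER_POST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: www.example.co.uk\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
)
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: www.example.co.uk\r\n\r\n"


def _find_after(payload, needle, start, within):
    """Approximate a relative content match: `needle` must be found in the
    `within` bytes after offset `start`. Returns the end offset of the match
    or -1 if it is not found."""
    window = payload[start:start + within]
    idx = window.find(needle)
    return -1 if idx < 0 else start + idx + len(needle)


def post_with_bad_referer(payload: bytes) -> bool:
    """sid:12009099 - "POST", then "Referer: " within the next 256 bytes,
    then NO ".co.uk" within the 48 bytes after that."""
    post_end = _find_after(payload, b"POST", 0, len(payload))
    if post_end < 0:
        return False
    ref_end = _find_after(payload, b"Referer: ", post_end, 256)
    if ref_end < 0:
        return False
    # Negated content: the rule fires only when the pattern is absent here.
    return _find_after(payload, b".co.uk", ref_end, 48) < 0


def post_with_no_referer(payload: bytes) -> bool:
    """sid:12009098 - "POST" with no "Referer: " in the following 256 bytes."""
    post_end = _find_after(payload, b"POST", 0, len(payload))
    if post_end < 0:
        return False
    return _find_after(payload, b"Referer: ", post_end, 256) < 0


# Same pattern as the posted rule; {8} stands for the eight [0-9] classes.
CONTENT_LENGTH_RE = re.compile(rb"Content-Length\x3a [0-9]{8}")


def post_with_silly_content_length(payload: bytes) -> bool:
    """sid:12009097 - "POST" anywhere plus the pcre. The pcre has no relative
    flag, so it is searched over the whole payload: "Content-Length: " followed
    by at least eight digits, i.e. a declared length of 10,000,000 or more."""
    return b"POST" in payload and CONTENT_LENGTH_RE.search(payload) is not None


def evaluate(payload: bytes) -> list:
    """Return the msg string of every rule that would fire on this payload."""
    hits = []
    if post_with_bad_referer(payload):
        hits.append("POST with bad referer")
    if post_with_no_referer(payload):
        hits.append("POST with no referer")
    if post_with_silly_content_length(payload):
        hits.append("POST with silly content-length")
    return hits


if __name__ == "__main__":
    for name, req in [("hostile", HOSTILE_POST), ("benign", BENIGN_POST),
                      ("no-referer", NO_REFERER_POST), ("get", PLAIN_GET)]:
        print(f"{name:11s} -> {evaluate(req)}")
```

Two things the emulation makes visible, which are exactly what the "known good" traffic check in the original post is for: the 256-byte window after "POST" means a Referer header that starts later than that (a long request path, or several headers ahead of it) is not seen by either of the first two rules, so a legitimate request of that shape fires sid:12009098; and none of the rules carries `flow:to_server,established;`, which Snort HTTP rules conventionally include so that only client-to-server data on an established session is inspected.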