[Emerging-Sigs] Sig to detect DOS from an IP

PAURON, GUILLAUME (GUILLAUME) guillaume.pauron at alcatel-lucent.com
Thu Dec 20 23:07:03 HAST 2012


We are being attacked by some guys, and this is not detected by our Snort with Emerging Threats. It is detected by our Nagios+Cacti because they are sending a lot of requests to the web servers.

The way to detect it is that the server is replying with a lot of 404/500 errors or other HTTP codes to the same destination IP.

Could someone indicate to me which kind of sig could help me track that kind of behaviour? (I suspect something with track_by_dst and a match on HTTP_code ... :))

I will continue to search for a good signature that is maybe not activated yet on our side ...

Thank you in advance,
Pauron Guillaume
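The detection the post describes (many 4xx/5xx responses going back to one client within a short window) is, in Snort terms, a rule on the server-to-client direction that matches the status code (`http_stat_code`) and rate-limits with `detection_filter: track by_dst, count N, seconds S`, so that the tracked "destination" is the client. The following added example is not from the original post or from the Emerging Threats ruleset; it implements the same sliding-window logic in Python over web-server access logs, which is the other place the poster already sees the flood (Nagios/Cacti). All log lines, IPs, and thresholds are constructed for the example.

```python
"""Added example (not from the mailing-list post): a per-client sliding-window
counter over combined-format access logs that mirrors a Snort
detection_filter 'track by_dst' applied to HTTP error status codes.
Every log line, IP address and threshold below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (client_ip, timestamp, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


class ErrorFloodDetector:
    """Alert once when a single client receives >= `count` responses with
    status >= `min_status` inside any `seconds`-long window.  This is the
    same semantics as Snort's 'detection_filter: track by_dst, count N,
    seconds S' on a rule written for the server -> client direction."""

    def __init__(self, count=10, seconds=60, min_status=400):
        self.count = count
        self.seconds = seconds
        self.min_status = min_status
        self.windows = defaultdict(deque)  # client ip -> timestamps of error responses
        self.alerted = set()               # clients already reported (no repeat alerts)

    def feed(self, ip, ts, status):
        """Feed one response; return the client IP if it just crossed the threshold."""
        if status < self.min_status:
            return None
        q = self.windows[ip]
        q.append(ts)
        # Slide the window: forget error responses older than `seconds`.
        while q and (ts - q[0]).total_seconds() > self.seconds:
            q.popleft()
        if len(q) >= self.count and ip not in self.alerted:
            self.alerted.add(ip)
            return ip
        return None


def find_flooders(lines, count=10, seconds=60):
    """Run the detector over log lines (per-client chronological) and return alerted IPs."""
    det = ErrorFloodDetector(count, seconds)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the monitor
        hit = det.feed(*parsed)
        if hit:
            alerts.append(hit)
    return alerts


# ---- constructed sample data (not real traffic) ---------------------------
BASE = datetime(2012, 12, 20, 23, 7, 3, tzinfo=timezone.utc)


def make_line(ip, offset_s, status, path="/index.php"):
    """Build one constructed combined-format line `offset_s` seconds after BASE."""
    t = BASE + timedelta(seconds=offset_s)
    return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "curl/7.27"')


SAMPLE_LOG = (
    [make_line("203.0.113.7", 2 * i, 404, f"/x{i}") for i in range(12)]  # burst: 12 errors in 22 s
    + [make_line("198.51.100.5", 5 * i, 200) for i in range(12)]         # normal browsing
    + [make_line("198.51.100.5", 61, 404)]                               # one stray 404
    + [make_line("192.0.2.9", 30 * i, 500) for i in range(12)]           # slow errors: never 10 in 60 s
)
SAMPLE_LOG.sort(key=lambda l: parse_line(l)[1])  # feed in time order like a live tail

if __name__ == "__main__":
    print("flooders:", find_flooders(SAMPLE_LOG))  # only the bursting client is reported
```

The window is per client and slides on every new error, so a client that trickles one 500 every 30 seconds (192.0.2.9 above) never accumulates ten errors inside 60 seconds and stays quiet, while the bursting client is reported exactly once. Tune `count`/`seconds` to your real error rate before alerting on it, exactly as you would tune the Snort `detection_filter` values.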

