[Emerging-Sigs] Sig to detect DOS from an IP

PAURON, GUILLAUME (GUILLAUME) guillaume.pauron at alcatel-lucent.com
Fri Dec 21 01:47:06 HAST 2012


We found these sigs, I think those are the good ones:

SID 2009885 / 2009884 / etc

But what do you think about a sig like that to detect an abnormal threshold of HTTP requests on a web server?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Unusually Fast HTTP ATTEMPT to server"; flow:established,to_server; threshold: type threshold, track by_src, count 1000, seconds 60; classtype:attempted-recon; sid:X; rev:1;)


From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of PAURON, GUILLAUME (GUILLAUME)
Sent: Friday 21 December 2012 10:07
To: emerging-sigs at emergingthreats.net
Subject: [Emerging-Sigs] Sig to detect DOS from an IP


We are being attacked by some guys and this is not detected by our Snort with Emerging Threats. It is detected by our Nagios+Cacti because they are sending a lot of requests to the web servers.

The way to detect it is that the server is replying with a lot of 404/500 errors or other HTTP codes to the same destination IP.

Could someone tell me which kind of sig could help me track that kind of behaviour? (I suspect something with track_by_dst and a match on HTTP_code... :))

I will continue to search for a good signature, maybe one not yet activated on our side...

Thank you in advance,
Pauron Guillaume
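Added example (not part of the thread above, and not an Emerging Threats rule): the Snort rule proposed in the reply counts requests per source with `threshold: type threshold, track by_src, count 1000, seconds 60`, while the original question describes the same abuse from the response side, many 404/500 replies to one destination IP. The script below models that thresholding logic offline over constructed web-server access-log lines (the IPs, paths and timestamps are made up), so the semantics can be checked before committing to a rule: per tracked key, an alert fires each time `count` error responses fall within a `seconds` window, and the key's window is then re-armed, which is how Snort's `type threshold` behaves. The `count=5` used in the sample is deliberately small so the sample log stays short; the rule in the thread uses 1000.

```python
"""Offline model of a per-IP error-rate threshold, in the spirit of Snort's
`threshold: type threshold, track by_src, count N, seconds M`.

Instead of packets, it reads access-log lines (constructed sample data below)
and counts 404/500 responses per client IP inside a sliding window.  An alert
fires each time `count` error responses from one IP fall within `seconds`;
that IP's window is then cleared, mirroring how `type threshold` re-arms.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic).  203.0.113.5 produces five 404s
# spread over eight minutes; 198.51.100.7 produces six errors in 25 seconds;
# 192.0.2.9 only gets 200s and must never be counted.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Dec/2012:10:00:00 +0000] "GET /old.html HTTP/1.1" 404 512 "-" "curl/7.26"',
    '203.0.113.5 - - [21/Dec/2012:10:02:00 +0000] "GET /old2.html HTTP/1.1" 404 512 "-" "curl/7.26"',
    '203.0.113.5 - - [21/Dec/2012:10:04:00 +0000] "GET /old3.html HTTP/1.1" 404 512 "-" "curl/7.26"',
    '203.0.113.5 - - [21/Dec/2012:10:06:00 +0000] "GET /old4.html HTTP/1.1" 404 512 "-" "curl/7.26"',
    '203.0.113.5 - - [21/Dec/2012:10:08:00 +0000] "GET /old5.html HTTP/1.1" 404 512 "-" "curl/7.26"',
    '198.51.100.7 - - [21/Dec/2012:10:07:00 +0000] "GET /a HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Dec/2012:10:07:05 +0000] "GET /b HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Dec/2012:10:07:10 +0000] "GET /c HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Dec/2012:10:07:15 +0000] "GET /d HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Dec/2012:10:07:20 +0000] "GET /e HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Dec/2012:10:07:25 +0000] "GET /f HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Dec/2012:10:07:12 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Dec/2012:10:07:14 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return (client_ip, timestamp, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def error_rate_alerts(lines, count=5, seconds=60, statuses=(404, 500)):
    """Return a list of (ip, alert_time) pairs, one per threshold crossing.

    Lines must be in chronological order per IP, as a live log would be.
    """
    windows = defaultdict(deque)  # ip -> timestamps of recent error responses
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        ip, ts, status = parsed
        if status not in statuses:
            continue
        win = windows[ip]
        win.append(ts)
        # Drop events that have aged out of the window.
        while (ts - win[0]).total_seconds() > seconds:
            win.popleft()
        if len(win) >= count:
            alerts.append((ip, ts))
            win.clear()  # re-arm for the next `count` events, like `type threshold`
    return alerts


if __name__ == "__main__":
    for ip, when in error_rate_alerts(SAMPLE_LOG, count=5, seconds=60):
        print(f"{when.isoformat()} threshold crossed by {ip}")
```

With the 60-second window only 198.51.100.7 trips the threshold (its fifth error at 10:07:20); widening the window to 600 seconds also catches 203.0.113.5, which is the trade-off the `seconds` parameter in the rule controls. In a Snort rule written from the response side, as the original message suggests, the tracked key is the destination of the server's replies, so `track by_dst` is the equivalent of the per-client key used here.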
