[Emerging-Sigs] Sig to detect DOS from an IP
PAURON, GUILLAUME (GUILLAUME)
guillaume.pauron at alcatel-lucent.com
Fri Dec 21 01:47:06 HAST 2012
We found these sigs, I think those are the good ones:
SID 2009885 / 2009884 / etc
But what do you think about a sig like that, to detect an abnormal threshold of HTTP requests on a web server?
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Unusually Fast HTTP ATTEMPT to server"; flow:established,to_server; threshold: type threshold, track by_src, count 1000, seconds 60; classtype:attempted-recon; sid:X; rev:1;)
From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of PAURON, GUILLAUME (GUILLAUME)
Sent: Friday 21 December 2012 10:07
To: emerging-sigs at emergingthreats.net
Subject: [Emerging-Sigs] Sig to detect DOS from an IP
We are being attacked by some guys and this is not detected by our Snort with Emerging Threats. It is detected by our Nagios+Cacti because they are sending a lot of requests to the web servers.
The way to detect it is that the server is replying with a lot of 404/500 errors or other HTTP codes to the same destination IP.
Could someone indicate to me which kind of sig could help me track that kind of behaviour? (I suspect something with track_by_dst and a match on the HTTP code ... :))
I will continue to search for a good signature that is maybe not activated yet on our side ...
Thank you in advance,
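The thread discusses two ways to spot this behaviour: a per-source request-rate threshold (the Snort rule in the reply) and the original poster's observation that the server answers the same client with an unusual number of 404/500 responses. The script below is an added example, not from the mailing list or from Emerging Threats; it applies both checks to web-server access logs as a sliding-window count, so a defender can confirm an IDS threshold alert against the server's own records. The log format, the sample client addresses (192.0.2.10, 198.51.100.7), the timestamps and the thresholds are all constructed for the example.

```python
"""Flag clients that hit an HTTP server unusually fast, or that draw an
unusual number of 4xx/5xx responses, from Common Log Format access logs.

Added example, not from the Emerging-Sigs thread. The thresholds mirror the
ideas discussed there (count 1000 requests in 60 s per source; many error
responses to one destination in 60 s) but are chosen for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def detect(lines, rate_count=1000, rate_seconds=60, error_count=100, error_seconds=60):
    """Return alerts as a list of (kind, ip, count), in the order they fire.

    'fast'   : a client sent rate_count or more requests within rate_seconds
               (the per-source threshold of the Snort rule in the reply).
    'errors' : a client received error_count or more 4xx/5xx responses within
               error_seconds (the "many 404/500 to the same IP" observation).
    Each client is reported at most once per kind, when the threshold is reached,
    which matches the one-alert-per-window behaviour of a threshold rule.
    """
    req_window = defaultdict(deque)   # ip -> timestamps of recent requests
    err_window = defaultdict(deque)   # ip -> timestamps of recent error responses
    alerts, fired = [], set()

    def _slide(q, ts, seconds):
        # Append the newest timestamp and drop everything outside the window.
        q.append(ts)
        while ts - q[0] > timedelta(seconds=seconds):
            q.popleft()
        return len(q)

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed lines rather than abort
            continue
        ip, ts, status = parsed

        if _slide(req_window[ip], ts, rate_seconds) >= rate_count and ("fast", ip) not in fired:
            fired.add(("fast", ip))
            alerts.append(("fast", ip, len(req_window[ip])))

        if status >= 400:
            if _slide(err_window[ip], ts, error_seconds) >= error_count and ("errors", ip) not in fired:
                fired.add(("errors", ip))
                alerts.append(("errors", ip, len(err_window[ip])))
    return alerts


def make_log(ip, start, n, status, per_second):
    """Construct n CLF lines from one client, per_second requests per second, all with one status."""
    base = datetime.strptime(start, TIME_FMT)
    lines = []
    for i in range(n):
        t = base + timedelta(seconds=i // per_second)
        lines.append(f'{ip} - - [{t.strftime(TIME_FMT)}] "GET /index.html HTTP/1.1" {status} 512')
    return lines


def run_sample():
    """Constructed traffic: one ordinary client and one client flooding the server with 404s."""
    start = "21/Dec/2012:10:07:00 +0000"
    log = (make_log("192.0.2.10", start, 30, 200, per_second=1)        # normal browsing
           + make_log("198.51.100.7", start, 1200, 404, per_second=20)  # 1200 requests in 60 s, all 404
           + ["this line is not an access log entry"])                   # malformed, ignored
    return detect(log)


if __name__ == "__main__":
    for kind, ip, count in run_sample():
        print(f"{kind:6s} {ip:15s} {count} in window")
```

The error-response check fires first (after 100 requests) because it reaches its threshold well before the request-rate check does; in practice the two thresholds would be tuned to the server's normal traffic so that an ordinary client such as 192.0.2.10 never appears in the output.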