[Emerging-Sigs] Sig to detect DOS from an IP

PAURON, GUILLAUME (GUILLAUME) guillaume.pauron at alcatel-lucent.com
Fri Dec 21 01:47:06 HAST 2012


Hello,

We found these sigs, I think these are the good ones:

SID 2009885 / 2009884 / etc

But what do you think about a sig like that to detect an abnormal threshold of HTTP requests on a web server?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Unusually Fast HTTP ATTEMPT to server"; flow:established,to_server; threshold: type threshold, track by_src, count 1000, seconds 60; classtype:attempted-recon; sid:X; rev:1;)

Regards

________________________________
From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of PAURON, GUILLAUME (GUILLAUME)
Sent: Friday 21 December 2012 10:07
To: emerging-sigs at emergingthreats.net
Subject: [Emerging-Sigs] Sig to detect DOS from an IP

Hello,

We are being attacked by some guys and this is not detected by our Snort with Emerging Threats. It is detected by our Nagios+Cacti because they are sending a lot of requests to the web servers.

The way to detect it is that the server is replying with a lot of 404/500 errors or other HTTP codes to the same destination IP.

Could someone indicate to me which kind of sig could help me track that kind of behaviour? (I suspect something with track_by_dst and a match on the HTTP code ... :))

I will continue to search for a good signature, maybe one not activated yet on our side ...

Thank you in advance,
Pauron Guillaume
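Editor's added example (not part of the thread or of any ET rule): the same "count N events from one source within W seconds" logic as the proposed `threshold: type threshold, track by_src` rule, run over constructed Apache access-log lines, with an `errors_only` switch that implements the per-IP 4xx/5xx error-rate idea from the original question. IPs, timestamps and status codes are constructed sample data; the window/reset semantics approximate Snort's "alert every N events in the interval".

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')


def make_line(ip, second, status, path="/index.php"):
    # Constructed Apache combined-format line; all stamps fall on 21/Dec/2012 10:00:SS.
    return (f'{ip} - - [21/Dec/2012:10:00:{second:02d} +0100] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one client sends 12 requests in 22 s (first two answered 200,
# the remaining ten 404); a normal client sends three successful requests.
SAMPLE_LOG = ([make_line("10.0.0.5", s, 200) for s in (0, 2)]
              + [make_line("10.0.0.5", s, 404) for s in range(4, 24, 2)]
              + [make_line("192.0.2.10", s, 200) for s in (5, 20, 40)])


def parse(line):
    """Return (client_ip, timestamp, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def threshold_alerts(lines, count, seconds, errors_only=False):
    """Sliding-window per-source counter mirroring 'track by_src, count N, seconds W'.

    Fires (and resets the counter, like Snort's 'type threshold') each time a
    source reaches `count` events inside `seconds`. With errors_only=True only
    responses with status >= 400 are counted, i.e. the error-rate variant.
    """
    windows = defaultdict(deque)   # ip -> timestamps of events still in the window
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, status = rec
        if errors_only and status < 400:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= seconds:   # drop events outside the window
            q.popleft()
        if len(q) >= count:
            alerts.append((ip, ts))
            q.clear()
    return alerts
```

With `count=6, seconds=60` the full-request variant fires twice for 10.0.0.5 and the errors-only variant once; the normal client never triggers.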
