Snort mailing list archives

Re: Snort Inline


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 06 Jun 2005 15:24:52 -0400

Xavier Cabrera wrote:
Hello:

Does anyone have a rule to stop a DoS attack on Apache with snort inline?

I have this rule:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"XavierC Try to stop http DOS Attack"; flags:S; threshold: type both, track by_src, count 5, seconds 1; classtype:misc-activity; sid:3000000; rev:1;)

<snip>

but when I want to make a real connection from a good IP I can't see the
website... and no log appears for the good IP!

What can have happened?

I don't know why you didn't get a log, but 5 connections per second is an
outrageously low threshold. Try 20 or 30 as a bare minimum.

Many web browsers will open every embedded element of your page simultaneously,
or in batches of 5 at a time, and new ones are fired off as fast as the previous
batch finishes. Each element of the page usually gets its own connection, so if
you've got a page with 100 images on it, that's 100 connections.
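Added example, not code from this thread or from Snort: a small model of the Snort 2.x rule `threshold` option (type limit/threshold/both, track by_src) replayed over constructed SYN timings for one legitimate browser fetching 100 embedded elements five at a time. The batch timing, batch size and client address are assumptions; the point is that `count 5, seconds 1` acts on the client's very first batch, while a count above the client's burst rate never does.

```python
"""Constructed model of the Snort 2.x rule option
'threshold: type limit|threshold|both, track by_src, count N, seconds T'.
Not Snort's own code; it shows why a 5-per-second SYN threshold trips on
a single legitimate browser that opens connections in batches.
"""


class SrcThreshold:
    """Per-source event counter with Snort 2.x threshold semantics.
    Times are in milliseconds; the window starts at the first event seen."""

    def __init__(self, kind, count, seconds):
        assert kind in ("limit", "threshold", "both")
        self.kind, self.count, self.window_ms = kind, count, seconds * 1000
        self.state = {}  # src -> [window_start_ms, events_in_window]

    def event(self, src, ts_ms):
        """Return True if the rule action (drop, for the posted rule) applies."""
        st = self.state.get(src)
        if st is None or ts_ms - st[0] >= self.window_ms:
            st = self.state[src] = [ts_ms, 0]  # open a new window for this source
        st[1] += 1
        n = st[1]
        if self.kind == "limit":      # act on the first `count` events per window
            return n <= self.count
        if self.kind == "threshold":  # act on every `count`-th event
            return n % self.count == 0
        return n == self.count        # both: act once per window, at the count-th event


def browser_syns(batch_size=5, batches=20, batch_gap_ms=200):
    """Constructed SYN timestamps (ms) for one client loading a page with
    batch_size * batches embedded elements, batch_size connections at a time."""
    return [b * batch_gap_ms + j for b in range(batches) for j in range(batch_size)]


def first_dropped_syn(count, seconds=1, kind="both", src="192.0.2.10"):
    """Timestamp (ms) of the first SYN the rule would drop, or None if never.
    The source address is a constructed TEST-NET value."""
    rule = SrcThreshold(kind, count, seconds)
    for ts in browser_syns():
        if rule.event(src, ts):
            return ts
    return None


if __name__ == "__main__":
    for c in (5, 20, 30):
        print(f"count {c}, seconds 1: first drop at {first_dropped_syn(c)} ms")
```

With the assumed timing the client opens 25 connections per second, so count 5 and count 20 both drop a legitimate SYN while count 30 never fires; raise the count above the burst rate you actually observe from real clients.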
