Solved

How about DOS rule of Snort?

Posted on 2009-07-15
Last Modified: 2013-11-29
I installed Snort + IDSCenter + WinPcap OK.
OS: W2003

Snort runs well, but I have no rule for HTTP DoS.
My server runs IIS.
I 'attack' with a DoS by sending 1000 queries/s to the home page, but Snort does not recognize the DoS.

What about DoS rules for Snort?

Thanks!
Question by:sunwsposelr60068

Expert Comment

by:Phateon
ID: 24869768
This is an old .conf file, but you might try it - http://www.0xdeadbeef.info/conf/snort.conf.190

Author Comment

by:sunwsposelr60068
ID: 24875505
I tried it, without success, because there are no rule files, only a config file?

Expert Comment

by:Phateon
ID: 24877346
Yes. It is a config file.

Author Comment

by:sunwsposelr60068
ID: 24877715
But how about rules to recognize HTTP DoS?

Accepted Solution

by:Phateon (earned 250 total points)
ID: 24877738
From the .conf file:
#########################################################
# Section #1 (Variables): Service ports
#
# This allows Snort to look for attacks directed to a
# specific application only on the ports that it runs on.
# This also improves overall performance of Snort.
#
# Ports you run Web servers on
var HTTP_PORTS 80
# Ports you want to look for shellcode on.
var SHELLCODE_PORTS !$HTTP_PORTS
# Ports you run Oracle servers on
var ORACLE_PORTS 1521

#########################################################
# Section #2 (Preprocessors): stream4
#
# Stateful inspection and stream reassembly for Snort.
# This preprocessor defeats stick/snot attacks against
# TCP rules and can statefully detect various portscan
# flavours, TCP fingerprinting, and more (see original
# snort.conf for further details). You can safely turn
# off "detect_scans" if you feel it's too noisy.
#
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble


#########################################################
# Section #2 (Preprocessors): http_decode
#
# HTTP traffic normalizer. This preprocessor normalizes
# HTTP requests by converting any %XX character to his
# ASCII equivalent. Now supports unicode, iis_alt_unicode,
# double_encode, iis_flip_slash and full_whitespace
# (see original snort.conf for further details).
#
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
0
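A rate-based rule of the kind the question asks for, added here as an example; it is not part of the original thread or of the linked snort.conf. It assumes Snort 2.8.5 or later (for `detection_filter` and `event_filter`), the stock `HOME_NET` and `EXTERNAL_NET` variables, and constructed thresholds and SIDs that must be tuned to the site's normal traffic:

```snort
# local.rules (constructed example, not from the quoted snort.conf)
#
# Assumptions:
#   - HOME_NET / EXTERNAL_NET are defined in snort.conf as usual.
#   - HTTP_PORTS is defined as in the config above (var HTTP_PORTS 80).
#   - A stream preprocessor is enabled, which flow:established requires.
#   - SIDs 1000001/1000002 are placeholders from the local range (>= 1000000).
#   - The counts are illustrative; baseline normal traffic before choosing them.

# HTTP GET flood from a single source.
# detection_filter suppresses the rule until one source IP has sent more than
# 200 matching packets inside a 1-second window; matching packets after that
# point, within the same window, generate events.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
    (msg:"LOCAL DOS HTTP GET flood from single source"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    detection_filter:track by_src, count 200, seconds 1; \
    classtype:attempted-dos; sid:1000001; rev:1;)

# Connection-rate variant: many new TCP connections (SYN only) from one
# source to the web port. Catches floods that never complete a request.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
    (msg:"LOCAL DOS excessive new HTTP connections from single source"; \
    flow:stateless; flags:S,12; \
    detection_filter:track by_src, count 300, seconds 1; \
    classtype:attempted-dos; sid:1000002; rev:1;)

# Place in snort.conf or threshold.conf.
# Once a rule is firing, log at most one alert per source per minute so the
# alert stream itself does not become the bottleneck during a flood.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
```

On Snort 2.x releases older than 2.8.5, the in-rule `threshold:type threshold, track by_src, count 200, seconds 1;` option fills the role of `detection_filter`.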
