Solved

How about DOS rule of Snort?

Posted on 2009-07-15
972 Views
Last Modified: 2013-11-29
I installed Snort + IDSCenter + Winpcap OK.
OS: w2003

Snort runs well, but I have no rule for DOS HTTP.
My server runs IIS.
I 'attack' DOS by sending 1000 queries/s to the home page, but Snort does not recognize the DOS.

What about DOS rules for Snort?

Thanks!
Question by:sunwsposelr60068

6 Comments
LVL 7

Expert Comment

by:Phateon
ID: 24869768
This is an old .conf file, but you might try it - http://www.0xdeadbeef.info/conf/snort.conf.190

Author Comment

by:sunwsposelr60068
ID: 24875505
I tried, no success, because there are no RULE files, only a config file?
LVL 7

Expert Comment

by:Phateon
ID: 24877346
Yes. It is a config file.

Author Comment

by:sunwsposelr60068
ID: 24877715
But how about rules to recognize DOS HTTP?
LVL 7

Accepted Solution

by: Phateon earned 250 total points
ID: 24877738
From the .conf file:
#########################################################
# Section #1 (Variables): Service ports
#
# This allows Snort to look for attacks directed to a
# specific application only on the ports that it runs on.
# This also improves overall performance of Snort.
#
# Ports you run Web servers on
var HTTP_PORTS 80
# Ports you want to look for shellcode on.
var SHELLCODE_PORTS !$HTTP_PORTS
# Ports you run Oracle servers on
var ORACLE_PORTS 1521

#########################################################
# Section #2 (Preprocessors): stream4
#
# Stateful inspection and stream reassembly for Snort.
# This preprocessor defeats stick/snot attacks against
# TCP rules and can statefully detect various portscan
# flavours, TCP fingerprinting, and more (see original
# snort.conf for further details). You can safely turn
# off "detect_scans" if you feel it's too noisy.
#
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble


#########################################################
# Section #2 (Preprocessors): http_decode
#
# HTTP traffic normalizer. This preprocessor normalizes
# HTTP requests by converting any %XX character to its
# ASCII equivalent. Now supports unicode, iis_alt_unicode,
# double_encode, iis_flip_slash and full_whitespace
# (see original snort.conf for further details).
#
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
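The conf fragments above set up the variables and preprocessors, but the request-flood detection the question asks for still needs a rule. Here is one as an added example (not from the thread or Phateon's conf file): a Snort 2.x local rule that uses the threshold keyword to alert when a single source sends more than 500 GET requests per second to $HTTP_PORTS. The count/seconds values, the msg text and the sid are assumptions to tune to your own server.

```snort
# Added example, not part of the original thread.
# Local rule for Snort 2.x: alert on an HTTP request flood from one source.
# $HTTP_PORTS comes from the variables section quoted above; $EXTERNAL_NET and
# $HOME_NET are the standard snort.conf variables.
# flow: requires a stream preprocessor (stream4 in the conf above).
# threshold type both: alert once per interval after "count" matches from the
#   same source, then stay quiet for the rest of the interval (no alert storm).
# count 500 / seconds 1 are assumed values: measure your normal request rate
#   first so that legitimate bursts (e.g. one page with many images) do not fire.
# sid 1000001: local rules use sids of 1000000 and above.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP request flood - possible DoS"; \
    flow:to_server,established; \
    content:"GET "; depth:4; nocase; \
    threshold:type both, track by_src, count 500, seconds 1; \
    classtype:attempted-dos; \
    sid:1000001; rev:1; \
)

# On Snort 2.8.5 or newer the rule-level threshold keyword is deprecated;
# the equivalent is detection_filter in the rule plus an event_filter in
# threshold.conf to rate-limit the resulting alerts:
#   detection_filter: track by_src, count 500, seconds 1;
```

Put the rule in a local.rules file that snort.conf includes and validate the configuration with `snort -T -c snort.conf` before running in IDS mode. A test like the one described in the question (1000 queries/s from one host) should then show up in the alert log, tagged with the msg above.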