Solved

How about DOS rule of Snort?

Posted on 2009-07-15
6
945 Views
Last Modified: 2013-11-29
I install ok Snort + IDSCenter + Winpcap
OS: w2003

Snort run well, but I have not rule for DOS HTTP
my server run IIS
I 'attack' DOS by sending 1000 query/s to home page, but Snort not recorgnize DOS

What about DOS rules for snort ?

Thanks!
0
Comment
Question by:sunwsposelr60068
  • 3
  • 2
6 Comments
 
LVL 7

Expert Comment

by:Phateon
ID: 24869768
This is an old .conf file, but you might try it - http://www.0xdeadbeef.info/conf/snort.conf.190
0
 

Author Comment

by:sunwsposelr60068
ID: 24875505
I tried, not success, because have not RULE files, only configfile?
0
 
LVL 7

Expert Comment

by:Phateon
ID: 24877346
Yes. It is a config file.
0
 

Author Comment

by:sunwsposelr60068
ID: 24877715
but how about rules to recorgnize DOS HTTP?
0
 
LVL 7

Accepted Solution

by:
Phateon earned 250 total points
ID: 24877738
From the .conf file:
#########################################################
# Section #1 (Variables): Service ports
#
# This allows Snort to look for attacks directed to a
# specific application only on the ports that it runs on.
# This also improves overall performance of Snort.
#
# Ports you run Web servers on
var HTTP_PORTS 80
# Ports you want to look for shellcode on.
var SHELLCODE_PORTS !$HTTP_PORTS
# Ports you run Oracle servers on
var ORACLE_PORTS 1521

#########################################################
# Section #1 (Variables): Service ports
#
# This allows Snort to look for attacks directed to a
# specific application only on the ports that it runs on.
# This also improves overall performance of Snort.
#
# Ports you run Web servers on
var HTTP_PORTS 80
# Ports you want to look for shellcode on.
var SHELLCODE_PORTS !$HTTP_PORTS
# Ports you run Oracle servers on
var ORACLE_PORTS 1521

#########################################################
# Section #2 (Preprocessors): stream4
#
# Stateful inspection and stream reassembly for Snort.
# This preprocessor defeats stick/snot attacks against
# TCP rules and can statefully detect various portscan
# flavours, TCP fingerprinting, and more (see original
# snort.conf for further details). You can safely turn
# off "detect_scans" if you feel it's too noisy.
#
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble


#########################################################
# Section #2 (Preprocessors): http_decode
#
# HTTP traffic normalizer. This preprocessor normalizes
# HTTP requests by converting any %XX character to his
# ASCII equivalent. Now supports unicode, iis_alt_unicode,
# double_encode, iis_flip_slash and full_whitespace
# (see original snort.conf for further details).
#
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now