Snort mailing list archives

Re: HTTP Get Flood

From: Jamie Riden <jamie.riden () gmail com>
Date: Sun, 15 Feb 2015 16:13:19 +0000

I know this is snort list, so forgive me changing the subject slightly.

Last time I dealt with anything on this scale (~12k hosts engaged in DoS by
repeated HTTP GETs) we used fail2ban on the logs and fed this into the
ipset fail2ban target to literally drop the traffic.

(After we made this change, and about another day of hammering us and
getting no particular effect, the attackers gave up. I don't think they
were particularly sophisticated though.)

Of course, you could equally well feed fail2ban from the snort logs and
achieve the same thing that way rather than going off the apache logs as we
were.

However in DoS conditions, the quicker you can drop the traffic the better,
so a "rude" DROP from iptables is preferred to a "polite" 403 message from
Apache, and so on.

cheers,
 Jamie

On 15 February 2015 at 16:03, Mohammad Rastgoo <mohammad () synapti ca> wrote:

Hi,

This is it:

  Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request  0-1 21953
0/75/3739 _ 0.87 3 128 0 0.28 42.46 92.50.31.242 www.domain.com:80 GET
/moon HTTP/1.1  1-May 21977 1/39/3034 K 0.98 9 93 0.7 0.31 36.24
92.50.31.242 www.domain.com:80 GET /moon HTTP/1.1  13-1 21241 0/168/3311 _
2.17 2 130 0 0.41 45.39 46.209.70.74 www.domain.com:80 GET /moon HTTP/1.1
15-1 22114 ######## K 0.18 11 93 0.7 0.05 20.92 46.209.70.74
www.domain.com:80 GET /moon HTTP/1.1  16-1 22186 0/14/3072 _ 0.63 11 88 0
0.1 32.13 46.209.70.74 www.domain.com:80 GET /moon HTTP/1.1  19-1 20925
0/114/2514 _ 2.49 12 88 0 0.35 30.51 46.209.70.74 www.domain.com:80 GET
/moon HTTP/1.1  20-1 22275 0/3/3303 _ 0.3 5 129 0 0.02 31.76 46.209.13.250
www.domain.com:80 GET /moon HTTP/1.1

On Sun, Feb 15, 2015 at 9:00 AM, Al Lewis (allewi) <allewi () cisco com>
wrote:

 Hello,



                Can you provide a sample of the rule/conf you are trying
to use as well as a pcap of the offending traffic?



The section on uricontent is here:
http://manual.snort.org/node32.html#SECTION004523000000000000000



Make sure you are not trying to match on content before its normalized as
listed in the manual:



“The uricontent keyword in the Snort rule language searches the
NORMALIZED request URI field. This is equivalent to using the http_uri
modifier to a content keyword. As such if you are writing rules that
include things that are normalized, such as %2f or directory traversals,
these rules will not alert.”





Hope this helps.





Albert Lewis

QA Software Engineer

SOURCE*fire*, Inc. now part of *Cisco*

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



*From:* Mohammad Rastgoo [mailto:mohammad () synapti ca]
*Sent:* Saturday, February 14, 2015 7:42 PM
*To:* snort-sigs () lists sourceforge net
*Subject:* [Snort-sigs] HTTP Get Flood




 Hi,

Thanks for reading this.

My site has been receiving attacks for a while now and I've been able to
stop them using snort + pfsense. Most of them were stopped just by using
uri-content in the rule.

Today I've been receiving Get attacks on the main page. It really seems
too simple but any rule I have tried has not blocked any IP addresses.

Would someone please guide me to the right direction?

Thanks




--
Mohammad Rastgoo
Founder & CEO


------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is
your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

HTTP Get Flood Mohammad Rastgoo (Feb 14)
- Re: HTTP Get Flood Al Lewis (allewi) (Feb 15)
  - Re: HTTP Get Flood Mohammad Rastgoo (Feb 15)
    - Re: HTTP Get Flood Jamie Riden (Feb 15)
    - Re: HTTP Get Flood Al Lewis (allewi) (Feb 15)
    - Re: HTTP Get Flood Al Lewis (allewi) (Feb 15)