This is a discussion on [Snort-users] Help with Snort rule - httpd flood detection within the Snort forums, part of the System Security and Security Related category.
Hey everyone. I have a bit of an obscure request...

I would go through the list archives to see how many times this has been posted before, but since I'm not exactly sure what I should be looking for, I am hoping someone here can give me a hand.

I have Snort running all fine and happy, but I can't seem to find the one rule that brought me to install it in the first place. What's happening is I have one little pathetic script kiddie with a little botnet (ain't he cute?) hammering a few sites on my server. The only real pattern to it is his annoying use of invalid or obscene "referring URLs"... sort of his trademark.

Now, the FBI should be paying him a visit within the next 2 weeks (warrant is in process), but until then I want to give him something new to play with... namely Snort with snortsam. ;)

Find below a posting of the typical attack he is running against us. What I am hoping to do is somehow get Snort to recognise massive queries to a specified page, and then trigger a rule. Unfortunately, as I said, I can't find any rule that would fit this type of description. Essentially, it's a httpd GET attack... but all the GETs are, as far as the server is concerned, legitimate.

Does anyone know of a rule that I can use to detect this form of attack? The referring URLs are not always the same, so it's not a simple matter of blocking the URL from the referrals list in a htaccess file (been there, tried that).
82.54.214.236 - - [24/Feb/2005:13:57:49 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
218.56.70.162 - - [24/Feb/2005:13:58:07 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
82.49.104.29 - - [24/Feb/2005:13:58:45 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
82.49.19.186 - - [24/Feb/2005:13:59:02 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
82.54.214.236 - - [24/Feb/2005:13:59:17 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 47186 "http://lala.com" "Mozilla/4.0 (compatible)"
82.51.119.28 - - [24/Feb/2005:13:59:35 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
82.51.116.107 - - [24/Feb/2005:14:01:15 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
218.56.70.162 - - [24/Feb/2005:14:01:22 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 47186 "http://lala.com" "Mozilla/4.0 (compatible)"
220.184.97.129 - - [24/Feb/2005:14:01:34 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
218.56.70.162 - - [24/Feb/2005:14:01:49 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 47186 "http://lala.com" "Mozilla/4.0 (compatible)"
82.54.214.236 - - [24/Feb/2005:14:04:00 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 47186 "http://lala.com" "Mozilla/4.0 (compatible)"
218.83.107.4 - - [24/Feb/2005:14:05:42 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
82.52.83.81 - - [24/Feb/2005:14:06:11 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
218.83.107.4 - - [24/Feb/2005:14:06:16 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
218.83.107.4 - - [24/Feb/2005:14:06:27 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
82.52.83.81 - - [24/Feb/2005:14:06:58 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
217.95.3.221 - - [24/Feb/2005:14:07:01 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48734 "http://lala.com" "Mozilla/4.0 (compatible)"
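As an added example (not the poster's code and not part of Snort), a small Python scanner that applies the kind of per-page rate threshold the post is asking for to Combined Log Format lines like the ones above: it counts requests per URI rather than per source IP, since the flood arrives from many addresses, re-arms after each alert, and skips lines that do not parse. The attack lines inside are copied from the post; the benign request and the malformed line are constructed, and the threshold of 4 hits in 120 seconds is an assumption chosen to fit the sample.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Combined Log Format, the layout of the access log quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    # Returns a dict for one log line, or None for lines that do not parse.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def scan(lines, count=4, seconds=120):
    # Sliding window keyed by URI, not by client IP: the post's flood comes
    # from many sources against one page, so per-source limits never fire.
    # The window is cleared after an alert so it re-arms instead of firing on every hit.
    window = timedelta(seconds=seconds)
    hits = {}  # uri -> deque of (timestamp, client ip)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = hits.setdefault(rec["uri"], deque())
        q.append((rec["ts"], rec["ip"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # expire hits older than the window
        if len(q) >= count:
            alerts.append({"uri": rec["uri"], "at": rec["ts"], "hits": len(q),
                           "sources": sorted({ip for _, ip in q})})
            q.clear()
    return alerts

# Sample input: four lines taken from the post, plus one constructed benign
# request for another page and one constructed malformed line the parser must skip.
SAMPLE = """\
82.54.214.236 - - [24/Feb/2005:13:57:49 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
218.56.70.162 - - [24/Feb/2005:13:58:07 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
192.0.2.10 - - [24/Feb/2005:13:58:20 -0500] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
82.49.104.29 - - [24/Feb/2005:13:58:45 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
not a log line at all
82.49.19.186 - - [24/Feb/2005:13:59:02 -0500] "GET /index.php?showtopic=3964 HTTP/1.1" 200 48732 "http://lala.com" "Mozilla/4.0 (compatible)"
""".splitlines()
```

On the IDS side, Snort 2.x expresses the same idea with a rule matching the request URI plus a `detection_filter` option (`track by_dst, count N, seconds S`), which lets the rule fire only once the destination has seen N matching requests within S seconds regardless of how many sources they came from.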