Snort rule to detect http flood

Ruhl · Feb 8, 2015 · Viewed 7.7k times

Is it possible to use Snort to detect valid repetitive HTTP GET requests? E.g., a client machine is sending HTTP requests to flood a server.

Answer

johnjg12 · Feb 18, 2015

Just fyi, it would be much more likely (and a much easier/more common attack) that your web server would get syn flooded before an "HTTP GET flood", so you would likely want to prevent this type of attack first.

Anyway, you can accomplish this with the detection_filter option and a simple content match. Let's say your web server's IP address is 192.168.1.5 and it is going over port 80 only, an example rule would be as follows:

alert tcp any any -> 192.168.1.5 80 (msg:"GET Request flood attempt"; \
flow:to_server,established; content:"GET"; nocase; http_method; \
detection_filter:track by_src, count 30, seconds 30; metadata: service http;)

This rule will fire on every GET request from a single IP address to 192.168.1.5 during one sampling period of 30 seconds, after the first 30 GET requests.

Example:

  • 1.2.3.4 sends a GET request to 192.168.1.5; the 30-second counter will start and the count will be 1.
  • 1.2.3.4 sends 29 more GET requests in 10 seconds; no alerts will be generated. The counter is at 30 and it has been 10 seconds.
  • For the next 20 seconds any GET request from 1.2.3.4 to 192.168.1.5 will generate an alert.
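To make the detection_filter behaviour described in this answer concrete, here is an added example (not part of the original answer, and not Snort's own code) that models the `track by_src, count 30, seconds 30` logic in Python and replays the walk-through above as constructed traffic; the source IPs and timestamps are assumed sample values.

```python
from collections import defaultdict

# Values from the rule in the answer: detection_filter:track by_src, count 30, seconds 30
COUNT = 30
SECONDS = 30


class DetectionFilter:
    """Model of Snort's detection_filter with track by_src: the rule's alert
    fires only for matches *after* the first `count` matches from one source
    inside a `seconds`-long sampling window that opens on that source's first
    match and is replaced by a fresh window once it expires."""

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}  # src ip -> [window_start, hits]

    def observe(self, src, ts):
        """Record one matching GET from `src` at time `ts` (seconds);
        return True if this packet would generate the alert."""
        w = self.state.get(src)
        if w is None or ts - w[0] >= self.seconds:
            w = self.state[src] = [ts, 0]  # open a fresh sampling period
        w[1] += 1
        return w[1] > self.count


def replay(requests, count=COUNT, seconds=SECONDS):
    """Feed (src_ip, timestamp) GET matches through the filter; return, per
    source, the timestamps at which an alert would fire."""
    f = DetectionFilter(count, seconds)
    alerts = defaultdict(list)
    for src, ts in requests:
        if f.observe(src, ts):
            alerts[src].append(ts)
    return dict(alerts)


# Constructed traffic mirroring the answer's walk-through: 1.2.3.4 sends 30
# GETs within 10 s (no alerts), five more before the window closes at t=30
# (each alerts), then one at t=40 in a new window (count back to 1).
SAMPLE = [("1.2.3.4", t / 3) for t in range(30)]      # hits 1..30, t in [0, 9.67]
SAMPLE += [("1.2.3.4", 12.0 + i) for i in range(5)]   # hits 31..35 -> alerts
SAMPLE += [("1.2.3.4", 40.0), ("10.0.0.9", 5.0)]      # new window; other host

if __name__ == "__main__":
    print(replay(SAMPLE))  # {'1.2.3.4': [12.0, 13.0, 14.0, 15.0, 16.0]}
```

Lowering `count` or widening `seconds` in the model is a quick way to see how noisy a threshold would be against a legitimate client before committing it to a production rule.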