[Oisf-users] Hostbits?
Matt
matt at somedamn.com
Wed Feb 6 20:42:27 UTC 2013
Is there a way to tag hosts rather than flows? As a specific use case,
there's a model of Netgear router that sometimes gets stuck in a loop
flooding DNS requests. I'd like to be able to distinguish those from
other high volume DNS clients. One way to pick out a Netgear router is
DNS requests for time-a.netgear.com and time-b.netgear.com, but that's
not always what they flood. I'd like to be able to write something like
this:
# Set a hostbit with a 12 hour expiration
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Netgear time-a.netgear.com"; content:"|06|time-a|07|netgear|03|com"; hostbits:set netgear, hours 12; hostbits:noalert;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Broken Netgear Flood"; hostbits:isset netgear; threshold:type both, track by_src, count 60000, seconds 600; classtype:denial-of-service;)
- Matt
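The per-host tagging sketched above can be written with the xbits keyword that later Suricata releases (3.0 and newer) added; this is an added example, not part of the original post or the Suricata project's own rules. It assumes the sid range 9000001-9000002 and the rule ordering shown (the set rule before the isset rule), and keeps the poster's constants: a 12 hour (43200 second) expiry and a 60000-queries-per-600-seconds threshold.

```suricata
# Tag the source host as a Netgear router when it queries the Netgear
# time servers. track ip_src stores the bit per client IP rather than
# per flow; expire 43200 = 12 hours. noalert keeps this rule silent.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Netgear time-a.netgear.com seen"; \
    content:"|06|time-a|07|netgear|03|com"; nocase; \
    xbits:set,netgear,track ip_src,expire 43200; noalert; \
    sid:9000001; rev:1;)

# Same tag for the second time server name.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Netgear time-b.netgear.com seen"; \
    content:"|06|time-b|07|netgear|03|com"; nocase; \
    xbits:set,netgear,track ip_src,expire 43200; noalert; \
    sid:9000002; rev:1;)

# Fire only for hosts already tagged as Netgear routers, and only once
# they exceed 60000 DNS requests in 600 seconds. The isset check looks
# up the bit by source IP, so any DNS name the router floods is covered,
# not just the time-server names that set the bit.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Broken Netgear DNS flood"; \
    xbits:isset,netgear,track ip_src; \
    threshold:type both, track by_src, count 60000, seconds 600; \
    classtype:denial-of-service; sid:9000003; rev:1;)
```

Because the bit is keyed on the client IP, a tagged router that is later replaced or rebooted stops matching once the 12 hour expiry passes without a new time-server query.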