[Oisf-users] HTTP domain whitelist?

Cooper F. Nelson cnelson at ucsd.edu
Mon Jan 27 00:01:42 UTC 2014


On 1/26/2014 4:34 AM, Peter Manev wrote:
> 
>> I like that too.  I am also fond of the idea to be able to use a BPF
>> like filter for domains at the start line as well.

The problem with that is that often high-traffic domains resolve to
multiple IPs.  libhtp + pass rules mitigate this issue nicely.

> Anyways, it turns out that another culprit in our performance issues
> over the past few weeks were a few bad IPs SYN flooding us.  Which, btw,
> I'll note that suricata+ETPro didn't detect.
> 
>> Maybe the ETPro mail list would be able to offer some help, if you let
>> them know about your troubles?

Based on the examples, I wrote a local sig. to detect SYN floods.


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
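The two rule types this message refers to, written out as an added illustration (this is not Cooper's local signature nor anything posted in the thread): a domain whitelist expressed as a pass rule on the HTTP Host header rather than on IPs, and a SYN-flood detector using threshold tracking. It uses Suricata 5+ keyword syntax (`http.host`, `bsize`); on the 2014-era releases discussed here the equivalent is the `http_host` content modifier. The hostname, sids, counts and time windows are assumptions.

```suricata
# local.rules (added example; hostname, sids, counts and windows are assumed values)

# 1. Domain whitelist as a pass rule. Matching on the normalized Host buffer
#    (lowercased, port stripped) instead of an IP list keeps working when a
#    high-traffic domain resolves to many addresses or those addresses change.
#    bsize:15 pins the buffer to exactly "cdn.example.com", so a host such as
#    cdn.example.com.attacker.net is not passed. The rule cannot match until
#    libhtp has parsed the request, so the handshake and the first segments of
#    the flow are still inspected; from the match onward the flow is passed.
pass http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL pass whitelisted domain"; flow:to_server,established; http.host; content:"cdn.example.com"; bsize:15; sid:1000001; rev:1;)

# 2. SYN flood from a single source (the "few bad IPs" case).
#    flags:S,12  = SYN set, CWR/ECE bits ignored.
#    flow:stateless so SYNs that never become an established flow still match.
#    threshold type both: only alert once 500 SYNs from one source are seen
#    within 10 s, and then at most once per 10 s per source.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL SYN flood from single source"; flags:S,12; flow:stateless; threshold:type both, track by_src, count 500, seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)

# 3. Distributed variant: many sources against one target. Track by
#    destination with a higher count so ordinary peak load does not trip it.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL SYN flood against single host"; flags:S,12; flow:stateless; threshold:type both, track by_dst, count 5000, seconds 10; classtype:attempted-dos; sid:1000003; rev:1;)
```

Pass rules win because Suricata's default action order is pass, drop, reject, alert; check `suricata -T -S local.rules` before deploying, and tune the counts against a baseline of normal SYN rates on the monitored link, since a fixed threshold that is right for one site will be noise or silence on another.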
