
Possible bug: HTTP traffic from Nokia cluster considered HOIC DOS attack

Hi,

For the last week, traffic from Nokia's proxy cluster (something for a Nokia browser?) has started to be considered a DOS attack from a program called HOIC (instead of LOIC). I suspect that the Snort rule is a bit too aggressive.

Here is a typical HTTP request which will be stopped:
54.236.254.125 - - [16/Jul/2014:14:52:30 +0200] GET http://lovdata.no/resources/js/jquery-1.9.1.min.js HTTP/1.1 200 32793 http://lovdata.no/dokument/SF/forskrift/1988-05-15-356 Mozilla/5.0 (Series40; Nokia301.1/02.51; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/5.0.0.0.31

(The IP goes to Nokia's Amazon cluster; Nokia/Microsoft do not suspect it to be a DOS attack)

This is snort rule #21513:
Message........: MALWARE-TOOLS HOIC http denial of service attack
Details........: http://www.snort.org/search/sid/21513?r=1
Time...........: 2014-07-16 14:52:30
Packet dropped.: no
Priority.......: medium
Classification.: Detection of a Denial of Service Attack
IP protocol....: 6 (TCP)
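To see why a single shared proxy address can trip a rate-style DoS signature while the individual handsets behind it are harmless, here is an added example that is not part of the thread and does not reproduce the actual match logic of Snort SID 21513 (which is not shown on this page). It parses access-log lines in the format quoted above, applies a hypothetical per-source-IP request threshold of the kind DoS-tool rules commonly pair with a User-Agent match, and then shows the effect of suppressing the proxy address. The sample log, the desktop User-Agent and the 203.0.113.x / 198.51.100.x client addresses are constructed; only the Nokia User-Agent, the proxy IP and the lovdata.no URLs come from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Layout of the (unquoted) access-log line shown in the post:
#   ip - - [timestamp] method url protocol status bytes referer user-agent
LOG_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<url>\S+) "
    r"(?P<proto>\S+) (?P<status>\d{3}) (?P<size>\S+) (?P<referer>\S+) (?P<ua>.*)$"
)

PROXY_IP = "54.236.254.125"  # the Nokia proxy address from the post
NOKIA_UA = ("Mozilla/5.0 (Series40; Nokia301.1/02.51; Profile/MIDP-2.1 "
            "Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/5.0.0.0.31")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0"  # constructed
REFERER = "http://lovdata.no/dokument/SF/forskrift/1988-05-15-356"


def _line(ip, second, path, ua):
    """Build one constructed log line in the post's format (16 Jul 2014, 14:52:SS)."""
    return (f"{ip} - - [16/Jul/2014:14:52:{second:02d} +0200] GET http://lovdata.no{path} "
            f"HTTP/1.1 200 1024 {REFERER} {ua}")


# Constructed sample log: one shared proxy IP fetching page assets for several
# handset users, plus two ordinary clients on documentation addresses.
SAMPLE_LOG = "\n".join([
    _line(PROXY_IP, 30, "/resources/js/jquery-1.9.1.min.js", NOKIA_UA),
    _line(PROXY_IP, 30, "/resources/css/site.css", NOKIA_UA),
    _line(PROXY_IP, 30, "/resources/js/app.js", NOKIA_UA),
    _line(PROXY_IP, 31, "/resources/img/logo.png", NOKIA_UA),
    _line(PROXY_IP, 31, "/dokument/SF/forskrift/1988-05-15-356", NOKIA_UA),
    _line(PROXY_IP, 32, "/resources/img/icon.png", NOKIA_UA),
    _line("203.0.113.7", 30, "/dokument/SF/forskrift/1988-05-15-356", DESKTOP_UA),
    _line("203.0.113.7", 45, "/resources/js/jquery-1.9.1.min.js", DESKTOP_UA),
    _line("198.51.100.9", 33, "/", DESKTOP_UA),
])


def parse_log(text):
    """Parse every line of the log into a dict of fields plus a timezone-aware 'time'."""
    records = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable log line: {raw!r}")
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def requests_by_source(records):
    """Total requests seen per source IP."""
    counts = defaultdict(int)
    for r in records:
        counts[r["ip"]] += 1
    return dict(counts)


def rate_alerts(records, count, seconds, suppress_ips=frozenset()):
    """Hypothetical rate rule: fire once a source IP has sent `count` requests within
    any `seconds`-long window, then reset that source's window. Sources listed in
    `suppress_ips` are never evaluated, mirroring a per-IP suppression on a sensor.
    Returns a list of (ip, time-of-alert)."""
    windows = defaultdict(deque)
    alerts = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        ip = r["ip"]
        if ip in suppress_ips:
            continue
        q = windows[ip]
        q.append(r["time"])
        while (q[-1] - q[0]).total_seconds() > seconds:
            q.popleft()
        if len(q) >= count:
            alerts.append((ip, r["time"]))
            q.clear()
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(requests_by_source(recs))
    for ip, when in rate_alerts(recs, count=5, seconds=10):
        print(f"ALERT {when:%H:%M:%S} {ip} crossed the rate threshold")
    print("with proxy suppressed:", rate_alerts(recs, count=5, seconds=10, suppress_ips={PROXY_IP}))
```

The proxy address alone crosses the threshold because every handset behind it shares one source IP, which is exactly the pattern a by-source rate counter cannot distinguish from a single flooding client. If the traffic is confirmed legitimate, the narrow fix on a stock Snort sensor is a suppression in threshold.conf scoped to that source rather than disabling the signature, e.g. `suppress gen_id 1, sig_id 21513, track by_src, ip 54.236.254.125` (on an appliance that manages IPS rules through its own interface, the equivalent is whatever per-rule exception that interface offers).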

